java - Devtool 拒绝在框架中显示 "My uri"，因为它将 'X-Frame-Options' 设置为 'DENY'

Question

在我的 Java Spring MVC Web 应用程序中，我使用 Hibernate、H2 和 JPA 来存储数据。我正在尝试使用 devtool 可视化数据库中的数据。我也用Spring Security ，以保护我的应用程序。

不幸的是，我无法加载页面 http://localhost:8080/h2-console/login.do?jsessionid=bcdfd8af18f9fa24d1874314750585bd 这应该是显示我的数据库记录。

它在 Chrome 中提示:

Refused to display 'http://localhost:8080/h2-console/query.jsp?jsessionid=bcdfd8af18f9fa24d1874314750585bd' in a frame because it set 'X-Frame-Options' to 'DENY'. 

在 Firefox 中，它提示:

Load denied by X-Frame-Options: http://localhost:8080/h2-console/query.jsp?jsessionid=bcdfd8af18f9fa24d1874314750585bd does not permit framing.

我的 Spring Security 配置是:

@Configuration
static class WebFormsSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable();
        http
            .authorizeRequests()
                .antMatchers("/h2-console/**").permitAll();
        http
            .authorizeRequests()
                .antMatchers("/welcome").permitAll()
                .antMatchers("/account/**").hasRole("ADMIN")
                .antMatchers("/account/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/welcome")
                .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));    
    }
}

Answer 1

默认情况下，Spring Security 禁用 iframe 内的渲染，请参阅 Spring Security Reference :

20.1.5 X-Frame-Options

[...]

A more modern approach to address clickjacking is to use X-Frame-Options header:

X-Frame-Options: DENY

The X-Frame-Options response header instructs the browser to prevent any site with this header in the response from being rendered within a frame. By default, Spring Security disables rendering within an iframe.

但您可以更改默认值，请参阅 Spring Security Reference :

Similarly, you can customize frame options to use the same origin within Java Configuration using the following:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
      // ...
          .headers()
              .frameOptions()
                  .sameOrigin();
    }
}

如果您想使用来自不同来源的框架，您可以禁用 X-Frame-Options HTTP header ，请参阅 FrameOptionsConfig#disable :

Prevents the header from being added to the response.