In my Java Spring MVC web application I use Hibernate, H2 and JPA to store data. I am trying to use devtool to visualize the data in the database. I also use Spring Security to protect my application.
Unfortunately, I cannot load the page http://localhost:8080/h2-console/login.do?jsessionid=bcdfd8af18f9fa24d1874314750585bd
which should display my database records.
In Chrome it says:
Refused to display 'http://localhost:8080/h2-console/query.jsp?jsessionid=bcdfd8af18f9fa24d1874314750585bd' in a frame because it set 'X-Frame-Options' to 'DENY'.
In Firefox it says:
Load denied by X-Frame-Options: http://localhost:8080/h2-console/query.jsp?jsessionid=bcdfd8af18f9fa24d1874314750585bd does not permit framing.
My Spring Security configuration is:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
static class WebFormsSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for the whole application
        http
            .csrf().disable();
        // the H2 console is reachable without authentication
        http
            .authorizeRequests()
            .antMatchers("/h2-console/**").permitAll();
        http
            .authorizeRequests()
            .antMatchers("/welcome").permitAll()
            .antMatchers("/account/**").hasRole("ADMIN")
            .antMatchers("/account/**").authenticated()
            .and()
            .formLogin()
            .loginPage("/login").permitAll()
            .defaultSuccessUrl("/welcome")
            .and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    }
}
Best answer
By default, Spring Security disables rendering within an iframe; see the Spring Security Reference:
20.1.5 X-Frame-Options
[...]
A more modern approach to address clickjacking is to use X-Frame-Options header:
X-Frame-Options: DENY
The X-Frame-Options response header instructs the browser to prevent any site with this header in the response from being rendered within a frame. By default, Spring Security disables rendering within an iframe.
But you can change the default; see the Spring Security Reference:
Similarly, you can customize frame options to use the same origin within Java Configuration using the following:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers()
                .frameOptions()
                    .sameOrigin();
    }
}
If you want to use frames from a different origin, you can disable the X-Frame-Options HTTP header; see FrameOptionsConfig#disable:
Prevents the header from being added to the response.
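As an added example (not code from the question or the answer above), here is the same-origin approach from the answer applied to the questioner's configuration, written from the defender's side: the CSRF exemption is limited to the console paths instead of disabling CSRF globally, and the console requires the ADMIN role instead of permitAll(). It assumes the WebSecurityConfigurerAdapter API of Spring Security 4/5 used in the question and the /welcome, /login, /account and /logout paths taken from it.

```java
// Added example, not the questioner's or answerer's code. Assumes the
// WebSecurityConfigurerAdapter API (Spring Security 4/5) and the URL paths
// that appear in the question.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The H2 console submits forms without a CSRF token, so exempt
            // only its URLs instead of disabling CSRF application-wide.
            .csrf()
                .ignoringAntMatchers("/h2-console/**")
                .and()
            // The console is a database shell: require the ADMIN role rather
            // than permitAll(). Matchers are evaluated in order and the first
            // match wins, so the more specific paths go first.
            .authorizeRequests()
                .antMatchers("/h2-console/**").hasRole("ADMIN")
                .antMatchers("/welcome", "/login").permitAll()
                .antMatchers("/account/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/welcome")
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .and()
            // Keep clickjacking protection (X-Frame-Options) for every page,
            // but allow framing from the same origin so login.do and query.jsp
            // can be framed by /h2-console served from localhost:8080.
            .headers()
                .frameOptions().sameOrigin();
    }
}
```

The console endpoints should only be mapped in a development environment; with this configuration the header becomes X-Frame-Options: SAMEORIGIN, so pages from other origins still cannot frame the application.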
Regarding java - Devtool refused to display "My uri" in a frame because it set 'X-Frame-Options' to 'DENY', we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42000923/