使用iframe嵌入网页,浏览器报错:Refused to display ‘url‘ in a frame because it set ‘X-Frame-Options‘ to ‘deny‘。 这是SpringSecurity 防止恶意注入,所以设置了 X-Frame-Options 为deny,网上看到是 加
使用iframe嵌入网页,浏览器报错:Refused to display ‘url‘ in a frame because it set ‘X-Frame-Options‘ to ‘deny‘。
这是SpringSecurity 防止恶意注入,所以设置了 X-Frame-Options 为deny,网上看到是 加入 httpSecurity.headers().frameOptions().disable();
如:https://blog.csdn.net/a494567309/article/details/80348557
但是我是在 spring-security.xml 配置,所以不用这种,在spring-security.xml 添加<security:headers disabled="true"/>
整个 spring-security.xml配置如下
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- 配置不拦截的资源 --> <security:http pattern="/login.jsp" security="none"/> <security:http pattern="/css/**" security="none"/> <security:http pattern="/img/**" security="none"/> <security:http pattern="/js/**" security="none"/> <security:http pattern="/plugins/**" security="none"/> <!-- 配置具体的规则 auto-config="true" 不用自己编写登录的页面,框架提供默认登录页面 use-expressions="false" 是否使用SPEL表达式 --> <security:http auto-config="true" use-expressions="true"> <!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER或者ROLE_ADMIN的角色" --> <security:intercept-url pattern="/**" access="hasAnyRole(‘ROLE_USER‘,‘ROLE_ADMIN‘)"/> <!-- 定义跳转的具体的页面 --> <security:form-login login-page="/login.jsp" login-processing-url="/login.do" default-target-url="/index.jsp" authentication-failure-handler-ref="authenticationFailureHandler" authentication-success-handler-ref="authenticationSuccessHandler" /> <!-- 关闭跨域请求 --> <security:csrf disabled="true"/> <!-- 退出 --> <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"/> <!-- Refused to display ‘url‘ in a frame because it set ‘X-Frame-Options‘ to ‘deny‘. 如果用iframe提示这个,设置为true--> <security:headers disabled="true"/> </security:http> <!-- 切换成数据库中的用户名和密码 --> <security:authentication-manager> <security:authentication-provider ref="authenticationProvider"/> </security:authentication-manager> <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="managerService" /> <!-- 是否隐藏用户没有找到的异常,默认为true ; 这里返回用户不存在 --> <property name="hideUserNotFoundExceptions" value="false" /> <!-- 配置加密的方式--> <property name="passwordEncoder" ref="passwordEncoder" /> </bean> <!-- 配置加密类 --> <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<bean id="authenticationFailureHandler" class="com.handler.AuthenticationFailureHandler"/> <bean id="authenticationSuccessHandler" class="com.handler.AuthenticationSuccessHandler"/> </beans>
重启就行了