I built a page with Spring Boot that is meant to be embedded in other sites via an iframe. When I added Spring Security, it set the HTTP header "X-Frame-Options" to DENY by default, so the embedded page was no longer displayed.
Because X-Frame-Options should stay DENY on ordinary pages to prevent clickjacking, I decided the better approach was to stop sending the header only for the embed page. However, "setting X-Frame-Options only for a specific URL" turned out to be a little involved, so I have written it up here.
I expect other HTTP headers can be set per URL in the same way if needed (unverified).
| Target URL | X-Frame-Options |
|---|---|
| example.com/contents/embed/** | Do not send the header at all |
| Any other URL | DENY (default) |
Someone on Stack Overflow had the same problem, so I referred to this answer:
[Disable X-FrameOptions response header for a URL Spring Security JAVA config](https://stackoverflow.com/questions/42257402/disable-x-frameoptions-response-header-for-a-url-spring-security-java-config)
If you set it in the same `configure(HttpSecurity http)`, all URLs are affected. The key is to define multiple subclasses of WebSecurityConfigurerAdapter, one per URL pattern.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebMVCSecurity {

    // Authentication settings. Optional: this is just a sample and has no effect on
    // X-Frame-Options, so change it to suit your project.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    // This is the most important part.
    // Create one WebSecurityConfigurerAdapter and set its evaluation order with @Order.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // antMatcher("/contents/embed/**") restricts this adapter to the URLs it should apply to.
            // Here I wanted no header at all, hence ".headers().frameOptions().disable()".
            // There are other options such as ".headers().frameOptions().sameOrigin()", so check those too.
            http.antMatcher("/contents/embed/**").headers().frameOptions().disable();
        }
    }

    // Create another WebSecurityConfigurerAdapter.
    // The settings here apply to every URL that does NOT match "/contents/embed/**".
    // Without an @Order annotation it is loaded after the adapters that have one.
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin();
            // etc. Set this up according to your project.
        }
    }
}
```
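Because two filter chains are involved, it is easy to get the order wrong and silently drop DENY everywhere (or keep it on the embed page). The following MockMvc test is an added example, not code from the original post, that pins down the behaviour in the table above. It assumes a Spring Boot test classpath (spring-boot-starter-test with JUnit 4), that the configuration above is on the classpath, and that some controller serves a path under `/contents/embed/` (the sample path `/contents/embed/sample` is hypothetical).

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example test: verifies the per-URL X-Frame-Options policy of the two
// WebSecurityConfigurerAdapter chains. Not part of the original post.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class FrameOptionsPerUrlTest {

    @Autowired
    private MockMvc mockMvc;

    // The embed page must not carry the header at all, otherwise the iframe on the
    // other site is blocked. "/contents/embed/sample" is a hypothetical embed path.
    @Test
    public void embedPageSendsNoFrameOptionsHeader() throws Exception {
        mockMvc.perform(get("/contents/embed/sample"))
               .andExpect(header().doesNotExist("X-Frame-Options"));
    }

    // Every other URL must keep the default DENY. The unauthenticated request is
    // redirected to the login form, but the header is written on that response too.
    @Test
    public void otherPagesKeepDeny() throws Exception {
        mockMvc.perform(get("/"))
               .andExpect(header().string("X-Frame-Options", "DENY"));
    }

    // The login form itself is outside the embed pattern, so it must also deny framing.
    @Test
    public void loginPageKeepsDeny() throws Exception {
        mockMvc.perform(get("/login"))
               .andExpect(header().string("X-Frame-Options", "DENY"));
    }
}
```

If `embedPageSendsNoFrameOptionsHeader` fails with a DENY header, the `@Order(1)` adapter is not being picked first; if `otherPagesKeepDeny` fails, the `antMatcher` is missing and the `frameOptions().disable()` has leaked into the default chain. Keep in mind that once the header is dropped, the embed page can be framed by any origin; if the embedding site is the same origin, `frameOptions().sameOrigin()` from the comments above is the narrower choice.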
That's all.