spring Security下,X-Frame-Options默認為DENY,非Spring Security環境下,X-Frame-Options的默認大多也是DENY,這種情況下,瀏覽器拒絕當前頁面加載任何Frame頁面,設置含義如下:
DENY:瀏覽器拒絕當前頁面加載任何Frame頁面
SAMEORIGIN:frame頁面的地址只能為同源域名下的頁面
ALLOW-FROM:origin為允許frame加載的頁面地址。
在tomcat8以后的版本中,可以通過在web.xml中定義filter設置X-Frame-Options,如下:
- <filter>
- <filter-name>httpHeaderSecurity</filter-name>
- <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
- <init-param>
- <param-name>antiClickJackingOption</param-name>
- <param-value>SAMEORIGIN</param-value>
- </init-param>
- <async-supported>true</async-supported>
- </filter>
- <filter-mapping>
- <filter-name>httpHeaderSecurity</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
方法二:
<security:http auto-config="true" use-expressions="true">
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
<http use-expressions="true" auto-config="true">
<form-login login-page="/login.do" always-use-default-target="false" />
<logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.do"/>
<!-- 免登錄驗證,當session還在,防問是會自己登錄 -->
<remember-me/>
<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter"/>
<access-denied-handler ref="accessDeniedHandler"/>
<!-- 4.0以后默認打開csrf,不允許post,設置為不打開 -->
<csrf disabled="true"/>
<!-- 4.0以后X-Frame-Options的默認大多也是DENY,這種情況下,瀏覽器拒絕當前頁面加載任何Frame頁面 -->
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>