Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'


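When embedding a page with an iframe, the browser reports the error: Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'.
This is Spring Security guarding against malicious embedding of the page (clickjacking), so it sets X-Frame-Options to deny. The fix I saw online is to add httpSecurity.headers().frameOptions().disable();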

For example: https://blog.csdn.net/a494567309/article/details/80348557

However, I configure Spring Security in spring-security.xml, so that approach does not apply; instead, add <security:headers disabled="true"/> to spring-security.xml.

The complete spring-security.xml configuration is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Resources that are not intercepted -->
    <security:http pattern="/login.jsp" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/js/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>
    <!--
    	Configure the specific rules
    	auto-config="true"	no need to write your own login page; the framework provides a default one
    	use-expressions="false"	whether to use SpEL expressions
    -->
    <security:http auto-config="true" use-expressions="true">
        <!-- Configure the specific intercept rules: pattern="request path rule", access="users accessing the system must have the ROLE_USER or ROLE_ADMIN role" -->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

        <!-- Define the specific pages to redirect to -->
        <security:form-login
                login-page="/login.jsp"
                login-processing-url="/login.do"
                default-target-url="/index.jsp"
                authentication-failure-handler-ref="authenticationFailureHandler"
                authentication-success-handler-ref="authenticationSuccessHandler"
        />

        <!-- Disable CSRF protection -->
        <security:csrf disabled="true"/>
        <!-- Logout -->
        <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"/>

        <!-- Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'. If an iframe reports this error, set disabled to true -->
        <security:headers disabled="true"/>
    </security:http>

    <!-- Switch to the usernames and passwords stored in the database -->
    <security:authentication-manager>
        <security:authentication-provider ref="authenticationProvider"/>
    </security:authentication-manager>

    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="managerService" />
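        <!-- Whether to hide the user-not-found exception; the default is true. Here it is false, so "user does not exist" is returned -->
        <property name="hideUserNotFoundExceptions" value="false" />
        <!-- Configure the password encoding method -->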
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>

    <!-- Password encoder bean -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <bean id="authenticationFailureHandler" class="com.handler.AuthenticationFailureHandler"/>
    <bean id="authenticationSuccessHandler" class="com.handler.AuthenticationSuccessHandler"/>
</beans>

 

Then just restart the application.
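
<security:headers disabled="true"/> stops Spring Security from writing any of its default response headers (X-Content-Type-Options, Strict-Transport-Security, the cache-control headers and so on), not only X-Frame-Options. The fragment below is an added example, not part of the original post: it replaces that one line inside <security:http> and relaxes only the framing rule. It assumes the page containing the iframe is served from the same origin as the application; the commented variant assumes Spring Security 4.1 or later and uses a placeholder origin, https://portal.example.com.

```xml
<!-- Added example: goes inside <security:http> in place of
     <security:headers disabled="true"/>. Only one <security:headers>
     element is allowed per <security:http>. -->

<!-- Variant A (active): keep every default header and change only
     X-Frame-Options from DENY to SAMEORIGIN, so pages of this same
     application may frame each other. -->
<security:headers>
    <security:frame-options policy="SAMEORIGIN"/>
</security:headers>

<!-- Variant B (assumption: the embedding page lives on another origin,
     shown here as the placeholder https://portal.example.com).
     X-Frame-Options cannot express an allow list that browsers honour
     consistently, so that single header is switched off and the
     Content-Security-Policy frame-ancestors directive names the permitted
     parents instead. All other default headers stay on.

<security:headers>
    <security:frame-options disabled="true"/>
    <security:content-security-policy
        policy-directives="frame-ancestors 'self' https://portal.example.com"/>
</security:headers>
-->
```

After restarting, check the response headers in the browser's network tab: with variant A the page should return X-Frame-Options: SAMEORIGIN together with the other default headers.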

