英文:
Spring Security Anotation @EnableWebSecurity does not works in Spring MVC project
问题
我必须在我的Spring MVC项目中启用X-Frame-Options: SAMEORIGIN,以将此参数返回到HTTP响应头中。项目部署在Apache Tomcat 9上。
以下是我的Web安全配置:
@EnableWebSecurity@Configurationpublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.headers().frameOptions().sameOrigin();}}
这是我如何初始化Dispatcher Servlet:
public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{AppConfig.class, WebSecurityConfig.class};}@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{WebConfig.class};}@Overrideprotected String[] getServletMappings() {return new String[]{"/"};}}
在Spring安全文档(https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#headers)中提到:
Spring Security提供了一组默认的与安全相关的HTTP响应头,以提供安全的默认值。
但是,我在响应头中看不到任何安全头,似乎我的项目中未启用Spring Security。
如果我在@Controller类的方法中手动添加头选项,它可以工作:
@Controllerpublic class WController {@GetMapping("/hello")public String sayHello(HttpServletResponse response, Model model) {response.setHeader("X-Frame-Options", "SAMEORIGIN");return "htmlPageTemplate";}}
请检查,我做错了什么。如何修复并正确启用Web安全?
英文:
I have to enable X-Frame-Options: SAMEORIGIN in my spring MVC project, to return this param in to http response header.
Project is deployed on Apache Tomcat 9.
here is my web security configuration
@EnableWebSecurity@Configurationpublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.headers().frameOptions().sameOrigin();}}
This is how I initialize dispatcher servlet
public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{AppConfig.class, WebSecurityConfig.class};}@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{WebConfig.class};}@Overrideprotected String[] getServletMappings() {return new String[]{"/"};}}
In spring security documentation (https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#headers) it's mentioned that
> Spring Security provides a default set of security related HTTP
> response headers to provide secure defaults.
But, I can't see any security header in Response Header, it seems that spring security is not enabled in my project.
If I add header option manually in to @Controller class method it works
@Controllerpublic class WController {@GetMapping("/hello")public String sayHello(HttpServletResponse response, Model model) {response.setHeader("X-Frame-Options", "SAMEORIGIN");return "htmlPageTemplate";}}
Please check, What I made wrong.
How to fix and enable web security properly?
答案1
得分: 0
我错过了 filter,只是添加了一个新类来扩展 AbstractSecurityWebApplicationInitializer,然后问题就解决了。
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}
英文:
I missed filter, just added new class to extend AbstractSecurityWebApplicationInitializer, and it fixed the problem.
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}
专注分享java语言的经验与见解,让所有开发者获益!
评论