春季安全注释@EnableWebSecurity在Spring MVC项目中不起作用。

huangapple go评论82阅读模式
英文:

Spring Security Anotation @EnableWebSecurity does not works in Spring MVC project

问题

我必须在我的Spring MVC项目中启用X-Frame-Options: SAMEORIGIN,以将此参数返回到HTTP响应头中。项目部署在Apache Tomcat 9上。

以下是我的Web安全配置:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().sameOrigin();
    }
}

这是我如何初始化Dispatcher Servlet:

public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[]{AppConfig.class, WebSecurityConfig.class};
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[]{WebConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        return new String[]{"/"};
    }
}

在Spring安全文档(https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#headers)中提到:

Spring Security提供了一组默认的与安全相关的HTTP响应头,以提供安全的默认值。

但是,我在响应头中看不到任何安全头,似乎我的项目中未启用Spring Security。

如果我在@Controller类的方法中手动添加头选项,它可以工作:

@Controller
public class WController {
    @GetMapping("/hello")
    public String sayHello(HttpServletResponse response, Model model) {
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        return "htmlPageTemplate";
    }
}

请检查,我做错了什么。如何修复并正确启用Web安全?

英文:

I have to enable X-Frame-Options: SAMEORIGIN in my spring MVC project, to return this param in to http response header.
Project is deployed on Apache Tomcat 9.

here is my web security configuration

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().sameOrigin();
    }
}

This is how I initialize dispatcher servlet

public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class&lt;?&gt;[] getRootConfigClasses() {
        return new Class[]{AppConfig.class, WebSecurityConfig.class};
    }

    @Override
    protected Class&lt;?&gt;[] getServletConfigClasses() {
        return new Class[]{WebConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        return new String[]{&quot;/&quot;};
    }
}

In spring security documentation (https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#headers) it's mentioned that

> Spring Security provides a default set of security related HTTP
> response headers to provide secure defaults.

But, I can't see any security header in Response Header, it seems that spring security is not enabled in my project.

春季安全注释@EnableWebSecurity在Spring MVC项目中不起作用。

If I add header option manually in to @Controller class method it works

@Controller
public class WController {
    @GetMapping(&quot;/hello&quot;)
    public String sayHello(HttpServletResponse response, Model model) {
        response.setHeader(&quot;X-Frame-Options&quot;, &quot;SAMEORIGIN&quot;);
        return &quot;htmlPageTemplate&quot;;
    }
}

春季安全注释@EnableWebSecurity在Spring MVC项目中不起作用。

Please check, What I made wrong.
How to fix and enable web security properly?

答案1

得分: 0

我错过了 filter,只是添加了一个新类来扩展 AbstractSecurityWebApplicationInitializer,然后问题就解决了。

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

}
英文:

I missed filter, just added new class to extend AbstractSecurityWebApplicationInitializer, and it fixed the problem.

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

}

huangapple
  • 本文由 发表于 2020年4月8日 16:55:51
  • 转载请务必保留本文链接:https://go.coder-hub.com/61096883.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定