英文:
Spring Security Anotation @EnableWebSecurity does not works in Spring MVC project
问题
我必须在我的Spring MVC项目中启用X-Frame-Options: SAMEORIGIN,以将此参数返回到HTTP响应头中。项目部署在Apache Tomcat 9上。
以下是我的Web安全配置:
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().sameOrigin();
}
}
这是我如何初始化Dispatcher Servlet:
public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[]{AppConfig.class, WebSecurityConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{WebConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
}
在Spring安全文档(https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#headers)中提到:
Spring Security提供了一组默认的与安全相关的HTTP响应头,以提供安全的默认值。
但是,我在响应头中看不到任何安全头,似乎我的项目中未启用Spring Security。
如果我在@Controller类的方法中手动添加头选项,它可以工作:
@Controller
public class WController {
@GetMapping("/hello")
public String sayHello(HttpServletResponse response, Model model) {
response.setHeader("X-Frame-Options", "SAMEORIGIN");
return "htmlPageTemplate";
}
}
请检查,我做错了什么。如何修复并正确启用Web安全?
英文:
I have to enable X-Frame-Options: SAMEORIGIN in my spring MVC project, to return this param in to http response header.
Project is deployed on Apache Tomcat 9.
here is my web security configuration
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().frameOptions().sameOrigin();
}
}
This is how I initialize dispatcher servlet
public class DispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[]{AppConfig.class, WebSecurityConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{WebConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
}
In spring security documentation (https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#headers) it's mentioned that
> Spring Security provides a default set of security related HTTP
> response headers to provide secure defaults.
But, I can't see any security header in Response Header, it seems that spring security is not enabled in my project.
If I add header option manually in to @Controller class method it works
@Controller
public class WController {
@GetMapping("/hello")
public String sayHello(HttpServletResponse response, Model model) {
response.setHeader("X-Frame-Options", "SAMEORIGIN");
return "htmlPageTemplate";
}
}
Please check, What I made wrong.
How to fix and enable web security properly?
答案1
得分: 0
我错过了 filter,只是添加了一个新类来扩展 AbstractSecurityWebApplicationInitializer,然后问题就解决了。
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
英文:
I missed filter, just added new class to extend AbstractSecurityWebApplicationInitializer, and it fixed the problem.
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论