X-Frame DENY in Spring security

Question

I'm using jquery download plugin in my spring project but browser give me the following error:

Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'.

I read is a problem about Xframe in spring security so I have added

http
    .headers()
      .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

but it doesn't change DENY but add even SAMEORIGIN so I have he following error:

Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'.

and this is the http request:

this is my spring configuration:

@Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
            .antMatcher("/client/**")
            .authorizeRequests()
            //Exclude send file from authentication because it doesn't work with spring authentication
            .antMatchers(HttpMethod.POST, "/client/file").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Autowired
        RoleServices roleServices;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
            //Spring Security ignores request to static resources such as CSS or JS files.
            .ignoring()
            .antMatchers("/static/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {         
            List<Role> roles=roleServices.getRoles();
            //Retrieve array of roles(only string field without id)
            String[] rolesArray = new String[roles.size()];
            int i=0;
            for (Role role:roles){
                rolesArray[i++] = role.getRole();
            }

            http
            .headers()
               .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
               .and()
            .authorizeRequests() //Authorize Request Configuration
            .anyRequest().hasAnyRole(rolesArray)//.authenticated()
            .and() //Login Form configuration for all others
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .exceptionHandling().accessDeniedPage("/403")
            .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll();

        }
    }

How can I fix this problem?Thanks (the download works fine despite the error)

score 3 · Answer 1 · answered Oct 08 '19 at 20:43

You can do it in your spring security config file like this:

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Also you can do it with java configuration in this way:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
        WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().sameOrigin();
    }
}

For older spring versions use:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

Instead of:

http.headers().frameOptions().sameOrigin();

Finally., these are the available options:

DENY: Does not allow any domain to display this page within a frame.

SAMEORIGIN: Allows the current page to be displayed in a frame on another page, but only within the current domain.

ALLOW-FROM: Allows the current page to be displayed in a frame, but only in a specific URI. For example www.example.com/frame-page

score 0 · Answer 2 · answered Feb 13 '17 at 15:05

0

try

 http
        .headers()
        .frameOptions()
        .sameOrigin();

answered Feb 13 '17 at 15:05

Mix

459
1
7
20

could you provide us more details related with your code.? Thank you – Robert Feb 13 '17 at 21:09
@Robert I have answer the question with more details, just in case. – John Alexander Betts Oct 08 '19 at 20:45

X-Frame DENY in Spring security

2 Answers2

Linked