I am trying to disable the XFrameOptions header, or set it to SAME_ORIGIN, only for specific URLs in my Spring Boot project using Spring Security. Here is the code:
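```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Matcher meant to select only the embed URLs
        RequestMatcher matcher = new AntPathRequestMatcher("**/course/embed/**");
        // Delegates to an XFrameOptionsHeaderWriter only when the matcher matches the request
        DelegatingRequestMatcherHeaderWriter headerWriter =
                new DelegatingRequestMatcherHeaderWriter(matcher, new XFrameOptionsHeaderWriter());
        http.headers()
                .frameOptions().sameOrigin()
                .addHeaderWriter(headerWriter);
    }
}
```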
I am using AntRequestMatcher, but it does not work; instead it disables the XFrameOptions header for all responses. Is there a better way to do this? Please help.
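
One way to scope `X-Frame-Options` per path, shown as an added example that is not part of the original post: the global frame-options writer is switched off and two path-scoped writers take its place, so embed URLs get `SAMEORIGIN` and every other response keeps `DENY` as clickjacking protection. It assumes Spring Security 5.x (where `WebSecurityConfigurerAdapter` still exists); the class name `PerPathFrameOptionsConfig` and the pattern `/course/embed/**` are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class PerPathFrameOptionsConfig extends WebSecurityConfigurerAdapter {

    // Assumed pattern: embed pages live under /course/embed/, relative to the context path.
    private static final String EMBED_PATTERN = "/course/embed/**";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestMatcher embed = new AntPathRequestMatcher(EMBED_PATTERN);
        // Complement of the embed matcher, so exactly one writer applies to any request.
        RequestMatcher everythingElse = new NegatedRequestMatcher(embed);

        http.headers()
            // Turn off the global X-Frame-Options writer so that only the
            // two path-scoped writers below emit the header.
            .frameOptions().disable()
            // Embed pages may be framed by pages of the same origin.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                embed, new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
            // All other responses refuse framing entirely.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                everythingElse, new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)));
    }
}
```

Comparing the response headers of one embed URL and one non-embed URL confirms which mode each path receives.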