How to Disable 'X-Frame-Options' Response Header in Spring Security

How to disable 'X-Frame-Options' response header in Spring Security?

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are the available options for policy:

  • DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
  • ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note that you might also need to specify an appropriate strategy, based on your needs.

How does .headers().frameOptions().disable() work?

First, let's look at the X-Frame-Options response header.

This header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>.

Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

Spring Security sets the X-Frame-Options response header to DENY by default.

This tells the browser that the page cannot be displayed in a frame, regardless of the site attempting to do so.

Since the H2 console UI is using <frame> elements, these will not be rendered and you will see the error screen that you shared in your question.

Spring Security allows you to customise this behaviour using .headers().frameOptions() in the Security DSL.

If you choose to disable the X-Frame-Options header (not recommended) by setting .headers().frameOptions().disable(), then Spring Security will not add the X-Frame-Options header to the response.

This means your application could be rendered in a frame, and also could be vulnerable to Clickjacking attacks.

Instead of disabling it, it is sufficient to set X-Frame-Options to SAMEORIGIN, for this use case.

http
    .headers(headers -> headers
        .frameOptions(frameOptions -> frameOptions
            .sameOrigin()
        )
    );

This tells the browser that the page can only be displayed in a frame on the same origin as the page itself.

Since the frames in the H2 console UI (such as http://localhost:8080/h2-console/tables.do) are on the same origin as the H2 console (http://localhost:8080/h2-console), the browser will allow them to be displayed.

However, if a different (potentially malicious) website tried to embed one the pages, the browser would not allow it.
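The same SAMEORIGIN setting expressed in the component-based style that replaced WebSecurityConfigurerAdapter in Spring Security 6 (a SecurityFilterChain bean), followed by a MockMvc test that checks the header actually reaches the response. This is an added example, not code from the answers above or from the Spring project; it assumes a Spring Boot 3 / Spring Security 6 application with the H2 console enabled, and the class names FrameOptionsConfig and FrameOptionsHeaderTest are made up.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

// Hypothetical configuration class (not from the answers above).
@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // PathRequest.toH2Console() matches the console's servlet path without
                // needing an MVC/Ant matcher decision
                .requestMatchers(PathRequest.toH2Console()).permitAll()
                .anyRequest().authenticated())
            // The console posts forms without a CSRF token; exempt only that path
            .csrf(csrf -> csrf.ignoringRequestMatchers(PathRequest.toH2Console()))
            // SAMEORIGIN rather than disable(): the console's own frames render,
            // but a third-party page still cannot embed the application
            .headers(headers -> headers
                .frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}

// Hypothetical test (would live under src/test/java); verifies the header is emitted.
@SpringBootTest
@AutoConfigureMockMvc
class FrameOptionsHeaderTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void h2ConsoleIsFrameableOnlyFromSameOrigin() throws Exception {
        // HeaderWriterFilter adds the header even though MockMvc does not dispatch
        // to the H2 servlet itself, so a 404 body still carries the policy
        mockMvc.perform(get("/h2-console"))
            .andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
    }
}
```

If the header ever disappears (for example because someone later calls frameOptions().disable()), the test fails, which is the cheapest way to keep the clickjacking protection from silently regressing.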

Disable X-Frame-Options response header for a URL in Spring Security Java config

You need to configure multiple HttpSecurity instances. The key is to extend the WebSecurityConfigurerAdapter multiple times. For example, the following is an example of having a different configuration for URLs that match with **/course/embed/**. If matches, X-Frame-Options will be SAMEORIGIN, otherwise DENY.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebMVCSecurity {
    // Configure authentication as normal; optional, shown only as a sample to indicate you can add other config like this
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // On Spring Security 5+ plain-text passwords need an encoder id prefix such as "{noop}"
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    // Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // The http.antMatcher states that this HttpSecurity will only be applicable to URLs that match with **/course/embed/**
            http.antMatcher("**/course/embed/**").headers().frameOptions().sameOrigin();
        }
    }

    // Create another instance of WebSecurityConfigurerAdapter.
    // If the URL does not match with **/course/embed/** this configuration will be used.
    // This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin();

            // bla bla bla ...
        }
    }
}
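The same per-path split written against Spring Security 6, where WebSecurityConfigurerAdapter no longer exists and each HttpSecurity becomes an @Order-annotated SecurityFilterChain bean scoped with securityMatcher. This is an added example, not the answer's code or the Spring project's; it assumes a Spring Boot 3 application, uses the path /course/embed/** (the answer's pattern without its leading **), and the class and bean names are made up.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class (not from the answer above).
@Configuration
@EnableWebSecurity
public class PerPathFrameOptionsConfig {

    // Evaluated first: securityMatcher restricts this chain to the embeddable pages,
    // so only they get the relaxed SAMEORIGIN policy.
    @Bean
    @Order(1)
    SecurityFilterChain embedChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/course/embed/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .headers(headers -> headers
                .frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }

    // Catch-all chain for every other request. It is ordered explicitly rather than
    // relying on the unordered-bean default, and leaves X-Frame-Options at DENY.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // In-memory users as in the answer; "{noop}" is the encoder id Spring Security 5+
    // requires for plain-text passwords (constructed sample credentials).
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password("{noop}password").roles("USER").build(),
            User.withUsername("admin").password("{noop}password").roles("USER", "ADMIN").build());
    }
}
```

Two chains with the same @Order value would trigger the ordering error described further down the page, so give every SecurityFilterChain bean its own explicit value and put the most specific securityMatcher first.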

Enable X-Frame-Options header in a Spring Boot application (without Spring Security)

You can create a custom filter and set header there:

import java.io.IOException;
import javax.servlet.FilterChain;          // jakarta.servlet.* on Spring Boot 3
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Declared as a bean so Spring Boot registers it with the servlet container
@Component
public class XFrameFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest httpRequest,
                                    HttpServletResponse httpResponse,
                                    FilterChain filterChain) throws ServletException, IOException {
        // Header names are case-insensitive; set it before continuing so every response carries it
        httpResponse.setHeader("X-FRAME-OPTIONS", "DENY");

        filterChain.doFilter(httpRequest, httpResponse);
    }
}

X-Frame Options Spring Boot

X-Frame-Options is an HTTP response header which is set by the server from which you are requesting the resource. It is used to indicate whether or not the browser should be allowed to render a page in a <frame>, to avoid clickjacking attacks by ensuring that the content is not embedded into other sites.

Please see the MDN docs about it: X-Frame-Options.

So if a resource on youtube.com sets X-Frame-Options to DENY, then that resource is not allowed to render in a <frame>. If it is SAMEORIGIN, the resource can only be rendered in a <frame> on the same domain as the page itself. ALLOW-FROM uri is an obsolete directive that no longer works in modern browsers.

If you want to embed a YouTube video in your site, just use the share feature and copy the HTML code into your site; it should work. Here's an example.
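Since ALLOW-FROM is obsolete, the way to permit one specific external origin to frame a page is the Content-Security-Policy frame-ancestors directive, while X-Frame-Options stays as a fallback for browsers without CSP2 support (browsers that understand frame-ancestors ignore X-Frame-Options when both are present). The filter below, for a Spring Boot application without Spring Security as in the "custom filter" answer above, sets both headers and picks the policy per path. This is an added example, not code from either answer; the path prefix /embed/, the origin https://partner.example and the class name FramingHeadersConfig are placeholders, and the jakarta.servlet imports assume Spring Boot 3 (javax.servlet on Boot 2).

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical configuration class (not from the answers above).
@Configuration
public class FramingHeadersConfig {

    // Placeholder: pages under this prefix may be framed by the partner origin.
    private static final String EMBED_PREFIX = "/embed/";
    // Placeholder partner origin; 'self' keeps the application's own frames working.
    private static final String EMBED_FRAME_ANCESTORS =
        "frame-ancestors 'self' https://partner.example";

    @Bean
    public FilterRegistrationBean<OncePerRequestFilter> framingHeadersFilter() {
        OncePerRequestFilter filter = new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain)
                    throws ServletException, IOException {
                // Compare against the path inside this application, ignoring the context path
                String path = request.getRequestURI().substring(request.getContextPath().length());
                if (path.startsWith(EMBED_PREFIX)) {
                    // Modern replacement for ALLOW-FROM: an explicit allow-list of framing origins
                    response.setHeader("Content-Security-Policy", EMBED_FRAME_ANCESTORS);
                    // Legacy fallback: X-Frame-Options cannot express a foreign origin,
                    // so the closest safe value is same-origin only
                    response.setHeader("X-Frame-Options", "SAMEORIGIN");
                } else {
                    // Everything else is never frameable, in both header dialects
                    response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
                    response.setHeader("X-Frame-Options", "DENY");
                }
                // Headers are set before the chain runs so they are present even when a
                // downstream handler commits the response early
                chain.doFilter(request, response);
            }
        };
        FilterRegistrationBean<OncePerRequestFilter> registration = new FilterRegistrationBean<>(filter);
        registration.addUrlPatterns("/*");
        // Run before other filters so nothing can short-circuit the chain without the headers
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

If the application already sets a Content-Security-Policy with other directives, merge frame-ancestors into that single header value rather than emitting a second one, since browsers enforce the intersection of all CSP headers they receive.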

Exception in Spring Boot when changing configuration of X-Frame-Options to ALLOW-FROM

The default order for a WebSecurityConfigurer adapter is 100 and you appear to have two in your application:

  • com.sampleapp.myapp.ecards.MyApplicationConfiguration
  • com.sampleapp.dep.dsp.core.autoconfigure.DsfCoreAutoConfiguration$DSFServerWebSecurityConfig

You should update one of them to be explicitly annotated with @Order, specifying a value other than 100. Given the limitations you've described, adding @Order to com.sampleapp.myapp.ecards.MyApplicationConfiguration seems to be more likely to be ok. Whether its order should be higher or lower will depend on the relationship between the different parts of your security configuration and, if that configuration overlaps, which one you want to take precedence.
