Description
Rossen Stoyanchev (Migrated from SEC-2501) said:
Customizing the X-Frame-Options mode used by default in the Java config is not an unlikely customization. For example, the SockJS protocol has two iframe-based protocols, which are actually the main choice when running in IE 8, 9. Both transports fail with Spring Security's Java config out of the box.
A customization like this is possible:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Replace the default X-Frame-Options writer (DENY) with one that emits SAMEORIGIN
            .headers().addHeaderWriter(
                new XFrameOptionsHeaderWriter(
                    XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
            .and()
            ...
    }
}
```
It would be nice to get a simpler syntax for this customization.
The second challenge is that, in customizing the X-Frame-Options value via `.headers()`, I've actually disabled all other security. This is actually not obvious and there is also no convenient recourse. I suppose I could re-enable all of them, but I would have to keep checking with every new Spring Security release if there are others. It would be much better if I could customize the X-Frame-Options header only.