SpringSecurity使用iframe
概述
配置
解决无法使用 iframe
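Spring Security 默认会在响应中加上 X-Frame-Options: DENY,浏览器因此拒绝在 iframe 中加载页面。在继承 WebSecurityConfigurerAdapter 的自定义配置类中,重写参数类型为 HttpSecurity 的 configure 方法,并在其中加入:http.headers().frameOptions().sameOrigin(); 这样只允许同源页面嵌入本应用,仍保留对点击劫持的防护;不要改用 frameOptions().disable(),那会完全去掉该响应头。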
package com.ccsoft.dbmbili.configuration;
import com.ccsoft.dbmbili.service.impl.UserDetailServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
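/**
 * Spring Security configuration for the application: form login, logout, a custom
 * access-denied handler, and an {@code X-Frame-Options: SAMEORIGIN} response header
 * so that pages of this application can be embedded in an iframe by same-origin pages.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since Spring
 * Security 5.7 and removed in 6.0; on newer versions the same settings are declared
 * on a {@code SecurityFilterChain} bean.
 *
 * @author chanchaw
 * @create 2022-09-07 16:34
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailServiceImpl userDetailService;

    /**
     * Authentication: users are loaded through {@code userDetailService} and passwords
     * are checked with {@code MyPasswordEncoder}.
     *
     * @param auth builder for the authentication manager
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // NOTE(review): MyPasswordEncoder is not shown here; confirm it delegates to an
        // adaptive hash (for example BCryptPasswordEncoder) and never compares or stores
        // plain-text or bare-digest passwords.
        auth.userDetailsService(userDetailService).passwordEncoder(new MyPasswordEncoder());
    }

    /**
     * Authorization and HTTP-level protections: login/logout endpoints, CSRF setting,
     * access-denied handling and the frame-options header.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): authorizeRequests() is opened without any matcher, so this chain
        // declares no URL that requires authentication. Unless access is enforced
        // elsewhere (e.g. method security), add explicit rules such as
        // .anyRequest().authenticated() here.
        //
        // NOTE(review): CSRF protection is switched off while the application uses
        // session-based form login, which leaves state-changing requests without
        // cross-site request forgery protection. Keep it enabled unless every client is
        // stateless and token-authenticated.
        http.authorizeRequests()
                .and().formLogin().loginPage("/login").permitAll()
                .and().logout().permitAll()
                .and().csrf()
                .disable();

        http.exceptionHandling().accessDeniedHandler(new AccessDeniedHandler() {
            /**
             * Called when a request is rejected with an {@link AccessDeniedException}:
             * marks the request with {@code authError = true} and forwards it to the
             * login page.
             */
            @Override
            public void handle(HttpServletRequest request, HttpServletResponse response,
                    AccessDeniedException accessDenied) throws IOException, ServletException {
                // Lets the login view show an authorization error message.
                request.setAttribute("authError", true);
                // A dispatcher path starting with "/" is already resolved against the
                // context root, so the context path must not be prepended; doing so made
                // the forward target "/<context>/login" inside the context and fail
                // whenever the application was not deployed at the root.
                request.getRequestDispatcher("/login").forward(request, response);
            }
        });

        // Spring Security sends X-Frame-Options: DENY by default. SAMEORIGIN permits
        // framing only by pages of the same origin, which keeps clickjacking protection
        // for every other site. Do not replace this with frameOptions().disable(); if a
        // specific external origin must embed the application, declare it with a
        // Content-Security-Policy frame-ancestors directive instead.
        http.headers().frameOptions().sameOrigin();
    }
}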
