使用SpringSecurity4引发的问题:Refused to display 'http://localhost:8080/xx in a frame because it set 'X-Fr

再将Spring Security3升级到Spring Security4后发现访问网页子窗口的时候在火狐的firebug中发现一个问题:

Refused to display 'http://localhost:8080/xxx' in a frame because it set 'X-Frame-Options' to 'DENY'.

网上查询说是跨域问题;


问题就简单化了,

Spring Security4默认是将'X-Frame-Options' 设置为 'DENY'

所以重新配置下SpringSecurity,

标签内添加配置:


            

再次访问网站就不会出现这个问题了;

下面是一些其他配置:

  • DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
  • ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

需要更加详细的信息可以参考:http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/appendix-namespace.html#nsa-frame-options




你可能感兴趣的:(SpringSecurity)