Spring Security issue SEC-2501

Provide a simpler way to customize X-Frame-Options mode used by default in the Java config


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.2.0
    • Fix Version/s: None
    • Component/s: Java Config
    • Labels: None

    Description

      Customizing the X-Frame-Options mode used by default in the Java config is not an unlikely customization. For example, the SockJS protocol has two iframe-based protocols, which are actually the main choice when running in IE 8 and 9. Both transports fail with Spring Security's Java config out of the box.

      A customization like this is possible:

      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
      import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
      import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

      @EnableWebSecurity
      public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
          http
            .headers()
              // Replaces the default X-Frame-Options: DENY writer with SAMEORIGIN
              .addHeaderWriter(new XFrameOptionsHeaderWriter(
                  XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
              .and()

          ...

        }
      }


      It would be nice to get a simpler syntax for this customization.

      The second challenge is that, in customizing the X-Frame-Options value via .headers(), I've actually disabled all other security. This is actually not obvious, and there is also no convenient recourse. I suppose I could re-enable all of them, but I would have to keep checking with every new Spring Security release if there are others. It would be much better if I could customize the X-Frame-Options header only.
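      As an added example (not code from this issue or from the Spring Security project), the following 3.2.0-style Java config shows the workaround the description alludes to: once a custom writer is added via .headers(), the default header writers are no longer applied, so each one has to be re-enabled explicitly next to the SAMEORIGIN writer. It assumes the 3.2.0 HeadersConfigurer methods contentTypeOptions(), xssProtection(), cacheControl() and httpStrictTransportSecurity(), each returning the HeadersConfigurer so they chain; the class name is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;

// Added example targeting Spring Security 3.2.0 (assumed HeadersConfigurer API).
// Adding a writer through .headers() replaces the default writer set, so every
// default header that must survive is listed explicitly below.
@Configuration
@EnableWebSecurity
public class SameOriginFramesSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Defaults that would otherwise be silently dropped:
                .contentTypeOptions()          // X-Content-Type-Options: nosniff
                .xssProtection()               // X-XSS-Protection: 1; mode=block
                .cacheControl()                // Cache-Control / Pragma / Expires
                .httpStrictTransportSecurity() // Strict-Transport-Security on HTTPS requests
                // Replace the default DENY with SAMEORIGIN so same-origin iframe
                // transports (e.g. SockJS in IE 8/9) can load. Do not also call
                // frameOptions() here, or the default DENY writer is added as well.
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

      A quick check after deploying is to request any page over HTTPS and confirm that all five headers are present in the response, not just X-Frame-Options.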

      People

        Assignee: Rob Winch (rwinch)
        Reporter: Rossen Stoyanchev (rstoya05-aop)
        Votes: 0
        Watchers: 4

      Time Tracking

        Original Estimate: 0.5d
        Remaining Estimate: 0.5d
        Time Spent: Not Specified