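How to fix "Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'"

Today, when uploading images through an iframe or nesting a page inside an iframe, I got the following error: "Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'". I spent a long time looking up material on this problem, and there are many ways to solve it: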

1.

response.setHeader("X-Frame-Options", "SAMEORIGIN"); // fixes the iframe being refused

2. Add a filter to Tomcat's web.xml configuration file

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Neither of the two methods above seemed to work!

3.

<security:http auto-config="true" use-expressions="true">
    <security:headers>
        <security:frame-options policy="SAMEORIGIN"/>
    </security:headers>
</security:http>

4. Write a class that extends WebSecurityConfigurerAdapter and set the options

package cn.wzz.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enable Spring Security annotations
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Turn off CSRF protection
        http.csrf().disable();
        // The cross-origin problem
        http.headers().frameOptions().disable();

//        http.authorizeRequests()
                //allow all users to access "/" and "/uploadFile"
//                .antMatchers("/uploadFile").permitAll()
                //all other URLs require authorization
//                .anyRequest().authenticated()
//                .and()
//                .formLogin()
//                .loginPage("/login")  //set the login page to "/login"
//                .defaultSuccessUrl("/list")  //after a successful login, redirect to "list" by default
//                .permitAll()
//                .and()
//                .logout()
//                .logoutSuccessUrl("/home")  //the default URL after logout is "/home"
//                .permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // keep static resources from being intercepted
        web.ignoring().antMatchers("/static/**");
    }
}  
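
A narrower alternative to switching the header off for the whole application, as an added example that is not from the original post: it keeps `X-Frame-Options: DENY` on every response except one path, which gets `SAMEORIGIN`, and leaves CSRF protection at its default. The class name `ScopedFrameOptionsConfig` and the choice of `/uploadFile` as the only page that needs same-origin framing are assumptions; the class is meant to replace the `WebSecurityConfig` above, not to sit beside it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example, not the original author's code. Class name is hypothetical.
@Configuration
@EnableWebSecurity
public class ScopedFrameOptionsConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Assumption: only the upload page has to be embeddable, and only
        // by pages served from the same origin.
        RequestMatcher framedPages = new AntPathRequestMatcher("/uploadFile/**");

        http.headers()
            // Remove the single application-wide X-Frame-Options writer ...
            .frameOptions().disable()
            // ... and write the header per path instead, so that no
            // response is sent without it.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                framedPages,
                new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                new NegatedRequestMatcher(framedPages),
                new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)));

        // http.csrf() is not touched, so CSRF protection stays enabled.
        // Request authorization rules are omitted here, as in the class above.
    }
}
```

If the embedding page is served from a different origin than the framed page, `SAMEORIGIN` still blocks it and the browser reports the same kind of error.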

 

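This is actually also a kind of cross-origin problem. There are two good articles that introduce cross-origin problems:

One is on SegmentFault (思否): 《不要再问我跨域的问题了》 ("Stop Asking Me About Cross-Origin Problems")

The other is: 《跨域问题出现原因和解决方案》 ("Causes of Cross-Origin Problems and Their Solutions")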

Reposted from blog.csdn.net/Asa_Prince/article/details/84346618