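Today, while uploading images through an iframe or embedding a page in an iframe, I ran into the following error: "Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'". I spent a long time searching for material on this problem and found several solutions:
1.
response.setHeader("X-Frame-Options", "SAMEORIGIN"); // Fixes the iframe being refused
2. Add a filter to Tomcat's web.xml configuration file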
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Neither of the two methods above seemed to work!
3.
<security:http auto-config="true" use-expressions="true">
    <security:headers>
        <security:frame-options policy="SAMEORIGIN"/>
    </security:headers>
</security:http>
4. Write a class that extends WebSecurityConfigurerAdapter and set the parameters
package cn.wzz.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // Enable Spring Security annotations
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Turn off CSRF protection
        http.csrf().disable();
        // The cross-origin (iframe) issue: this stops Spring Security from sending
        // X-Frame-Options at all, so pages from any origin can frame the application;
        // frameOptions().sameOrigin() would allow same-origin framing only
        http.headers().frameOptions().disable();
        // http.authorizeRequests()
        //     // Allow all users to access "/" and "/uploadFile"
        //     .antMatchers("/uploadFile").permitAll()
        //     // All other URLs require authentication
        //     .anyRequest().authenticated()
        //     .and()
        //     .formLogin()
        //     .loginPage("/login")          // Use "/login" as the login page
        //     .defaultSuccessUrl("/list")   // Redirect to "list" by default after a successful login
        //     .permitAll()
        //     .and()
        //     .logout()
        //     .logoutSuccessUrl("/home")    // Default URL after logout is "/home"
        //     .permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Stop static resources from being intercepted
        web.ignoring().antMatchers("/static/**");
    }
}
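Spring Security sends X-Frame-Options: DENY by default, which matches the error message above. A narrower variant of method 4 that relaxes framing to same-origin pages only instead of removing the header (added example, not the original author's code; the class name SameOriginFrameConfig is hypothetical, and the same WebSecurityConfigurerAdapter-based Spring Security version as the class above is assumed):

```java
package cn.wzz.web;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. Use it in place of WebSecurityConfig, not alongside it.
@Configuration
@EnableWebSecurity
public class SameOriginFrameConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            // Weak setting from method 4: frameOptions().disable() sends no
            // X-Frame-Options header, so any site can frame these pages.
            // Corrected setting: send "X-Frame-Options: SAMEORIGIN", which lets
            // the application's own pages frame the upload page and nothing else.
            .frameOptions().sameOrigin()
            // The same rule expressed as a Content-Security-Policy directive,
            // for browsers that enforce frame-ancestors.
            .contentSecurityPolicy("frame-ancestors 'self'");

        // CSRF protection is left at its default (enabled): the iframe error is
        // caused by the framing header only, so csrf().disable() is not needed
        // to fix it. Authorization rules are omitted here, as in the class above.
    }
}
```

After redeploying, the response headers of the framed page in the browser's network panel should show X-Frame-Options: SAMEORIGIN rather than DENY.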
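This iframe error is in fact also a kind of cross-origin problem. There are two good articles that introduce cross-origin issues ==>
One is on SegmentFault: "Stop Asking Me About Cross-Origin Issues"
The other is: "Causes of Cross-Origin Problems and Their Solutions"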