Allow Iframe for all domains while using Spring Security

Asked by Vaibhav · Dec 4, 2015

I am using Spring Security. By default it does not allow my pages to be loaded in an iframe.

Spring Security sets the `X-Frame-Options` header to `DENY` (its default clickjacking protection). I don't want this header to be included in my application's responses.

Here is my configuration file.

package com.some.package.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.some.package.crm.enums.Role;
import com.some.package.security.AuthSuccessHandler;
import com.some.package.security.AuthenticationProvider;

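@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Project-supplied provider that verifies credentials. Note that this is
     * {@code com.some.package.security.AuthenticationProvider}, not Spring's
     * interface of the same name.
     */
    @Autowired
    private AuthenticationProvider authenticationProvider;

    /** Project-supplied handler invoked after a successful form login. */
    @Autowired
    private AuthSuccessHandler authSuccessHandler;

    /**
     * Registers the project's authentication provider with the global
     * authentication manager.
     *
     * @param auth builder injected by Spring Security
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Password hashing for stored credentials. BCrypt is an adaptive, salted
     * hash; the encoder's default work factor is used here.
     *
     * @return the encoder shared by everything that stores or checks passwords
     */
    @Bean
    public PasswordEncoder getPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Paths that bypass the Spring Security filter chain completely.
     *
     * Requests matched here get no authentication, no CSRF check, no security
     * headers (including X-Frame-Options) and no session management. That is
     * appropriate for static resources, but the password-reset and third-party
     * login paths look like they accept form submissions; if so, consider
     * moving them to {@code permitAll()} inside {@link #configure(HttpSecurity)}
     * so CSRF protection and headers still apply. {@code /notifyCallbackToRecurring}
     * looks like an inbound callback that cannot carry a CSRF token — leaving it
     * here is reasonable only if the caller is authenticated some other way
     * (shared secret, signature, source allow-list); verify that.
     *
     * @param webSecurity builder injected by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity
            .ignoring()
                .antMatchers("/resources/**", "/", "/site/**", "/affLinkCount", "/forgotPassword",
                             "/thirdPartyLogin", "/resetPassword", "/notifyCallbackToRecurring");
    }

    /**
     * Main HTTP security rules: URL authorization, form login, session
     * handling, access-denied handling, logout and response headers.
     *
     * Spring Security adds Cache-Control, X-Content-Type-Options, HSTS,
     * X-Frame-Options and X-XSS-Protection by default, and CSRF protection is
     * on by default; nothing below turns those off.
     *
     * @param http builder injected by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasRole() prepends "ROLE_", so the granted authorities must be
                // ROLE_CUSTOMER / ROLE_ANALYST for these rules to match.
                .antMatchers("/crm/**").hasRole(Role.CUSTOMER.name())
                .antMatchers("/analyst/**").hasRole(Role.ANALYST.name())
                // Everything not ignored in configure(WebSecurity) needs a login.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .failureUrl("/login?failed=true")
                .successHandler(authSuccessHandler)
                .usernameParameter("username")
                .passwordParameter("password")
                .loginProcessingUrl("/j_spring_security_check")
                .permitAll()
                .and()
            .sessionManagement()
                // A brand-new session is created on login (pre-login session
                // attributes are not carried over), which defeats session fixation.
                .sessionFixation().newSession()
                .sessionAuthenticationErrorUrl("/login")
                .invalidSessionUrl("/login")
                // One concurrent session per principal; the older one is expired.
                .maximumSessions(1)
                    .expiredUrl("/login")
                    .and()
                .and()
            .exceptionHandling()
                // An authenticated user lacking the role is sent back to the login
                // page rather than shown a 403 page.
                .accessDeniedPage("/login")
                .and()
            .logout()
                // Matches /logout on any HTTP method, so a GET link logs out; GET
                // logout is not covered by CSRF protection. Restrict to POST if the
                // logout links can be changed.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login")
                .permitAll()
                .and()
            .headers()
                // The question asks to drop X-Frame-Options for every domain, i.e.
                // frameOptions().disable(). Doing that lets any site frame the
                // authenticated pages (clickjacking). SAMEORIGIN keeps same-site
                // framing working while still blocking other origins; if specific
                // external origins must frame the app, allow-list them with a
                // Content-Security-Policy frame-ancestors header instead of
                // ALLOW-FROM, which is non-standard and ignored by several browsers.
                // (frameOptions().sameOrigin()/disable() require Spring Security 4.x.)
                .frameOptions().sameOrigin();
    }

}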

Answer

Answered by Rob Winch · Dec 4, 2015

If you are using Spring Security 4, then you can do this with something like the snippet below. Be aware that `disable()` removes the `X-Frame-Options` header entirely, so any site can frame your pages (clickjacking); if you only need framing from your own origin, `frameOptions().sameOrigin()` is the safer choice.

// Removes the X-Frame-Options header completely: every origin may frame the
// application, including its authenticated pages. Prefer
// .frameOptions().sameOrigin() unless cross-origin framing is a hard requirement.
http
    .headers()
        .frameOptions().disable()
        .and()
    // ...

You can find additional details in the 4.0.x reference.

In Spring Security 3.2.x things are a little different: once you configure any header explicitly under `headers()`, only the headers you list are written. To drop `X-Frame-Options` while keeping the other default headers, enumerate the others and leave `frameOptions()` out:

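// Spring Security 3.2.x: listing headers explicitly replaces the default set,
// so every header you still want must be named here. frameOptions() is
// deliberately omitted — that is what stops X-Frame-Options from being sent.
// (The original snippet had a stray ';' after contentTypeOptions(), which
// broke the chain, and listed frameOptions(), which would re-add the header.)
http
    .headers()
        .contentTypeOptions()
        .xssProtection()
        .cacheControl()
        .httpStrictTransportSecurity()
        .and()
    // ...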

Additional details can be found in the 3.2.x reference.