SyntaxFix

[java] How to disable 'X-Frame-Options' response header in Spring Security?

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags

This question is related to java spring spring-security spring-boot x-frame-options

The answer is

If using XML configuration you can use 

<beans xmlns="http://www.springframework.org/schema/beans" 
       xmlns:security="http://www.springframework.org/schema/security"> 
<security:http>
    <security:headers>
         <security:frame-options disabled="true"></security:frame-options>
    </security:headers>
</security:http>
</beans>

If you're using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method:

http.headers().frameOptions().disable();

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.* properties. In particular, if you want to disable the X-Frame-Options default header, just add the following to your application.properties:

security.headers.frame=false

There is also security.headers.cache, security.headers.content-type, security.headers.hsts and security.headers.xss properties that you can use. For more information, take a look at SecurityProperties.

Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN. If you are using the Java Configs (Spring Boot) and would like to allow the X-Frame-Options: SAMEORIGIN, then you would need to use the following.

For older Spring Security versions:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

For newer versions like Spring Security 4.0.2:

http
   .headers()
      .frameOptions()
         .sameOrigin();

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
   WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().disable()
      ...;
  }
}

Source: Stackoverflow.com

Examples related to java

Under what circumstances can I call findViewById with an Options Menu / Action Bar item? How much should a function trust another function How to implement a simple scenario the OO way Two constructors How do I get some variable from another class in Java? this in equals method How to split a string in two and store it in a field How to do perspective fixing? String index out of range: 4 My eclipse won't open, i download the bundle pack it keeps saying error log

Examples related to spring

Are all Spring Framework Java Configuration injection examples buggy? Two Page Login with Spring Security 3.2.x Access blocked by CORS policy: Response to preflight request doesn't pass access control check Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured ApplicationContextException: Unable to start ServletWebServerApplicationContext due to missing ServletWebServerFactory bean Failed to auto-configure a DataSource: 'spring.datasource.url' is not specified Spring Data JPA findOne() change to Optional how to use this? After Spring Boot 2.0 migration: jdbcUrl is required with driverClassName The type WebMvcConfigurerAdapter is deprecated No converter found capable of converting from type to type

Examples related to spring-security

Two Page Login with Spring Security 3.2.x Spring 5.0.3 RequestRejectedException: The request was rejected because the URL was not normalized Unsupported Media Type in postman How Spring Security Filter Chain works Spring security CORS Filter How to configure CORS in a Spring Boot + Spring Security application? Failed to load ApplicationContext (with annotation) disabling spring security in spring boot app When to use Spring Security`s antMatcher()? How to manage exceptions thrown in filters in Spring?

Examples related to spring-boot

Access blocked by CORS policy: Response to preflight request doesn't pass access control check Why am I getting Unknown error in line 1 of pom.xml? Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured How to resolve Unable to load authentication plugin 'caching_sha2_password' issue ApplicationContextException: Unable to start ServletWebServerApplicationContext due to missing ServletWebServerFactory bean Failed to auto-configure a DataSource: 'spring.datasource.url' is not specified After Spring Boot 2.0 migration: jdbcUrl is required with driverClassName ERROR Source option 1.5 is no longer supported. Use 1.6 or later How to start up spring-boot application via command line? JSON parse error: Can not construct instance of java.time.LocalDate: no String-argument constructor/factory method to deserialize from String value

Examples related to x-frame-options

How to disable 'X-Frame-Options' response header in Spring Security? How to set 'X-Frame-Options' on iframe? X-Frame-Options on apache X-Frame-Options: ALLOW-FROM in firefox and chrome Overcoming "Display forbidden by X-Frame-Options" How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

Tags

C++-standard-library Inventory Federation Gwt2 Scrumboard Comparison Asciidoc Jsr199 Auto-responder Cgfloat Divide Schemaspy Datarepeater Env Android-networking Assembly-signing Zope Git-daemon Save-dialog Helios Public-key-encryption Topmost Continuous-forms Discrete-space Mysql-dependent-subquery Directsound Shebang Automatic-differentiation Page-layout Django-openid-auth Setstring Aspect-ratio Paypal-soap Vsewss Resttemplate N2 Office-2010 Methodinfo Avcapturesession Ajax-upload Cellular-network Httpcfg.exe Iron Crash-log Eeprom Webgrid Shunting-yard Commutativity Endpoints Facescontext Method-signature Copy-on-write Dynamic-url Notice Static-html Scalar Documentation-generation Elasticlayout Algebra Php Haskell-platform Reactive-extensions-js Xpathdocument Nsfetchedresultscontroller Networkx Eclipse-pdt Framemaker Openframeworks Sccm Child-process Eoferror Onunload Libpcap Preemptive Webui Linq-to-xml Osworkflow Register-allocation Soappy Json Elliptic-curve Ctags Snmp Wordpress-geo-mashup Variadic In-clause Icon-language Ora-00934 Loadmodule Zend-server-ce Config-files Try-catch-finally Scalaquery Custom-eventlog Remote-registry Eeepc Findcontrol F# Storyboard Cmyk