Spring 安全中的 X-Frame DENY

Question

我在 spring 项目中使用jquery 下载插件，但浏览器给我以下错误：

Refused to display 'http://localhost:8086/DART/fleetAndCar/download/5' in a frame because it set 'X-Frame-Options' to 'DENY'.

我读到的是 Spring Security 中关于 Xframe 的问题，所以我添加了

http
    .headers()
      .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

但它不会改变拒绝但甚至添加 SAMEORIGIN 所以我有他以下错误：

Multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN') encountered when loading 'http://localhost:8086/DART/fleetAndCar/download/5'. Falling back to 'DENY'.

这是http请求：

这是我的弹簧配置：

@Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
            .antMatcher("/client/**")
            .authorizeRequests()
            //Exclude send file from authentication because it doesn't work with spring authentication
            .antMatchers(HttpMethod.POST, "/client/file").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Autowired
        RoleServices roleServices;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
            //Spring Security ignores request to static resources such as CSS or JS files.
            .ignoring()
            .antMatchers("/static/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {         
            List<Role> roles=roleServices.getRoles();
            //Retrieve array of roles(only string field without id)
            String[] rolesArray = new String[roles.size()];
            int i=0;
            for (Role role:roles){
                rolesArray[i++] = role.getRole();
            }

            http
            .headers()
               .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
               .and()
            .authorizeRequests() //Authorize Request Configuration
            .anyRequest().hasAnyRole(rolesArray)//.authenticated()
            .and() //Login Form configuration for all others
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .exceptionHandling().accessDeniedPage("/403")
            .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll();

        }
    }

我该如何解决这个问题？谢谢（尽管出现错误，但下载工作正常）

Answer 1

尝试

 http
        .headers()
        .frameOptions()
        .sameOrigin();