再将Spring Security3升级到Spring Security4后发现访问网页子窗口的时候在火狐的firebug中发现一个问题:
Refused to display 'http://localhost:8080/xxx' in a frame because it set 'X-Frame-Options' to 'DENY'.
网上查询说是跨域问题;
问题就简单化了,
Spring Security4默认是将'X-Frame-Options' 设置为 'DENY'
所以重新配置下SpringSecurity,
在<http>标签内添加配置:
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
再次访问网站就不会出现这个问题了;
下面是一些其他配置:
-
- DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
- ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.
参考:http://blog.csdn.net/wenj91/article/details/50837457