使用SpringSecurity4引起的問題:Refused to display 'http://localhost:8080/xx in a frame because it set 'X-Fr

再將Spring Security3升級到Spring Security4後發現訪問網頁子窗口的時候在火狐的firebug中發現一個問題:

Refused to display 'http://localhost:8080/xxx' in a frame because it set 'X-Frame-Options' to 'DENY'.

網上查詢說是跨域問題;

 

問題就簡單化了,

Spring Security4默認是將'X-Frame-Options' 設置爲 'DENY'

因此從新配置下SpringSecurity,

在<http>標籤內添加配置:

<headers>
            <frame-options policy="SAMEORIGIN" />
</headers>

再次訪問網站就不會出現這個問題了;

下面是一些其餘配置:

 

• DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
• ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

參考：http://blog.csdn.net/wenj91/article/details/50837457