Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
543 views
in Technique[技术] by (71.8m points)

spring security - How does .headers().frameOptions().disable() work?

About Spring Security to let, control and get access to the h2 web console

I read these two posts:

In conclusion is mandatory use the following ("improved" in someway):

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            ...
            .mvcMatchers("/h2-console/**").hasRole("ADMIN")
            .and()
        .csrf().ignoringAntMatchers("/h2-console/**")
            .and()
        .headers().frameOptions().disable()
            .and()

From above is better use .csrf().ignoringAntMatchers("/h2-console/**") instead of csrf().disable() it for security reasons because the disable point applies only to /h2-console/, the latter is global and is not recommended.

Until here I am fine. And I am able to see the H2 web console once the login process happened and the user has the required role.

enter image description here

Now is mandatory use .headers().frameOptions().disable(), if is not used happens the following:

enter image description here

The localhost refused to connect message appears to any inner block when the mouse's cursor is over any of them

My doubts are:

  1. How does .headers().frameOptions().disable() work?
  2. Is safe to use that sentence for Production Environment? Consider the difference between .csrf().ignoringAntMatchers("/h2-console/**") and csrf().disable(), where the former is specific and the latter is "global" (and is not recommended). Therefore perhaps would be available a specific configuration much better than .headers().frameOptions().disable() (at a first glance for me is a "global" configuration) to only apply to /h2-console/
  3. Could .headers().frameOptions().disable() have any negative effect, directly or indirectly, for other configure(HttpSecurity http) configuration? (Mostly for Production)
question from:https://stackoverflow.com/questions/65894268/how-does-headers-frameoptions-disable-work

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

First, let's look at the X-Frame-Options response header.
This header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>.
Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

Spring Security sets the X-Frame-Options response header to DENY by default.
This tells the browser that the page cannot be displayed in a frame, regardless of the site attempting to do so.
Since the H2 console UI is using <frame> elements, these will not be rendered and you will see the error screen that you shared in your question.

Spring Security allows you to customise this behaviour using .headers().frameOptions() in the Security DSL.
If you choose to disable the X-Frame-Options header (not recommended) by setting .headers().frameOptions().disable(), then Spring Security will not add the X-Frame-Options header to the response.
This means your application could be rendered in a frame, and also could be vulnerable to Clickjacking attacks.

Instead of disabling it, it is sufficient to set X-Frame-Options to SAMEORIGIN, for this use case.

http
    .headers(headers -> headers
        .frameOptions(frameOptions -> frameOptions
            .sameOrigin()
        )
    )

This tells the browser that the page can only be displayed in a frame on the same origin as the page itself.

Since the frames in the H2 console UI (such as http://localhost:8080/h2-console/tables.do) are on the same origin as the the H2 console (http://localhost:8080/h2-console), the browser will allow them to be displayed.

However, if a different (potentially malicious) website tried to embed one the pages, the browser would not allow it.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...