Jeets

Reputation: 3367

Not able to set X-Frame option in servlet response from Spring controller

I am trying to open a PDF in an embed tag. The PDF is rendered from a servlet thus:

    // Serve the PDF inline and tell the browser it may be framed
    response.setContentType("application/pdf");
    response.setHeader("Content-Disposition", "inline; filename=\"" + pab.getPdfName() + "\"");
    response.setHeader("X-Frame-Options", "ALLOW");
    response.setContentLength((int) pdfFile.length());
    // Copy the file to the response body
    fileInputStream = new FileInputStream(pdfFile);
    responseOutputStream = response.getOutputStream();
    int bytes;
    while ((bytes = fileInputStream.read()) != -1) {
        responseOutputStream.write(bytes);
    }

However, even after setting X-Frame-Options to ALLOW as shown above, I still get the error:

Multiple 'X-Frame-Options' headers with conflicting values ('ALLOW, DENY') encountered when loading 'http://localhost:8082/b2bNext/viewPdf'. Falling back to 'DENY'.

I am using Spring 4.x. Can anybody suggest how I can get over it and display the PDF? Thanks in advance.

Upvotes: 1

Views: 2491

Answers (4)

Pat

Reputation: 21

Setting these headers to my response worked for me.

response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", " frame-ancestors 'self'");

Reference: https://infosec.mozilla.org/guidelines/web_security#x-frame-options

Upvotes: 1

S. Doe

Reputation: 785

You can also do this in Java code in your implementation of WebSecurityConfigurerAdapter:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        [... your stuff ...]
        .and().headers().frameOptions().sameOrigin();
}

Upvotes: 0
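A complete configuration class along the lines of the answer above, added here as an example (it is not the answerer's code and not part of the original post). It assumes Spring Security 4.1 or later, where `headers().contentSecurityPolicy(String)` exists, and it uses the `/viewPdf` path from the question's error message; the class name and the matcher rules are illustrative. The point is to declare the framing policy once, in Spring Security, and not also in the servlet: Spring Security's header writer emits `X-Frame-Options: DENY` by default, so a second value added by the servlet produces exactly the "conflicting values" message the browser reports, and the browser then falls back to DENY.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; the framing policy lives here, not in the servlet.
@Configuration
@EnableWebSecurity
public class FramingSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed URL layout: the PDF endpoint from the question needs a login,
                // everything else is open. Adjust to your own rules.
                .antMatchers("/viewPdf").authenticated()
                .anyRequest().permitAll()
                .and()
            .headers()
                // Replace the default X-Frame-Options: DENY with SAMEORIGIN so pages on
                // this origin may embed the PDF. Do NOT also set the header in the servlet,
                // otherwise the response carries two values and the browser uses DENY.
                .frameOptions().sameOrigin()
                .and()
                // Modern browsers prefer CSP frame-ancestors over X-Frame-Options; keep the
                // two in agreement. Requires Spring Security 4.1+ (assumption).
                .contentSecurityPolicy("frame-ancestors 'self'");
    }
}
```

With this in place, remove the `response.setHeader("X-Frame-Options", "ALLOW")` line from the servlet. `ALLOW` is not a value browsers recognise for this header; the defined values are `DENY`, `SAMEORIGIN` and the deprecated `ALLOW-FROM uri`. If the page that embeds the PDF is served from a different origin than the servlet, `SAMEORIGIN` will still block it, and the supported way to permit that specific origin is a `frame-ancestors` directive naming it rather than a wildcard.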

TheKojuEffect

Reputation: 21081

This seems to be a bug with spring-security. https://github.com/spring-projects/spring-security/issues/5193

Workarounds:

JavaConfig: https://github.com/spring-projects/spring-security/issues/2953#issue-131777949

XmlConfig: https://github.com/spring-projects/spring-security/issues/2953#issuecomment-335443527

Using Content-Security-Policy instead of X-Frame-Options: response.setHeader("Content-Security-Policy", "frame-ancestors 'self'"); can be used in place of the X-Frame-Options header.

Upvotes: 0

Jeets

Reputation: 3367

Fixed by adding the frame options in the security context file.

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/rateWebService" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="permitAll" />
    <form-login login-page="/loginA2B" login-processing-url="/j_spring_security_check" default-target-url="/rateWebService" authentication-failure-url="/loginA2B?valid=false" />
    <logout logout-url="/j_spring_security_logout" logout-success-url="/logout" />
    <csrf disabled="true"/>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Upvotes: 1
