Marcelo Tataje

Reputation: 3881

Exception in Spring Boot when changing configuration of X-Frame-Options to ALLOW-FROM

I've been working for a while on a project that uses Spring Boot and now, as a requirement, I'm using some HTML files that I will need to render. One of them uses an iframe to display the information of another web page (from another business unit of the same company but in a different domain).

So far, what I did in the SpringConfiguration is the following:

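import java.net.URI;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@EnableWebSecurity
@Configuration
public class MyApplicationConfiguration extends WebSecurityConfigurerAdapter {

    @Value("${company.domain}")
    private String companyDomain;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Replace the default X-Frame-Options header with ALLOW-FROM <company.domain>
        http.headers().frameOptions().disable()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(
                new StaticAllowFromStrategy(URI.create(this.companyDomain))));
    }
}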

It should work fine according to what I checked on the Internet and forums, but it is failing with the following:

Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique. Order of 100 was already used on com.sampleapp.myapp.ecards.MyApplicationConfiguration$$EnhancerBySpringCGLIB$$24364a75@13ecedf6, so it cannot be used on com.sampleapp.dep.dsp.core.autoconfigure.DsfCoreAutoConfiguration$DSFServerWebSecurityConfig$$EnhancerBySpringCGLIB$$a540fd8@7ec416a0 too.

Just to mention, I see that the solution would be to remove the @Order annotation in the context of my project, but I do not have any @Order annotation in my project. Additionally, the projects in this company are created using some pre-defined Maven archetypes that will create a custom folder structure for all the software components as well as the creation of the pom.xml with all the required dependencies (using those dependencies is a must, so I cannot remove any of them, just add). Furthermore, I cannot edit or remove annotations on components that are being used as dependencies of my project.

What other solution would you recommend? Or is there any workaround to fix this problem?

Thanks in advance for your time and help.

Upvotes: 0

Views: 688

Answers (1)

Andy Wilkinson

Reputation: 116251

The default order for a WebSecurityConfigurer adapter is 100 and you appear to have two in your application:

  • com.sampleapp.myapp.ecards.MyApplicationConfiguration
  • com.sampleapp.dep.dsp.core.autoconfigure.DsfCoreAutoConfiguration$DSFServerWebSecurityConfig

You should update one of them to be explicitly annotated with @Order, specifying a value other than 100. Given the limitations you've described, adding @Order to com.sampleapp.myapp.ecards.MyApplicationConfiguration seems to be more likely to be ok. Whether its order should be higher or lower will depend on the relationship between the different parts of your security configuration and, if that configuration overlaps, which one you want to take precedence.

Upvotes: 1
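
The change described in the answer, as an added example that is not code from the answer or from the asker's project. The order value 99, the /ecards/** path and the access rule are assumptions; the example also goes beyond the answer by scoping the filter chain so it does not shadow the dependency's configuration and by sending Content-Security-Policy frame-ancestors alongside the ALLOW-FROM header.

```java
import java.net.URI;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@EnableWebSecurity
@Configuration
@Order(99) // assumed value: anything other than the default 100; lower values are consulted first
public class MyApplicationConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed to hold a full origin such as https://other-unit.example (constructed value)
    @Value("${company.domain}")
    private String companyDomain;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Hypothetical path: restrict this chain to the pages that need the header.
            // Without a matcher it would match every request and, being consulted
            // first, handle all of them in place of DSFServerWebSecurityConfig.
            .antMatcher("/ecards/**")
            // Requests handled here do not receive the other configurer's rules,
            // so access control must be stated again (assumed: authenticated only).
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .headers()
                // Both headers below decide which sites may frame THIS application's
                // responses; they have no effect on pages this application embeds.
                .frameOptions().disable()
                // Header from the question. ALLOW-FROM is obsolete and current
                // Chrome and Firefox ignore it.
                .addHeaderWriter(new XFrameOptionsHeaderWriter(
                    new StaticAllowFromStrategy(URI.create(this.companyDomain))))
                // The directive browsers enforce today for the same purpose.
                .contentSecurityPolicy("frame-ancestors 'self' " + this.companyDomain);
    }
}
```

Checking the response headers of a request under the scoped path and of one outside it shows which chain served each, which confirms the dependency's configuration still applies elsewhere.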
