使用SpringSecurity4引起的问题:Refused to display 'http://localhost:8080/xx in a frame because it set 'X-Fr

再将Spring Security3升级到Spring Security4后发现访问网页子窗口的时候在火狐的firebug中发现一个问题:

Refused to display 'http://localhost:8080/xxx' in a frame because it set 'X-Frame-Options' to 'DENY'.

网上查询说是跨域问题;

 

问题就简单化了,

Spring Security4默认是将'X-Frame-Options' 设置为 'DENY'

因此从新配置下SpringSecurity,

在<http>标签内添加配置:

<headers>
            <frame-options policy="SAMEORIGIN" />
</headers>

再次访问网站就不会出现这个问题了;

下面是一些其余配置:

 

• DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
• ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

参考：http://blog.csdn.net/wenj91/article/details/50837457