Spring Security：Refused to display 'http://**' in a frame because it set 'X-Frame-Options' to 'deny'

在整合Spring Security时，页面的iframe出现这个错误：

Refused to display 'http://**' in a frame because it set 'X-Frame-Options' to 'deny'

解决：

在继承WebSecurityConfigurerAdapter的子类的覆盖方法configure(HttpSecurity)里面添加：

http.headers().frameOptions().sameOrigin()

frameOptions()会返回一个HeadersConfigurer对象，看它的类注释：

 * <p>

 * Adds the Security HTTP headers to the response. Security HTTP headers is activated by

 * default when using {@link WebSecurityConfigurerAdapter}'s default constructor.

 * </p>

 *

 * <p>

 * The default headers include are:

 * </p>

 *

 * <pre>

 * Cache-Control: no-cache, no-store, max-age=0, must-revalidate

 * Pragma: no-cache

 * Expires: 0

 * X-Content-Type-Options: nosniff

 * Strict-Transport-Security: max-age=31536000 ; includeSubDomains

 * X-Frame-Options: DENY

 * X-XSS-Protection: 1; mode=block

 * </pre>

从中可以得知默认的iframe加载是DENY，导致了页面上出现错误。

sameOrigin()的注释是这样子的：

/**

* <p>

* Specify to allow any request that comes from the same origin to frame this

* application. For example, if the application was hosted on example.com, then

* example.com could frame the application, but evil.com could not frame the

* application.

* </p>

*

* @return

*/

从注释中我们知道sameOrigin()方法表示允许同源请求加载iframe。

也可以添加以下内容来实现：

http.headers().frameOptions().disable()

注释：

              /**
* Prevents the header from being added to the response.
*
* @return the {@link HeadersConfigurer} for additional configuration.
*/

这样就相当于把默认要添加到响应头信息中的内容全阻止、禁用掉了。