From 0ddd3f8ddf10d752e18acb86944fe1307d0a6001 Mon Sep 17 00:00:00 2001
From: "Lott, Christopher (cl778h)"
Date: Mon, 19 Aug 2019 16:36:45 -0400
Subject: [PATCH] Disable the x-frame-options response header
Spring Security blocks framing by default.
Change-Id: I51a1fa31599a55196675fe505f6c47696af40b6d
Signed-off-by: Lott, Christopher (cl778h)
---
 docs/release-notes.rst | 1 +
 .../org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java | 1 +
 2 files changed, 2 insertions(+)
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 6c89ab9d..65e58967 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -41,6 +41,7 @@ Version 1.2.0, 19 Aug 2019
 * Add custom (plain but not white-label) error page
 * Synch A1 method paths in front-end and back-end
 * Add xapp dynamic configuration feature
+* Disable x-frame-options response header
 Version 1.0.5, 5 July 2019
 --------------------------
diff --git a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
index 4e243564..92ea75e8 100644
--- a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
+++ b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
@@ -78,6 +78,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 logger.debug("configure: portalapi.username {}", userName);
 // A chain of ".and()" always baffles me
 http.authorizeRequests().anyRequest().authenticated();
+ http.headers().frameOptions().disable();
 http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
 http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class);
 }
--
2.16.6
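Review bot: The added `http.headers().frameOptions().disable();` in WebSecurityConfiguration removes the X-Frame-Options header from every response, so the authenticated dashboard pages can be framed by any origin and lose Spring Security's default clickjacking protection. The commit message does not say which page needs to embed the dashboard; if the embedding page is served from the same origin, `http.headers().frameOptions().sameOrigin();` would be enough. If the embedding portal is on another origin, the disable can stay but framing should be limited with `http.headers().contentSecurityPolicy("frame-ancestors 'self' <portal-origin>");` (placeholder origin), together with a comment naming the portal that requires it. The configure method starts above this hunk, so header settings made earlier in it are not visible here.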