Disable the x-frame-options response header

Spring Security blocks framing by default.

Change-Id: I51a1fa31599a55196675fe505f6c47696af40b6d
Signed-off-by: Lott, Christopher (cl778h) <cl778h@att.com>

diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 6c89ab9..65e5896 100644 (file)
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -41,6 +41,7 @@ Version 1.2.0, 19 Aug 2019
 * Add custom (plain but not white-label) error page
 * Synch A1 method paths in front-end and back-end
 * Add xapp dynamic configuration feature
+* Disable x-frame-options response header
 
 Version 1.0.5, 5 July 2019
 --------------------------

diff --git a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
index 4e24356..92ea75e 100644 (file)
--- a/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
+++ b/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/config/WebSecurityConfiguration.java
@@ -78,6 +78,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
                logger.debug("configure: portalapi.username {}", userName);
                // A chain of ".and()" always baffles me
                http.authorizeRequests().anyRequest().authenticated();
+               http.headers().frameOptions().disable();
                http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
                http.addFilterBefore(portalAuthenticationFilterBean(), BasicAuthenticationFilter.class);
        }