Content Security Policy via Spring Security does not work

x0fgdtte  posted on 2021-09-30  in  Java
Follow (0) | Answers (0) | Views (356)

Today I tried to implement a Content Security Policy with Spring Security and Spring Boot. Below is the configuration that is part of the Spring Security setup.

import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;

// Snippet from a WebSecurityConfigurerAdapter subclass (method signature assumed from the
// closing brace in the post). The factory methods called below (sessionAuthenticationStrategy(),
// keycloak*Filter(), authenticationEntryPoint(), keycloakLogoutHandler()) are defined elsewhere
// in that class.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .cors().and()
        .csrf().disable()
        .headers()
        // writes the Content-Security-Policy header, with this exact value, on every response
        .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "script-src none; style-src none;"))
        .and()
        .sessionManagement()
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
        .and()
        // Keycloak adapter filters, placed relative to the standard Spring Security filters
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), LogoutFilter.class)
        .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
        .addFilterAfter(keycloakAuthenticatedActionsRequestFilter(), KeycloakSecurityContextRequestFilter.class)
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .logout()
        .addLogoutHandler(keycloakLogoutHandler())
        .logoutUrl("/sso/logout").permitAll()
        .logoutSuccessUrl("/").and()
        .antMatcher("/**")
        .authorizeRequests()
        // public endpoints; everything else requires an authenticated session
        .antMatchers("/swagger-ui.html").permitAll()
        .antMatchers("/swagger-ui/**").permitAll()
        .antMatchers("/v3/api-docs/**").permitAll()
        .antMatchers("/token").permitAll()
        .antMatchers("/app/**").permitAll()
        .antMatchers("/ignore/**").permitAll()
        .anyRequest().authenticated();
}

With this code, the Content-Security-Policy header is added to the response, as shown below:

HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Credentials: true
Set-Cookie: JSESSIONID=DE7BF66B7B8EE56A863XXXXXXXXXXX; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Security-Policy: script-src none;style-src none;
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 03 Jun 2021 20:46:05 GMT
Keep-Alive: timeout=60
Connection: keep-alive

Although the policy is correctly added to the response, and I have set script-src none; style-src none;, the whole application still loads without any problem and no errors appear.
I even tried the following:

.headers().contentSecurityPolicy("script-src 'none';")
.headers().contentSecurityPolicy("script-src 'self';")

Even after several attempts, the response in the browser shows the Content-Security-Policy header, but it does not work as expected.
Please let me know if I am missing something.
Thanks in advance.
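Two checks a practitioner would run over the captured response before touching the Spring configuration. This is an added example, not code from the poster or from Spring Security. It encodes two facts about how browsers treat this header: keyword sources such as none and self only count as keywords when single-quoted (an unquoted none is parsed as a host-source, i.e. a host literally named "none"), and a CSP header restricts only the document the browser renders from that response, so a policy sent on an application/json body does not govern the separate HTML page that fetched it. The sample header map is constructed from the Content-Security-Policy and Content-Type values in the capture above; everything else (function names, the keyword list) is this example's own.

```python
from typing import Dict, List

# CSP keyword sources: valid only when wrapped in single quotes. Unquoted, the
# same word is parsed by browsers as a host-source (a host literally named
# "none" or "self"), which is almost never what the author meant.
KEYWORD_SOURCES = {
    "none", "self", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
    "strict-dynamic", "report-sample", "wasm-unsafe-eval",
}

# Media types whose response bodies a browser renders as a document; only such
# documents are governed by the CSP header delivered with them.
DOCUMENT_TYPES = {"text/html", "application/xhtml+xml"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(value: str) -> List[str]:
    """Report keyword sources written without quotes and misuse of 'none'."""
    findings: List[str] = []
    for name, sources in parse_csp(value).items():
        for src in sources:
            quoted = len(src) >= 2 and src[0] == "'" and src[-1] == "'"
            bare = src.strip("'").lower()
            if bare in KEYWORD_SOURCES and not quoted:
                findings.append(
                    f"{name}: {src} is read as a host-source; the keyword must be written '{bare}'"
                )
            if bare == "none" and quoted and len(sources) > 1:
                findings.append(f"{name}: 'none' must be the only source expression")
    return findings


def csp_governs_response(headers: Dict[str, str]) -> bool:
    """True if the CSP header on this response applies to what the browser
    renders from it. For a JSON body fetched by a page served from another
    origin, the policy that matters is the one on that page's HTML document."""
    lookup = {k.lower(): v for k, v in headers.items()}
    media_type = lookup.get("content-type", "").split(";")[0].strip().lower()
    return media_type in DOCUMENT_TYPES and "content-security-policy" in lookup


def audit(headers: Dict[str, str]) -> List[str]:
    """Run both checks over a response header map and return all findings."""
    lookup = {k.lower(): v for k, v in headers.items()}
    findings = lint_csp(lookup.get("content-security-policy", ""))
    if not csp_governs_response(headers):
        findings.append(
            "response is not an HTML document; this CSP does not restrict the page that fetched it"
        )
    return findings


# Constructed sample: the CSP and Content-Type values from the capture in the question.
SAMPLE_RESPONSE = {
    "Content-Security-Policy": "script-src none;style-src none;",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSE):
        print(line)
```

Run against the captured response, the audit reports both directives as host-sources and flags that the body is JSON rather than a rendered document; a policy such as "script-src 'none'; style-src 'self'" passes the lint, and the same policy on a text/html response is the one a browser would actually enforce.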

No answers yet.

