From cc04d73fba4b898f55d9c5cecc7fbf730de9284d Mon Sep 17 00:00:00 2001
From: hengyunabc
Date: Wed, 11 Aug 2021 19:11:57 +0800
Subject: [PATCH] disable iframe deny header by default. #1873
---
 .../WebSecurityConfig.java} | 21 ++++++++++++++++---
 .../app/configuration/ArthasProperties.java | 10 +++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
 rename tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/{endpoint/ActuatorSecurity.java => app/WebSecurityConfig.java} (50%)
diff --git a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/endpoint/ActuatorSecurity.java b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java
similarity index 50%
rename from tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/endpoint/ActuatorSecurity.java
rename to tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java
index f35b5f85798..efa3cf14557 100644
--- a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/endpoint/ActuatorSecurity.java
+++ b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/WebSecurityConfig.java
@@ -1,15 +1,30 @@
-package com.alibaba.arthas.tunnel.server.endpoint;
+package com.alibaba.arthas.tunnel.server.app;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import com.alibaba.arthas.tunnel.server.app.configuration.ArthasProperties;
+
+/**
+ *
+ * @author hengyunabc 2021-08-11
+ *
+ */
 @Configuration
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Autowired
+    ArthasProperties arthasProperties;
     @Override
     protected void configure(HttpSecurity httpSecurity) throws Exception {
         httpSecurity.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated().anyRequest()
-                .permitAll().and().formLogin();
+                .permitAll().and().formLogin();
+        // allow iframe
+        if (arthasProperties.isEnableIframeSupport()) {
+            httpSecurity.headers().frameOptions().disable();
+        }
     }
 }
\ No newline at end of file
diff --git a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/configuration/ArthasProperties.java b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/configuration/ArthasProperties.java
index 0eb95c24d26..ce1aafbbb62 100644
--- a/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/configuration/ArthasProperties.java
+++ b/tunnel-server/src/main/java/com/alibaba/arthas/tunnel/server/app/configuration/ArthasProperties.java
@@ -27,6 +27,8 @@ public class ArthasProperties {
      */
     private boolean enableDetailPages = false;
+    private boolean enableIframeSupport = true;
+
     public Server getServer() {
         return server;
     }
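Review bot: `httpSecurity.headers().frameOptions().disable()` removes the X-Frame-Options header entirely, and because `enableIframeSupport` defaults to `true` in ArthasProperties (the second hunk) every tunnel-server deployment now serves its pages, including the form-login page, with no anti-framing protection unless the operator knows to opt out. If the goal is embedding the console in another page, `httpSecurity.headers().frameOptions().sameOrigin()` covers the same-origin case, and for a foreign parent it is safer to keep frame-options disabled but add `httpSecurity.headers().contentSecurityPolicy("frame-ancestors 'self' <ALLOWED_ORIGIN_PLACEHOLDER>")` so only the intended origin can frame the UI. At minimum the `// allow iframe` comment should name the trade-off, e.g. `// allow embedding in an iframe: drops X-Frame-Options, so the UI can be framed by any origin unless restricted elsewhere`. The `@Autowired` field could also be constructor injection so `arthasProperties` is final and the configuration can be instantiated without a Spring context.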
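Review bot: The new `enableIframeSupport` field carries no doc comment, unlike `enableDetailPages` directly above it (its closing `*/` is the hunk's first context line), so a reader of the properties class cannot tell what the flag controls or that its `true` default drops the X-Frame-Options DENY header that the previous configuration kept. Suggest a Javadoc on the field such as `/** Allow the web UI to be embedded in an iframe by not sending X-Frame-Options. Defaults to true; set to false to restore the DENY header. */`. Given the sibling `enableDetailPages` defaults to the conservative `false`, it is worth stating in that comment why this flag defaults the other way. The accessor pair in the third hunk needs no change.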
@@ -51,6 +53,14 @@ public void setEnableDetailPages(boolean enableDetailPages) {
         this.enableDetailPages = enableDetailPages;
     }
+    public boolean isEnableIframeSupport() {
+        return enableIframeSupport;
+    }
+
+    public void setEnableIframeSupport(boolean enableIframeSupport) {
+        this.enableIframeSupport = enableIframeSupport;
+    }
+
     public static class Server {
         /**
          * tunnel server listen host