再将Spring Security3升级到Spring Security4后发现访问网页子窗口的时候在火狐的firebug中发现一个问题:

Refused to display 'http://localhost:8080/xxx' in a frame because it set 'X-Frame-Options' to 'DENY'.

网上查询说是跨域问题;

问题就简单化了,

Spring Security4默认是将'X-Frame-Options' 设置为 'DENY'

所以重新配置下SpringSecurity,

在<http>标签内添加配置:

<headers>
            <frame-options policy="SAMEORIGIN" />
</headers>

再次访问网站就不会出现这个问题了;

下面是一些其他配置:

• DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
• ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

需要更加详细的信息可以参考:http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/appendix-namespace.html#nsa-frame-options