I want to get rid of header-related vulnerability warnings (Missing X-Frame Header, Missing Content Type Header).
I went through the Spring doc and made the required changes, but I'm still getting those warnings (I'm using the OWASP ZAP security tool to validate vulnerability warnings).
Security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http create-session="never" entry-point-ref="http403EntryPoint">
        <security:headers>
            <security:content-type-options/>
            <security:frame-options/>
        </security:headers>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="_" password="_" authorities="_" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
    </bean>
</beans>
I've added the required dependencies in the pom file.
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.1.0.RELEASE</version>
</dependency>
I was missing the required servlet filter in the web.xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
This filter invokes a Spring bean (springSecurityFilterChain) which is an internal infrastructure bean created by the namespace to handle web security.
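A quick way to confirm the fix without re-running a full ZAP scan is to capture one raw HTTP response and check the two headers the warnings refer to. The script below is an added example, not code from the question or from Spring Security; the two sample responses are constructed to show what the app returns before the filter mapping exists (no headers written) and after it, with the defaults that <security:headers> applies (X-Frame-Options: DENY, X-Content-Type-Options: nosniff). The accepted values are an assumption mirroring only these two warnings, not ZAP's full rule set.

```python
from typing import Dict, List, Tuple

# Assumption: the values accepted here correspond to the two ZAP warnings in
# the question (frame options and content type options), nothing more.
EXPECTED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lowercased header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return status, headers


def check_security_headers(raw: bytes) -> List[str]:
    """Return findings for missing or unexpected headers; an empty list means the fix is in place."""
    _status, headers = parse_response(raw)
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower() not in allowed:
            findings.append(f"unexpected {name} value: {value!r}")
    return findings


# Constructed sample: response before the DelegatingFilterProxy mapping was added to
# web.xml, so the springSecurityFilterChain never ran and no headers were written.
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html;charset=UTF-8\r\n"
          b"Content-Length: 0\r\n\r\n")
# Constructed sample: response after the filter mapping, with Spring Security's defaults.
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"X-Content-Type-Options: nosniff\r\n"
         b"X-Frame-Options: DENY\r\n"
         b"Content-Type: text/html;charset=UTF-8\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_security_headers(raw) or "ok")
```

Feed it a response captured with curl -i (or ZAP's request/response view) against the deployed app; any finding means the filter chain is still not being applied to that URL.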