Question

我的安全上下文如下：

<http entry-point-ref="serviceEntryPoint" pattern="/service/.*" use-expressions="true" request-matcher="regex" create-session="never">        
    <intercept-url pattern="/service/.*" access="hasAnyRole('ROLE_SUPER','ROLE_ADMIN')" />
    <custom-filter position="TEST" ref="myCustomFilter" />
    <csrf disabled="true"/>
</http>

<http auto-config="true" use-expressions="true">
    <headers>
        <frame-options policy="SAMEORIGIN"/>
        <content-security-policy>frame-ancestors 'self'</content-security-policy>
    </headers>
    <intercept-url pattern="/forgot.ajax" access="permitAll" />
        ........
        ........
    <csrf/>
</http>

我已将content-security-policy标记添加到其中一个http部分。我是否还需要为服务层添加content-security-policy？

Spring安全内容 - Web服务的安全策略

0 个答案: