diff --git a/ruoyi-admin/src/main/java/com/ruoyi/RuoYiApplication.java b/ruoyi-admin/src/main/java/com/ruoyi/RuoYiApplication.java
index e3c56ee54..bc3e17efb 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/RuoYiApplication.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/RuoYiApplication.java
@@ -3,12 +3,14 @@ package com.ruoyi;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
+import org.springframework.boot.web.servlet.ServletComponentScan;
 /**
 * 启动程序
 *
 * @author ruoyi
 */
+@ServletComponentScan("com.ruoyi.web")
 @SpringBootApplication(exclude = { DataSourceAutoConfiguration.class })
 public class RuoYiApplication
 {
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java
index f148b4c62..7d402571d 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java
@@ -254,7 +254,6 @@ public class CommonController {
 @ApiOperation("获取html内容")
 @GetMapping("/html/content/{title}")
 public String getHtmlContent(@PathVariable("title") String title, HttpServletResponse response) {
- response.setHeader("X-Frame-Options", "ALLOWALL");
 response.setHeader("Content-Security-Policy", "frame-ancestors *");
 return htmlService.getHtmlContent(title);
 }
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/filter/HtmlFilter.java b/ruoyi-admin/src/main/java/com/ruoyi/web/filter/HtmlFilter.java
new file mode 100644
index 000000000..1441aceec
--- /dev/null
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/filter/HtmlFilter.java
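Review bot: The `@ServletComponentScan("com.ruoyi.web")` added to RuoYiApplication has nothing to register: the only candidate in this commit, HtmlFilter (the new file in the next section), has its `@WebFilter` line commented out and carries no `@Component`, so the filter is never installed, and its `doFilter` only forwards to `chain.doFilter`. The framing header for the HTML endpoint is actually written in SecurityConfig, so the scan annotation and HtmlFilter read as leftovers and could be dropped until a filter really needs them. If HtmlFilter is meant to stay as a placeholder, say so in its class comment, for example `Placeholder, not registered: header handling for /rest/v1/common/html/content/ lives in SecurityConfig`, and remove the unused `WebFilter` import and the valueless `@Order()`.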
@@ -0,0 +1,21 @@
+package com.ruoyi.web.filter;
+
+import org.springframework.core.annotation.Order;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import java.io.IOException;
+
+/**
+ * @author liangyq
+ * @date 2025-11-11
+ */
+//@WebFilter(urlPatterns = "/rest/v1/common/html/content/*")
+@Order()
+public class HtmlFilter implements Filter {
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ chain.doFilter(request, response);
+ }
+}
\ No newline at end of file
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
index d29138c87..eb6221a32 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
@@ -1,5 +1,6 @@
 package com.ruoyi.framework.config;
+import cn.hutool.core.util.StrUtil;
 import com.ruoyi.framework.config.properties.PermitAllUrlProperties;
 import com.ruoyi.framework.security.filter.JwtAuthenticationTokenFilter;
 import com.ruoyi.framework.security.handle.AuthenticationEntryPointImpl;
@@ -101,7 +102,13 @@ public class SecurityConfig
 .csrf(csrf -> csrf.disable())
 // 禁用HTTP响应标头
 .headers((headersCustomizer) -> {
- headersCustomizer.cacheControl(cache -> cache.disable()).frameOptions(options -> options.sameOrigin());
+ headersCustomizer.cacheControl(cache -> cache.disable()).frameOptions(options -> options.sameOrigin())
+ .addHeaderWriter((request, response) -> {
+ // html接口响应头特殊处理
+ if (StrUtil.startWith(request.getRequestURI(),"/rest/v1/common/html/content/")){
+ response.setHeader("X-Frame-Options","ALLOWALL");
+ }
+ });
 })
 // 认证失败处理类
 .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler))
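Review bot: `ALLOWALL` is not a defined X-Frame-Options value (only `DENY` and `SAMEORIGIN` are), so the header writer added in the second SecurityConfig hunk lifts the framing restriction for this path only because browsers discard a value they do not recognise; not sending the header for that path states the intent directly. The prefix test on `request.getRequestURI()` is also fragile, since that string includes any servlet context path and is not the path Spring routes on, whereas a request matcher keeps the exception tied to the endpoint. With X-Frame-Options out of the way, the `frame-ancestors *` that CommonController still sends is the only framing policy on `/html/content/{title}` and it admits every origin, so if the embedding sites are known it should list them instead of `*`. The builder chain starts and ends outside the hunk; a sketch of the headers block follows.

```java
.headers((headersCustomizer) -> {
    // … unchanged: cacheControl(cache -> cache.disable()) …
    RequestMatcher embeddableHtml = new AntPathRequestMatcher("/rest/v1/common/html/content/**");
    headersCustomizer.cacheControl(cache -> cache.disable())
            // drop the global writer and re-add SAMEORIGIN for everything except the embeddable endpoint
            .frameOptions(options -> options.disable())
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                    new NegatedRequestMatcher(embeddableHtml),
                    new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN)));
})
```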