I solved it after many attempts with the class below. I am well aware that I still need to tighten several security settings before bringing this to a production environment, so if you have any suggestions that can save me some time, I will gladly welcome them.
Many thanks.
package com.domusvcs.clientes.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
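/**
 * Spring Security configuration whose purpose is to let this application be
 * embedded in an iframe by the [domain].com sites.
 *
 * <p>Known weaknesses, kept deliberately by the author but flagged here so they
 * are not forgotten before production:
 * <ul>
 *   <li>CSRF protection is disabled, so any cookie-authenticated, state-changing
 *       endpoint served by this application could be triggered cross-site.</li>
 *   <li>Every URL is {@code permitAll()}; the trailing
 *       {@code anyRequest().authenticated()} never matches anything.</li>
 *   <li>The CSP allows {@code 'unsafe-inline'} and {@code 'unsafe-eval'} for
 *       scripts and an {@code http://} script/style origin, which removes most of
 *       the XSS protection a CSP is meant to provide.</li>
 * </ul>
 */
@Configuration
//@EnableWebSecurity  // presumably supplied by Spring Boot's security auto-configuration; re-enable if this class is used outside Boot -- confirm.
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Origins allowed to embed this application in a frame. Without this
     * directive -- and with X-Frame-Options disabled below -- any site could
     * frame the application, i.e. there would be no clickjacking protection at all.
     */
    private static final String FRAME_ANCESTORS =
            "frame-ancestors 'self' https://[domain].com https://*.[domain].com;";

    /**
     * The Content-Security-Policy header value sent on every response.
     * Each fragment ends with ';' so the pieces concatenate safely.
     */
    private static final String CONTENT_SECURITY_POLICY =
            // NOTE(review): no 'self' here -- if the app is not itself served from a
            // [domain].com host, its own images/fonts/XHR are blocked by default-src; confirm.
            "default-src https://*.[domain].com:* https://[domain].com:*;"
            + "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://[domain].com:* http://[domain].com:* https://www.[domain].com:*;"
            + "style-src 'self' 'unsafe-inline' https://[domain].com:* http://[domain].com:* https://www.[domain].com:*;"
            // NOTE(review): the second origin duplicates the first; https://*.[domain].com:* was probably intended -- confirm.
            + "frame-src https://[domain].com:* https://[domain].com:*;"
            + FRAME_ANCESTORS;

    /**
     * Configures the HTTP security rules applied to every request.
     *
     * @param http the security builder supplied by Spring
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF is off: acceptable only while no cookie-authenticated,
            // state-changing endpoint is exposed by this application.
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/**").permitAll()
            // Unreachable after "/**".permitAll(); kept so the builder chain is unchanged.
            .anyRequest().authenticated();

        http
            .headers()
            // X-Frame-Options cannot express "these specific third-party origins";
            // framing is governed by the frame-ancestors directive of the CSP instead.
            .frameOptions().disable()
            .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", CONTENT_SECURITY_POLICY));
    }
}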
Beware of the many commented out lines.
Regards,
Carlos.