我使用以下配置代码使用 Spring Security 进行自动化测试:
@TestConfiguration
public static class SecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http)
throws Exception {
http.headers().xssProtection().and()
.contentSecurityPolicy("default-src 'self'");
return http.build();
}
}
最近,我收到了几个警告,因为这些方法被标记为已弃用:
The method xssProtection() from the type HeadersConfigurer<HttpSecurity> has been deprecated since version 6.1 and marked for removal
The method headers() from the type HttpSecurity has been deprecated since version 6.1 and marked for removal
The method contentSecurityPolicy(String) from the type HeadersConfigurer<HttpSecurity> has been deprecated since version 6.1 and marked for removal
The method and() from the type HeadersConfigurer<HttpSecurity>.XXssConfig has been deprecated since version 6.1 and marked for removal
有人知道如何使用新的配置器/定制器 API 进行相同的配置吗?
类似...
public SecurityFilterChain filterChain(HttpSecurity http) {
http.headers(headers ->
headers.xssProtection(
xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)
).contentSecurityPolicy(
cps -> cps.policyDirectives("script-src 'self' .....")
));
return http.build();
}
参考:文档利用标头
XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK -
XXssProtectionHeaderWriter 类在 Spring Boot 3.1.2 中已被弃用,那么如何使用它?