diff --git a/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
index 81c0899bd2..4895cba071 100644
--- a/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
@@ -208,7 +208,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
 				}
 				String fromParameter = getAttribute(frameElt, ATT_FROM_PARAMETER, "from");
 				allowFromStrategy.addPropertyValue("allowFromParameterName", fromParameter);
-				builder.addConstructorArgValue(allowFromStrategy);
+				builder.addConstructorArgValue(allowFromStrategy.getBeanDefinition());
 			}
 		} else {
 			parserContext.getReaderContext().error("One of 'strategy' and 'strategy-ref' must be set.",
diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
index f118ed3883..137f5ac4df 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
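Review bot: The corrected line deserves a comment explaining why `getBeanDefinition()` is required, because `addConstructorArgValue` only nests a `BeanDefinition` as an inner bean while a `BeanDefinitionBuilder` is passed through as an opaque value, which is presumably what left the XML-configured strategy unusable before this fix; something like `// pass the definition, not the builder, so the strategy is created as an inner bean` on the `+` line would stop the mistake being reintroduced. The branches that populate `allowFromStrategy` for each `strategy` value sit above this hunk and are not visible here, so it is worth checking that none of them hands the builder to another `addConstructorArgValue`/`addPropertyValue` call in the same way. Note also that the value named by `fromParameter` (default `from`) is request-supplied, attacker-controlled input that the strategy turns into an `X-Frame-Options` value, and that `ALLOW-FROM` is not honoured by every browser, so the element's documentation should say that the strategy must fall back to a deny value on a non-matching parameter and that clickjacking protection on browsers ignoring `ALLOW-FROM` needs a CSP `frame-ancestors` directive instead. The enclosing parse method starts and ends outside this hunk.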
@@ -172,6 +172,26 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
 		assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
 	}
 
+	def 'http headers frame-options ALLOW-FROM with whitelist strategy'() {
+		when:
+		httpAutoConfig {
+			'headers'() {
+				'frame-options'(policy : 'ALLOW-FROM', strategy: 'whitelist', value : 'https://example.com')
+			}
+		}
+		createAppContext()
+
+		def hf = getFilter(HeaderWriterFilter)
+		MockHttpServletResponse response = new MockHttpServletResponse()
+
+		def request = new MockHttpServletRequest()
+		request.setParameter("from", "https://example.com");
+		hf.doFilter(request, response, new MockFilterChain())
+
+		then:
+		assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
+	}
+
 	def 'http headers header a=b'() {
 		when:
 		httpAutoConfig {
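Review bot: The new test only covers the accepting path of the whitelist strategy, where the `from` parameter equals the single whitelisted origin, so a regression that echoed any request-supplied `from` value into `X-Frame-Options` would still pass; the security property of a whitelist is the rejection, and it is untested here. Add a second filter pass in the same test or a sibling one with a non-whitelisted and a missing parameter, e.g. `request.setParameter("from", "https://attacker.example")`, `hf.doFilter(request, new MockHttpServletResponse(), new MockFilterChain())` and an `assertHeaders` expecting the strategy's deny value rather than `ALLOW-FROM https://attacker.example` (the exact fallback value comes from the strategy implementation, which is not shown here, so confirm it before pinning it). A minor style point: `request.setParameter("from", "https://example.com");` carries a trailing semicolon that the surrounding Groovy lines omit.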