✨ 添加禁用iframe配置

ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/CustomResourceServerConfigurer.java

@@ -47,18 +47,23 @@ public class CustomResourceServerConfigurer extends ResourceServerConfigurerAdap
 	public void configure(HttpSecurity httpSecurity) throws Exception {
 		// @formatter:off
 		httpSecurity
-			// 拦截 url 配置
-			.authorizeRequests()
-			.antMatchers(ArrayUtil.toArray(permitAllUrlProperties.getIgnoreUrls(), String.class))
-			.permitAll()
-			.anyRequest().authenticated()
+				// 拦截 url 配置
+				.authorizeRequests()
+				.antMatchers(ArrayUtil.toArray(permitAllUrlProperties.getIgnoreUrls(), String.class))
+				.permitAll()
+				.anyRequest().authenticated()
 
-			// 使用token鉴权时 关闭 session 缓存
-			.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+				// 使用token鉴权时 关闭 session 缓存
+				.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 
-			// 关闭 csrf 跨站攻击防护
-			.and().csrf().disable();
+				// 关闭 csrf 跨站攻击防护
+				.and().csrf().disable();
 		// @formatter:on
+
+		// 允许嵌入iframe
+		if (!permitAllUrlProperties.isIframeDeny()) {
+			httpSecurity.headers().frameOptions().disable();
+		}
 	}
 
 }

ballcat-admin/ballcat-admin-core/src/main/java/com/hccake/ballcat/admin/oauth/config/PermitAllUrlProperties.java

@@ -15,12 +15,17 @@ import java.util.List;
  * @date 2020/2/18 10:55 资源服务器忽略鉴权的url地址
  */
 @Slf4j
+@Getter
+@Setter
 @Configuration
 @ConfigurationProperties(prefix = "security.oauth2")
 public class PermitAllUrlProperties {
 
-	@Getter
-	@Setter
 	private List<String> ignoreUrls = new ArrayList<>();
 
+	/**
+	 * 是否禁止嵌入iframe
+	 */
+	private boolean iframeDeny = true;
+
 }