How to give request matcher in Spring Security for x frame options?

忘了有多久 2021-01-23 16:38

I have enabled Spring Security headers.

My code is like this:


               


        
1 answer
  • 2021-01-23 17:02

    You can use a DelegatingRequestMatcherHeaderWriter, see Spring Security Reference:

    20.2.3 DelegatingRequestMatcherHeaderWriter

    At times you may want to only write a header for certain requests. For example, perhaps you want to only protect your log in page from being framed. You could use the DelegatingRequestMatcherHeaderWriter to do so. When using the XML namespace configuration, this can be done with the following:

    <http>
      <!-- ... -->
    
      <headers>
          <frame-options disabled="true"/>
          <header ref="headerWriter"/>
      </headers>
    </http>
    
    <beans:bean id="headerWriter"
    class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
      <beans:constructor-arg>
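          <!-- c:pattern requires xmlns:c="http://www.springframework.org/schema/c" on the root element -->
          <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
            c:pattern="/login"/>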
      </beans:constructor-arg>
      <beans:constructor-arg>
          <beans:bean
            class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
      </beans:constructor-arg>
    </beans:bean>
    

    To use DENY and SAMEORIGIN for different URLs you have to add two header elements with two different DelegatingRequestMatcherHeaderWriter.

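The two-writer setup the answer describes, as an added example that is not part of the original answer or the Spring reference: SAMEORIGIN for one path and DENY for everything else. It assumes the same namespace layout as the snippet above (security namespace as default, `beans:` prefix for Spring beans); the path `/embed/**` and the bean ids are hypothetical.

```xml
<http>
  <!-- ... -->
  <headers>
    <!-- Disable the default writer so only the two scoped writers emit X-Frame-Options -->
    <frame-options disabled="true"/>
    <header ref="sameOriginFrameWriter"/>
    <header ref="denyFrameWriter"/>
  </headers>
</http>

<!-- Shared matcher for the area that same-origin pages may frame (hypothetical path) -->
<beans:bean id="embedMatcher"
    class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
  <beans:constructor-arg value="/embed/**"/>
</beans:bean>

<!-- X-Frame-Options: SAMEORIGIN, written only for /embed/** -->
<beans:bean id="sameOriginFrameWriter"
    class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
  <beans:constructor-arg ref="embedMatcher"/>
  <beans:constructor-arg>
    <beans:bean
        class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter">
      <!-- Spring converts the string to the XFrameOptionsMode enum -->
      <beans:constructor-arg value="SAMEORIGIN"/>
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<!-- X-Frame-Options: DENY for every request the matcher above does NOT cover.
     Negating the same matcher keeps the two writers mutually exclusive, so no
     response can receive both values and unlisted paths fall back to DENY. -->
<beans:bean id="denyFrameWriter"
    class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
      <beans:constructor-arg ref="embedMatcher"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <!-- The no-argument constructor uses DENY -->
    <beans:bean
        class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
  </beans:constructor-arg>
</beans:bean>
```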