1515 feat: 修正SpringbootAdmin监控页面在iframe中可以正常显示

2026-05-03 10:47:49 +08:00 · 2026-05-03 10:47:49 +08:00 · 5fe868e096
parent c3125dbc92
commit 5fe868e096
2 changed files with 16 additions and 0 deletions
--- a/yudao-module-infra/yudao-module-infra-server/src/main/java/cn/iocoder/yudao/module/infra/framework/monitor/config/AdminServerConfiguration.java
+++ b/yudao-module-infra/yudao-module-infra-server/src/main/java/cn/iocoder/yudao/module/infra/framework/monitor/config/AdminServerConfiguration.java
@ -8,6 +8,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.password.PasswordEncoder;
@ -39,6 +40,9 @@ public class AdminServerConfiguration {
    @Value("${spring.boot.admin.client.password:admin}")
    private String password;

+    @Value("${spring.boot.admin.frame-ancestors:'self'}")
+    private String frameAncestors;
+
    /**
     * Spring Boot Admin 专用的 InMemoryUserDetailsManager
     * 使用内存存储，与系统用户隔离
@ -99,6 +103,16 @@ public class AdminServerConfiguration {
                                adminSeverContextPath + "/instances", // Admin Client 注册端点忽略 CSRF
                                adminSeverContextPath + "/actuator/**" // Actuator 端点忽略 CSRF
                        )
+                )
+                .headers(headers -> headers
+                        // 特殊：Spring Boot Admin 前端基于 Vue，需 unsafe-inline ／ unsafe-eval 支持内联脚本与表达式
+                        .contentSecurityPolicy(csp -> csp.policyDirectives(
+                                "default-src 'self'; "
+                                        + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
+                                        + "style-src 'self' 'unsafe-inline'; "
+                                        + "frame-ancestors " + frameAncestors))
+                        .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin) // 显式设置 X-Frame-Options 为 SAMEORIGIN
+                        .cacheControl(HeadersConfigurer.CacheControlConfig::disable) // 禁用缓存，避免旧配置生效
                );
        return httpSecurity.build();
    }
--- a/yudao-module-infra/yudao-module-infra-server/src/main/resources/application-local.yaml
+++ b/yudao-module-infra/yudao-module-infra-server/src/main/resources/application-local.yaml
@ -137,6 +137,8 @@ spring:
        password: admin
      # Spring Boot Admin Server 服务端的相关配置
      context-path: /admin # 配置 Spring
+      # 允许嵌入 iframe 的域名（支持通配符），实际部署时，可以改为 "'self' [你的公网域名]"
+      frame-ancestors: "'self' localhost localhost:48082 127.0.0.1 127.0.0.1:48082"

 # 日志文件配置
 logging: