Update Spring configuration files

Removed Properties

The following legacy properties were removed due to the shift away from X-Frame-Options strategies:

• http.spring.headers.frameOptions
• http.spring.headers.frameOptions.policy
• http.spring.headers.frameOptions.allowFrom.strategy
• http.spring.headers.frameOptions.allowFrom.strategy.value
• http.spring.headers.frameOptions.allowFrom.strategy.fromParameter

These properties relied on outdated mechanisms such as ALLOW-FROM, which modern browsers no longer support and Spring Security has deprecated.

Added Property

Replace the removed properties with the new property:

• http.spring.headers.frameAncestors

This property defines allowed origins for embedding Progress Application Server (PAS) for OpenEdge in an <iframe> using the Content-Security-Policy: frame-ancestors directive.

Examples:

• self—Allows framing only from the same origin.
• none—Disallows all framing (recommended for production).
• https://trusted.example.com—Allows framing from a specific domain.

These changes are reflected in both:

• catalina_base/conf/oeablSecurity.properties
• catalina_base/conf/oeablSecurity.properties.README

XML File Changes

If you customized XML files in earlier releases, reapply your changes to the updated XML files.

• enableOAuth2ResourceServer.xml
• enableSamlSecurity.xml
• authFilters.xml
• sharedAuthFilters.xml

The security-context-explicit-save attribute was removed from <http> bean definitions. Spring Security now handles context saving automatically.

• In authFilters.xml and sharedAuthFilters.xml, the OEHeaderWriterFilter bean was updated:
  • Added property: frameAncestors—This property reads its value from the new http.spring.headers.frameAncestors setting in the .properties file.