
SEC-2656: Fix <frame-options> with whitelist strategy

Mirko Zeibig 11 years ago
parent
commit
75df42cb7c

+ 1 - 1
config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java

@@ -208,7 +208,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
                         }
                         String fromParameter = getAttribute(frameElt, ATT_FROM_PARAMETER, "from");
                         allowFromStrategy.addPropertyValue("allowFromParameterName", fromParameter);
-                        builder.addConstructorArgValue(allowFromStrategy);
+                        builder.addConstructorArgValue(allowFromStrategy.getBeanDefinition());
                     }
                 } else {
                     parserContext.getReaderContext().error("One of 'strategy' and 'strategy-ref' must be set.",
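Review bot: The corrected line at `builder.addConstructorArgValue(allowFromStrategy.getBeanDefinition());` carries no hint of why the builder itself must not be passed, so the same slip is easy to reintroduce; a one-line comment would pin it, e.g. `// pass the BeanDefinition, not the builder: the container only resolves nested definitions as inner beans`. The reason appears to be that a BeanDefinitionBuilder given as a constructor-arg value is not resolved into an instance of the strategy — I infer this from the fix rather than from lines in the hunk, so confirm the wording. If the sibling strategy branches of this parser (e.g. a regex-based allow-from strategy) build their strategy the same way, they presumably need the same `getBeanDefinition()` call; they are outside the hunk. The enclosing parse method starts and ends outside the hunk.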

+ 20 - 0
config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -172,6 +172,26 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
     }
 
+    def 'http headers frame-options ALLOW-FROM with whitelist strategy'() {
+        when:
+        httpAutoConfig {
+            'headers'() {
+                'frame-options'(policy : 'ALLOW-FROM', strategy: 'whitelist', value : 'https://example.com')
+            }
+        }
+        createAppContext()
+
+        def hf = getFilter(HeaderWriterFilter)
+        MockHttpServletResponse response = new MockHttpServletResponse()
+
+        def request = new MockHttpServletRequest()
+        request.setParameter("from", "https://example.com");
+        hf.doFilter(request, response, new MockFilterChain())
+
+        then:
+        assertHeaders(response, ['X-Frame-Options':'ALLOW-FROM https://example.com'])
+    }
+
     def 'http headers header a=b'() {
         when:
         httpAutoConfig {
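Review bot: The new test at `'http headers frame-options ALLOW-FROM with whitelist strategy'` only sends a `from` parameter equal to the single whitelisted origin, so it would also pass if the strategy echoed the parameter back unchecked; it does not show that the whitelist filters anything. A companion case with a non-whitelisted value in the `from` parameter, asserting the response does not carry `ALLOW-FROM` for that value, would prove the filtering the configuration is meant to provide. I expect the fallback value to be `DENY` (the non-whitelisted branch of the whitelist strategy is not visible here, so confirm before asserting it). The stray `;` on `request.setParameter("from", "https://example.com");` is inconsistent with the rest of the Groovy file and can be dropped.

```groovy
    // constructed sample: the value set on 'from' is deliberately NOT the whitelisted origin
    def 'http headers frame-options ALLOW-FROM with whitelist strategy rejects non-whitelisted origin'() {
        when:
        // … unchanged: same httpAutoConfig / createAppContext / getFilter setup as the positive case …
        def request = new MockHttpServletRequest()
        request.setParameter("from", "https://not-whitelisted.example")
        hf.doFilter(request, response, new MockFilterChain())

        then:
        response.getHeader('X-Frame-Options') != 'ALLOW-FROM https://not-whitelisted.example'
        // TODO confirm: the whitelist strategy's fallback value is expected to be 'DENY'
    }
```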