Enabling xframe options in spring security 3 xml configuration

I have added the headers tag under http tag for xframe-options in spring security as follows :

<http auto-config="true"  use-expressions="true">
            <intercept-url pattern="/rateWebService" access="hasRole('ROLE_ADMIN')" />
            <intercept-url pattern="/**" access="permitAll" />
            <form-login login-page="/loginA2B" login-processing-url="/j_spring_security_check"  default-target-url="/rateWebService" authentication-failure-url="/loginA2B?valid=false" />
            <logout logout-url="/j_spring_security_logout" logout-success-url="/logout"  />
    <headers>
            <frame-options policy="SAMEORIGIN"/>
    </headers>
  </http>

An exception is thrown for the same denoting that spring security schema doesn’t recognize the headers tag. I am using spring security 3(with all the necessary schema locations in xml I believe given headers are a child tag of http). Am I doing something wrong or doesn spring security 3 not support setting headers. Below is the stack trace :

org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 86 in XML document from ServletContext resource [/WEB-INF/security.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 86; columnNumber: 12; cvc-complex-type.2.4.a: Invalid content was found starting with element 'headers'. One of '{"http://www.springframework.org/schema/security":intercept-url, "http://www.springframework.org/schema/security":access-denied-handler, "http://www.springframework.org/schema/security":form-login, "http://www.springframework.org/schema/security":openid-login, "http://www.springframework.org/schema/security":x509, "http://www.springframework.org/schema/security":http-basic, "http://www.springframework.org/schema/security":logout, "http://www.springframework.org/schema/security":session-management, "http://www.springframework.org/schema/security":remember-me, "http://www.springframework.org/schema/security":anonymous, "http://www.springframework.org/schema/security":port-mappings, "http://www.springframework.org/schema/security":custom-filter, "http://www.springframework.org/schema/security":request-cache}' is expected.
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)
    at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:180)
    at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)
    at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:94)
    at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:131)
    at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:522)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:436)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:384)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:283)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
    at org.apache.catalina.core.StandardService.start(StandardService.java:525)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: org.xml.sax.SAXParseException; lineNumber: 86; columnNumber: 12; cvc-complex-type.2.4.a: Invalid content was found starting with element 'headers'. One of '{"http://www.springframework.org/schema/security":intercept-url, "http://www.springframework.org/schema/security":access-denied-handler, "http://www.springframework.org/schema/security":form-login, "http://www.springframework.org/schema/security":openid-login, "http://www.springframework.org/schema/security":x509, "http://www.springframework.org/schema/security":http-basic, "http://www.springframework.org/schema/security":logout, "http://www.springframework.org/schema/security":session-management, "http://www.springframework.org/schema/security":remember-me, "http://www.springframework.org/schema/security":anonymous, "http://www.springframework.org/schema/security":port-mappings, "http://www.springframework.org/schema/security":custom-filter, "http://www.springframework.org/schema/security":request-cache}' is expected.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
    at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.springframework.beans.factory.xml.DefaultDocumentLoader.loadDocument(DefaultDocumentLoader.java:75)
    at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:388)
    ... 28 more

Answer

The headers support was added in Spring Security 3.2, you state you are using 3.1 which doesn’t contain the header support.

WARNING: Spring Security 3.2 has not been updated for quite a while and has been superseded by many versions already. It is also not supported anymore, so I would strongly suggest to upgrade to the 5.x range (which is supported).