user1241438

Reputation: 1543

Tomcat X-Frame-Options or antiClickJackingEnabled

I am looking for an answer strictly for the Tomcat web server. I need to call a different domain using an iframe, and it is giving the following error in Internet Explorer:

This content cannot be displayed in a frame To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.

I know this is a cross-domain issue and I am trying to enable it in the Tomcat web server. I have searched the internet for a day and I don't see a clear answer on how to configure either X-Frame-Options or antiClickJackingEnabled.

I used the following option in web.xml, but it did not work:

<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>ALLOW-FROM</param-value>
        </init-param>
</filter>
<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
                <param-name>antiClickJackingUri</param-name>
                <param-value>[https://subdomain1.example.com][https://subdomain2.example.com][https://subdomain3.example.com]</param-value>
        </init-param>
</filter>

Please help!!!

Upvotes: 1

Views: 22867

Answers (2)

ogarzonm

Reputation: 546

You can't create two filters. Join the structure.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>[https://subdomain1.example.com][https://subdomain2.example.com][https://subdomain3.example.com]</param-value>
    </init-param>
</filter>

Upvotes: 3

StCicatriz

Reputation: 43

Did you enable the filter?

<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Upvotes: 2
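
A small check for the two mistakes the answers above point out (the filter declared twice, and no filter-mapping for it), as an added example that is not part of either answer or of Tomcat itself. The function name `check_web_xml`, the finding labels and the rule that `antiClickJackingUri` holds a single URI are assumptions of this example, and the sample web.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

HEADER_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Assumption: antiClickJackingUri is one absolute http(s) URI (no IPv6 hosts).
ONE_URI = re.compile(r"https?://[^\s\[\]]+")

def _kids(elem, name):
    # Match on the local tag name so namespaced web.xml files work too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def check_web_xml(xml_text):
    """Return sorted findings for the header security filter in a web.xml."""
    root = ET.fromstring(xml_text)
    filters = _kids(root, "filter")
    mapped = {_text(m, "filter-name") for m in _kids(root, "filter-mapping")}
    counts = Counter(_text(f, "filter-name") for f in filters)
    findings = {f"duplicate-filter:{n}" for n, c in counts.items() if c > 1}
    for f in filters:
        if _text(f, "filter-class") != HEADER_FILTER:
            continue
        name = _text(f, "filter-name")
        if name not in mapped:
            findings.add(f"no-filter-mapping:{name}")
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _kids(f, "init-param")}
        option = params.get("antiClickJackingOption", "").upper()
        uri = params.get("antiClickJackingUri", "")
        if option == "ALLOW-FROM" and not ONE_URI.fullmatch(uri):
            findings.add(f"bad-allow-from-uri:{name}")
    return sorted(findings)

# Constructed sample: one merged filter, mapped, with a single origin.
SAMPLE = f"""<web-app><filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>{HEADER_FILTER}</filter-class>
  <init-param><param-name>antiClickJackingOption</param-name>
    <param-value>ALLOW-FROM</param-value></init-param>
  <init-param><param-name>antiClickJackingUri</param-name>
    <param-value>https://subdomain1.example.com</param-value></init-param>
</filter><filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern></filter-mapping></web-app>"""
print(check_web_xml(SAMPLE) or "no findings")
```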
