Hi, 

I am trying to use Geoserver data in a JS WebGIS application. 
I am having trouble disabling the X-Frame-Options from adding the SAMEORIGIN 
header to incoming requests. 

I have read the instructions on: 
http://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy
 

My TOMCAT's conf/web.xml has deactivated X-FRAME-OPTIONS:
    <filter>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Requests to localhost:8080/manager do not show the X-Frame-Options, so it 
should be working. 

My geoserver's web.xml has the following configuration:
    <filter>
        <filter-name>xFrameOptionsFilter</filter-name>
        <filter-class>org.geoserver.filters.XFrameOptionsFilter</filter-class>
        <init-param>
            <param-name>geoserver.xframe.policy</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>xFrameOptionsFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

Each time I do a request to the geoserver I get a response with the dreaded 
X-FRAME-OPTIONS: SAMEORIGIN

Does anyone have any insight on how to set geoserver to stop being secured 
against clickJacking?

BTW, this stackexchange answer is no good: 
https://gis.stackexchange.com/questions/267758/setting-geoserver-x-frame-options
It breaks the geoserver if you use the values and it won't run.

Any ideas?
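
Added example, not part of the original post and not GeoServer or Tomcat code: the container-level web.xml and the application's web.xml each declare their own filter that can set X-Frame-Options, so an audit has to list both. The sketch below does that for any web.xml text, with or without the Java EE namespace. The names frame_filters, child_text, local and KEYWORDS are hypothetical, and the sample is the post's two filter declarations wrapped in a constructed <web-app> root.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two filter declarations from the post, placed under
# one <web-app> root (with the usual Java EE namespace) so they parse together.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>xFrameOptionsFilter</filter-name>
    <filter-class>org.geoserver.filters.XFrameOptionsFilter</filter-class>
    <init-param>
      <param-name>geoserver.xframe.policy</param-name>
      <param-value>DENY</param-value>
    </init-param>
  </filter>
</web-app>"""

KEYWORDS = ("xframe", "clickjack", "httpheadersecurity")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, ignoring namespaces."""
    for c in elem:
        if local(c.tag) == name:
            return (c.text or "").strip()
    return None

def frame_filters(web_xml):
    """Return {filter-name: {"class", "params"}} for filters that touch framing."""
    root = ET.fromstring(web_xml)
    found = {}
    for f in (e for e in root if local(e.tag) == "filter"):
        cls = child_text(f, "filter-class") or ""
        params = {child_text(p, "param-name"): child_text(p, "param-value")
                  for p in f if local(p.tag) == "init-param"}
        # Match on class as well as parameter names, so a filter declared
        # without any init-param is still reported.
        text = " ".join([cls, *filter(None, params)]).lower()
        if any(k in text for k in KEYWORDS):
            found[child_text(f, "filter-name")] = {"class": cls, "params": params}
    return found
```

Running frame_filters over both Tomcat's conf/web.xml and the GeoServer webapp's WEB-INF/web.xml shows every declared filter that can affect the header, which is the inventory to compare against the response actually observed.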