Thank you Andrea for the quick answer and help pointing me in the right
direction.
I had already read the online resource, and figured out that I would have to
look in the code to see what it does.
Unfortunately disabling the filter altogether breaks something in geoserver,
as when I reload the application from Tomcat's manager it fails to start.
I will try to have a look at configuring the X-Frame filter to allow the domain
that I would like to frame content from the geoserver.
I was hoping somebody on the user list has real-life experience disabling this
otherwise useful security feature.
Sorin RUSU
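A check for the behaviour discussed in this thread, added here as an example and not code from GeoServer, Tomcat or anyone on the list: given a response's headers, it reports whether a page at one origin may be framed from another, evaluating X-Frame-Options (the header the xFrameOptionsFilter quoted below emits) and the CSP frame-ancestors directive that overrides it. The function names, sample headers and origins are my own constructions.

```python
"""Decide whether a response may be framed by a given origin (added example,
not GeoServer or Tomcat code). Browsers consult X-Frame-Options, which
GeoServer's xFrameOptionsFilter emits, and the CSP frame-ancestors directive,
which overrides it when present. CSP matching here is simplified to origins
and *.host wildcards (no ports, paths or scheme-only sources).
"""
import urllib.request


def _source_matches(src, origin):
    """Match one CSP host source (e.g. https://*.example.org) against an origin."""
    scheme, host = origin.split("://", 1)
    src_scheme, src_host = src.split("://", 1) if "://" in src else (scheme, src)
    if src_scheme != scheme:
        return False
    if src_host.startswith("*."):
        return host == src_host[2:] or host.endswith(src_host[1:])
    return host == src_host


def frame_allowed(headers, page_origin, embedder_origin):
    """Return (allowed, reason) for a page at page_origin framed from embedder_origin."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                if src == "'none'":
                    return False, "CSP frame-ancestors 'none'"
                if src == "'self'" and embedder_origin == page_origin:
                    return True, "CSP frame-ancestors 'self'"
                if not src.startswith("'") and _source_matches(src.lower(), embedder_origin.lower()):
                    return True, "CSP frame-ancestors allows " + src
            return False, "CSP frame-ancestors does not list " + embedder_origin
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        same = embedder_origin == page_origin
        return same, "X-Frame-Options: SAMEORIGIN (%s)" % ("same origin" if same else "cross-origin")
    # ALLOW-FROM is obsolete and ignored by current browsers: anything else is unenforced.
    return True, "no enforced framing restriction (X-Frame-Options: %r)" % xfo


def fetch_headers(url):
    """Headers of a live response, e.g. from a running GeoServer, for frame_allowed()."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers)
```

With a constructed `{"X-FRAME-OPTIONS": "SAMEORIGIN"}` response and a cross-origin embedder the verdict is blocked, which is what the original poster observes. Because ALLOW-FROM is no longer honoured by current browsers, allowing one specific domain to frame GeoServer needs a CSP frame-ancestors header rather than an X-Frame-Options value.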
On Monday, 25 June 2018, 15:11:57 EEST, Andrea Aime
<andrea.a...@geo-solutions.it> wrote:
Hi,
yep, it's indeed the GeoServer filter you mentioned that adds the header.
Documentation here:
http://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy
In case that does not help, source code here:
https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/filters/XFrameOptionsFilter.java#L18
Cheers
Andrea
On Thu, Jun 21, 2018 at 2:31 PM, Rusu Sorin via Geoserver-users
<geoserver-users@lists.sourceforge.net> wrote:
Hi,
I am trying to use Geoserver data in a JS WebGIS application.
I am having trouble disabling the X-Frame-Options from adding the SAMEORIGIN
header to incoming requests.
I have read the instructions on:
http://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy
My TOMCAT's conf/web.xml has deactivated X-FRAME-OPTIONS:
<filter>
  <filter-name>HttpHeaderSecurityFilter</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>HttpHeaderSecurityFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Requests to localhost:8080/manager do not show the X-Frame-Options, so it
should be working.
My geoserver's web.xml has the following configuration:
<filter>
  <filter-name>xFrameOptionsFilter</filter-name>
  <filter-class>org.geoserver.filters.XFrameOptionsFilter</filter-class>
  <init-param>
    <param-name>geoserver.xframe.policy</param-name>
    <param-value>DENY</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>xFrameOptionsFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Each time I do a request to the geoserver I get a response with the dreaded
X-FRAME-OPTIONS: SAMEORIGIN
Does anyone have any insight on how to set geoserver to stop being secured
against clickJacking?
BTW, this stackexchange answer is no good:
https://gis.stackexchange.com/questions/267758/setting-geoserver-x-frame-options
it breaks the geoserver if you use the values and it won't run.
Any ideas?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
Regards,
Andrea Aime
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
This email is intended only for the person or entity to which it is addressed
and may contain information that is privileged, confidential or otherwise
protected from disclosure. We remind that - as provided by European Regulation
2016/679 "GDPR" - copying, dissemination or use of this e-mail or the
information herein by anyone other than the intended recipient is prohibited.
If you have received this email by mistake, please notify us immediately by
telephone or e-mail.