On 3/31/16, 2:43 PM, "Rahulkumar Godse" <rahulkumar.go...@selligent.com> wrote:
>Hi,
>
>Tomcat version:
>apache-tomcat-8.0.28
>
>Issue:
>I am trying to open an external url in an iframe in our application. The
>external url has X-FRAME-OPTIONS set to DENY in their jsp code which I am
>trying to override using filters in web.xml
>
>Here’s the code where I added the filters in web.xml
>
><filter>
>  <filter-name>httpHeaderSecurity</filter-name>
>  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>  <async-supported>true</async-supported>
>  <init-param>
>    <param-name>antiClickJackingEnabled</param-name>
>    <param-value>true</param-value>
>  </init-param>
>  <init-param>
>    <param-name>antiClickJackingOption</param-name>
>    <param-value>ALLOW-FROM</param-value>
>  </init-param>
>  <init-param>
>    <param-name>antiClickJackingUri</param-name>
>    <param-value>ipaddress2</param-value>
>  </init-param>
></filter>
>
>The external application is set up on the same domain but on a different box
>having a different ip address <ipaddress2> while our application is running on
><ipaddress1>.
>
>As per the definition of the filters, now all X-FRAME-OPTIONS should be
>replaced by ALLOW-FROM, but I still get an error “Refused to display
>'https://<ipaddress1>:<port>/xyz/' in a frame because it set 'X-Frame-Options'
>to 'DENY'.”
>
>Can someone help me with this? Is there anything wrong with the syntax in the
>web.xml?
>
>NOTE: I also tried commenting out the following lines in web.xml as per an
>email thread I found on apache mailing list.
>
><!--
>  <filter-mapping>
>    <filter-name>httpHeaderSecurity</filter-name>
>    <url-pattern>/*</url-pattern>
>    <dispatcher>REQUEST</dispatcher>
>  </filter-mapping>
>-->

Correction in the code:

  <init-param>
    <param-name>antiClickJackingUri</param-name>
    <param-value>ipaddress1</param-value>
  </init-param>
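
An added example, not part of the original post and not Tomcat code: a small Python audit that reads a web.xml and reports when an `HttpHeaderSecurityFilter` is declared without an active `<filter-mapping>`, or when `ALLOW-FROM` is paired with an `antiClickJackingUri` that is not an origin of the form scheme://host[:port]. The sample documents are constructed, and `https://app.example.test:8443` is a placeholder origin.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def _kids(elem, name):
    # Match on local name so namespaced web.xml files work too.
    return [c for c in elem if isinstance(c.tag, str) and c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_web_xml(xml_text):
    """Return findings for each HttpHeaderSecurityFilter declared in web.xml."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    mapped = {_text(m, "filter-name") for m in _kids(root, "filter-mapping")}
    findings = []
    for f in _kids(root, "filter"):
        if _text(f, "filter-class") != FILTER_CLASS:
            continue
        name = _text(f, "filter-name")
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _kids(f, "init-param")}
        if name not in mapped:
            findings.append(f"{name}: no active filter-mapping, filter never runs")
        if params.get("antiClickJackingOption", "DENY").upper() == "ALLOW-FROM":
            uri = urlsplit(params.get("antiClickJackingUri", ""))
            if not (uri.scheme and uri.netloc):
                findings.append(f"{name}: antiClickJackingUri is not scheme://host[:port]")
    return findings

def _web_xml(uri, mapping):
    # Constructed sample documents; only the parts the audit reads are included.
    return f"""<web-app><filter>
      <filter-name>httpHeaderSecurity</filter-name>
      <filter-class>{FILTER_CLASS}</filter-class>
      <init-param><param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value></init-param>
      <init-param><param-name>antiClickJackingUri</param-name>
        <param-value>{uri}</param-value></init-param>
    </filter>{mapping}</web-app>"""

MAPPING = ("<filter-mapping><filter-name>httpHeaderSecurity</filter-name>"
           "<url-pattern>/*</url-pattern></filter-mapping>")
AS_POSTED = _web_xml("ipaddress2", f"<!-- {MAPPING} -->")
CORRECTED = _web_xml("https://app.example.test:8443", MAPPING)

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, audit_web_xml(doc))
```

The audit covers only the web application whose web.xml is checked; a servlet filter adds headers to responses served by that application, not to responses from another server.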