Hi all,
I am having a fair bit of trouble trying to modify the default X-Frame-Options
policy for Geoserver. I have read the documentation
http://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy,
I have searched for the error online in various forums and I have also read
through the mailing list. Someone earlier this year also had the same issue but
did not get any definitive answers
(https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/1295046034.297314.1529584313871%40mail.yahoo.com/#msg36348795).
The documentation says the policy can be changed via Java system property,
command line argument, environment variable or web.xml but they do not have
instructions on how. I have mainly focused on trying to get it to work via
web.xml by overriding the existing policy with httpHeaderSecurity. It works for
changing it from "SAMEORIGIN" to "DENY", but what I need is "ALLOW-ALL *", which
does not work. Once I set it to "ALLOW-ALL *", it no longer starts up.
This is what it looks like:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>
Note: I need the value to be ALLOW-ALL * but Geoserver no longer starts up.
From the documentation, it seems it should be something like:
<filter>
    <filter-name>xFrameOptionsFilter</filter-name>
    <filter-class>org.geoserver.filters.XFrameOptionsFilter</filter-class>
    <init-param>
        <param-name>geoserver.xframe.policy</param-name>
        <param-value>ALLOW-ALL *</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xFrameOptionsFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
However, this does not match up to the source code found here:
https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/filters/XFrameOptionsFilter.java#L18.
The source code does not have any getServletContext().getInitParameter() so
how does it actually use the settings in the web.xml?
I’ve also had a look at the pull requests
(https://github.com/geoserver/geoserver/pulls?utf8=%E2%9C%93&q=x-frame-options)
that mentioned X-Frame-Options policy and it seems like the code was recently
changed in 2017. Has this changed the ability of setting the policy?
I am quite out of ideas. I hope someone is able to point me in the right
direction.
Thanks,
Edmond
_______________________________________________
Geoserver-users mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-users
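
An added example, not part of the original post and not GeoServer or Tomcat code: a small Python check that reads a web.xml and reports any antiClickJackingOption or geoserver.xframe.policy value that is not one of the three forms RFC 7034 defines for X-Frame-Options (DENY, SAMEORIGIN, ALLOW-FROM uri). The sample web.xml is constructed from the two snippets in the post, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Parameter names as they appear in the two web.xml snippets in the post.
POLICY_PARAMS = ("antiClickJackingOption", "geoserver.xframe.policy")
# RFC 7034 defines exactly three forms; it has no "allow all" value.
RFC7034_VALUE = re.compile(r"DENY|SAMEORIGIN|ALLOW-FROM\s+\S+", re.IGNORECASE)

def local(tag):
    """Drop an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def filter_params(flt):
    """Return (filter-name, {param-name: param-value}) for one <filter>."""
    name, params = "", {}
    for child in flt:
        if local(child.tag) == "filter-name":
            name = (child.text or "").strip()
        elif local(child.tag) == "init-param":
            kv = {local(c.tag): (c.text or "").strip() for c in child}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return name, params

def check_web_xml(text):
    """List (filter-name, param-name, value) for each non-RFC 7034 policy."""
    findings = []
    for flt in ET.fromstring(text).iter():
        if local(flt.tag) != "filter":
            continue
        name, params = filter_params(flt)
        for key in (k for k in POLICY_PARAMS if k in params):
            value = params[key]
            # Tomcat's filter takes the ALLOW-FROM origin in antiClickJackingUri.
            if key == "antiClickJackingOption" and value.upper() == "ALLOW-FROM":
                value = f"ALLOW-FROM {params.get('antiClickJackingUri', '')}".strip()
            if not RFC7034_VALUE.fullmatch(value):
                findings.append((name, key, value))
    return findings

# Constructed sample: the post's two filters, both set to "ALLOW-ALL *".
SAMPLE = """<web-app><filter><filter-name>httpHeaderSecurity</filter-name>
<init-param><param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-ALL *</param-value></init-param></filter>
<filter><filter-name>xFrameOptionsFilter</filter-name>
<init-param><param-name>geoserver.xframe.policy</param-name>
<param-value>ALLOW-ALL *</param-value></init-param></filter></web-app>"""

if __name__ == "__main__":
    for finding in check_web_xml(SAMPLE):
        print("not a valid X-Frame-Options value:", finding)
```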