I am looking for an answer strictly for tomcat webserver. I am need to call a different domain using iframe and it is giving the following error in internet explorer
This content cannot be displayed in a frame To help protect the
security of information you enter into this website, the publisher of
this content does not allow it to be displayed in a frame.
I know this is cross domain issue and i am trying to enable it in tomcat webserver. I have search internet for a day and i dont see a clear answer on how to configure either X-Frame-Options or antiClickJackingEnabled
I used the following option in web.xml but it did not work
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
</filter>
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>[https://subdomain1.example.com][https://subdomain2.example.com][https://subdomain3.example.com]</param-value>
</init-param>
</filter>
Please help!!!
You can't create two filters. Join the structure.
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>[https://subdomain1.example.com][https://subdomain2.example.com][https://subdomain3.example.com]</param-value>
</init-param>
</filter>
did you enable the filter:
<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Related
What I am trying to do is integrating Jira 7.12.3 with a SSO server using the Apereo Java CAS Client.
I followed this guide and got the two needed jars from here.
I have integrated CAS with JIRA like described there, but when I open jira, the user is redirected to /secure/Dashboard.jspa (the jira login page). By clicking login in the top right corner the cas page is opening, but after logging in successfully the user is redirected back to the JIRA login page and the user is still not logged in here. Can anyone help me to fix this?
Here the configs I've added:
web.xml:
<!-- CAS FILTER -->
<filter>
<filter-name>CasSingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://[sso url]</param-value>
</init-param>
</filter>
<filter>
<filter-name>CasAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://[sso url]/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080/</param-value>
</init-param>
</filter>
<filter>
<filter-name>CasValidationFilter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://[sso url]</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!-- Just before the last filter in the defined chain -->
<!-- CAS - Java Client Filter Mappings -->
<filter-mapping>
<filter-name>CasSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasAuthenticationFilter</filter-name>
<url-pattern>/default.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS:START - Java Client Single Sign Out Listener -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- CAS:END -->
seraph-config.xml:
<init-param>
<param-name>login.url</param-name>
<!--<param-value>/login.jsp?permissionViolation=true&os_destination=${originalurl}&page_caps=${pageCaps}&user_role=${userRole}</param-value>-->
<param-value>https://[sso url]/login?service=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<param-value>https://[sso url]/login?service=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>logout.url</param-name>
<!--<param-value>/secure/Logout!default.jspa</param-value>-->
<param-value>https://[sso url]/logout</param-value>
</init-param>
<!-- Inserted this Authenticator instead of JiraSeraphAuthenticator -->
<authenticator class="org.jasig.cas.client.integration.atlassian.Jira7CasAuthenticator">
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://[sso url]</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</authenticator>
The problem was that I inserted my jira-url as "localhost:8080". Thus, my cas server was not able to uniquely identify the service via the service-parameter in the url.
Thought this might be helpful for others with a similar problem.
I would like to to test the Application Insight tool of Microsoft Azure.
For this reason, I took a Spring application, jpetshop (https://github.com/mybatis/jpetstore-6), and I am trying to set up the Application Insight on top of it following this guide: https://learn.microsoft.com/en-us/azure/application-insights/app-insights-java-get-started
I added the Maven dependency and repository and, thanks to Eclipse, I created the ApplicationInsights.xml file with my InstrumentationKey. The only thing that I am not sure about is how to add is the HTTP filter on this application.
I modified the web.xml in this way:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>JPetStore</display-name>
<description>Online Pet Store Sample Application</description>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>StripesResources</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<display-name>Stripes Filter</display-name>
<filter-name>StripesFilter</filter-name>
<filter-class>net.sourceforge.stripes.controller.StripesFilter</filter-class>
<init-param>
<param-name>ActionResolver.Packages</param-name>
<param-value>org.mybatis.jpetstore.web</param-value>
</init-param>
<init-param>
<param-name>Extension.Packages</param-name>
<param-value>net.sourceforge.stripes.integration.spring</param-value>
</init-param>
<init-param>
<param-name>ApplicationInsightsRequestNameInterceptor</param-name>
<param-value>com.microsoft.applicationinsights.web.struts.RequestNameInterceptor</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>StripesFilter</filter-name>
<servlet-name>StripesDispatcher</servlet-name>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>StripesDispatcher</servlet-name>
<servlet-class>net.sourceforge.stripes.controller.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>StripesDispatcher</servlet-name>
<url-pattern>*.action</url-pattern>
</servlet-mapping>
</web-app>
However, if I change the filter-mapper field as shown in the guide, the application doesn't work anymore.
Since the jpetshop application uses the Spring framework I also though to modify the *-servlet.xml file. However, this file is not present in this project.
Do you know how can I make the Azure Application Insight work on this application?
Thank you
I think you missed the section where you need to define ApplicationInsights's filter:
<filter>
<filter-name>ApplicationInsightsWebFilter</filter-name>
<filter-class>
com.microsoft.applicationinsights.web.internal.WebRequestTrackingFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>ApplicationInsightsWebFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I am using Swagger for REST api documentation, but facing issues with Container response filter filter used for jersey servlet and APIOriginFilter used for servlet for swagger. If I disable the Container response filter from jersey servlet swagger UI displays the APIs properly but the actual API call fails.
Please help and suggest how i can make common entry for the container response filter of jersey and api origin filter of swagger.
Below is snapshot from web.xml
<servlet>
<servlet-name>jersey-serlvet</servlet-name>
<servlet-class>
com.sun.jersey.spi.spring.container.servlet.SpringServlet
</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.harman.ctg.rest;com.wordnik.swagger.jersey.listing</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
<param-value>com.harman.ctg.rest.helper.CrossOriginResourceSharingFilter</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.feature.DisableWADL</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>DefaultJaxrsConfig</servlet-name>
<servlet-class>com.wordnik.swagger.jaxrs.config.DefaultJaxrsConfig</servlet-class>
<init-param>
<param-name>api.version</param-name>
<param-value>1.0.0</param-value>
</init-param>
<init-param>
<param-name>swagger.api.basepath</param-name>
<param-value>http://localhost:8080/Pro_IDX_VAS_Web/api/3.0/api-docs</param-value>
</init-param>
<init-param>
<param-name>swagger.filter</param-name>
<param-value>com.harman.ctg.rest.helper.ApiAuthorizationFilterImpl</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-serlvet</servlet-name>
<url-pattern>/api/3.0/*</url-pattern>
</servlet-mapping>
<!-- Filter to secure Jersey (JAX-RS) services -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/api/3.0/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>ApiOriginFilter</filter-name>
<filter-class>com.harman.ctg.rest.helper.CrossOriginResourceSharingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ApiOriginFilter</filter-name>
<url-pattern>/api/3.0/*</url-pattern>
</filter-mapping>
I have a maven project (with web and JPA facets) in Eclipse Java EE IDE for Web Developers. I have added the jars to my tomcat library and everything compiles great.
However, my webpage header does NOT reflect what I have enabled in my web.xml through the CORS filter.
My header looks like:
And my web.xml contains:
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!-- Servlet 1: Expose the OData service endpoint -->
<servlet>
<servlet-name>OData</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<!-- all additional parameters will be passed to your factory create method -->
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>org.odata4j.jersey.producer.resources.ODataApplication</param-value>
</init-param>
<init-param>
<param-name>odata4j.producerfactory</param-name>
<param-value>org.odata4j.producer.jpa.JPAProducerFactory</param-value>
</init-param>
<init-param>
<param-name>odata4j.jpa.persistenceUnitName</param-name>
<param-value>Resource</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>OData</servlet-name>
<url-pattern>/example.svc/*</url-pattern>
</servlet-mapping>
<!-- Servlet 2: Enable crossdomain access for browser clients -->
<servlet>
<servlet-name>CrossDomain</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>org.odata4j.producer.resources.RootApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CrossDomain</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- Use CORSFilter for CORS -->
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<!-- Note: All parameters are options, if ommitted CORS Filter
will fall back to the respective default values.
-->
<init-param>
<param-name>cors.allowGenericHttpRequests</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, HEAD, POST, OPTIONS, PUT, DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>Content-Type, X-Requested-With, Accept, Authentication</param-value>
</init-param>
<init-param>
<param-name>cors.exposedHeaders</param-name>
<param-value>X-Test-1, X-Test-2</param-value>
</init-param>
<init-param>
<param-name>cors.supportsCredentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.maxAge</param-name>
<param-value>3600</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I fixed my headers to support CORS by implementing Padcom's CORS filter for Java application as described here.
I'm still not sure why the method I tried above didn't work...
But if you are stuck trying the method above, it is easy and work trying Padcom's method. :)
I have three different tomcat instance.
Tomcat with cas server localhost:8050
Tomcat with Jira 4.3 localhost:8080
and, finally tomcat with confluence 3.5 localhost:8070
I need to implement SSO(jira + confluence) via cas server, which connected to LDAP.
Ok, im use cas client for jira and Confluence like this https://wiki.jasig.org/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1
Now both jira and confluence correctly redirect me to Cas login page and authtorize in ldap server, thats work almost fine(have some bugs with confluence logout), but this is not SSO. If i logged in jira i still need to enter my cretentials for confluence and vice verca. I think its happend because diferent tomcat installation. When im logging in jira Cas give me a ticket for service http://localhost:8080 and another ticket for confluence(http://localhost:8070). Im really stuck with this stupid problem, and im hope somebody can direct me on right way.
My configs:
Jira.
Seraph-config.xml
<init-param>
<param-name>login.url</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl} </param-value>
</init-param>
<init-param>
<param-name>logout.url</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/logout</param-value>
</init-param>
Web xml:
<filter>
<filter-name>CasSingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CasAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CasValidationFilter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CasSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasAuthenticationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
for confluence:
seraph-config.xml :
<init-param>
<param-name>login.url</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/login?service=${originalurl}</param-value>
</init-param>
web.xml:
<filter>
<filter-name>CasSingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CasAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8070</param-value>
</init-param>
</filter>
<filter>
<filter-name>CasValidationFilter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8050/cas-server-webapp-3.4.8/</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8070</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CasSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasAuthenticationFilter</filter-name>
<url-pattern>/login.action</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
I notice above that your service is dynamic: service=${originalurl}
I think that for SSO to work you have to use the each website has to call CAS using the same service so that the TGT on the CAS server knows who is calling. Otherwise, I think you have to investigate Proxy Granting Tickets:
https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
Which I understand are a means of a service saying the equivilent of "it's ok, that other service is my friend".