Xframe option in tomcat 7

試著忘記壹切 posted on 2019-11-30 07:27:39

Question


I have added the below code snippet in my tomcat web.xml to prevent clickjacking.

In the section for adding built-in filters, I have added:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

For the filter-mapping part, I have added:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

After editing and making these two changes, the test page (the HTML page where I am trying to open the target page in a <frame>) passes (it is not able to open the target page inside frames).
But the Apache welcome page gives 404 with the new changes.

Please let me know if I am missing anything.


Answer 1:


I also had this issue with tomcat7 and the exact same filter.

The first thing you should do is check the tomcat logs under CATALINA_BASE/logs/. Locate and open localhost.YYYY-MM-DD.log; there you should find the cause for the error.

In my log file I had this error:

SEVERE: Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter

I then found out that the HttpHeaderSecurityFilter was newly added in Tomcat Version 7.0.63 (see here) but I was running version 7.0.52 (the one that comes with Ubuntu 14.04 LTS).

I resolved the issue by installing the newest Tomcat version and now the filter works as expected.
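
The diagnosis described in the answer above, as an added shell example that is not part of the original post: it scans a localhost log for a filter that failed to start with ClassNotFoundException and compares the running version against 7.0.63. The function names and the sample log (including its timestamp line) are constructed for illustration.

```shell
# Added example: names (version_ge, failed_filters, diagnose) are hypothetical.
MIN_VERSION="7.0.63"  # release that introduced HttpHeaderSecurityFilter, per the answer

# version_ge A B: exit 0 when dotted version A >= B, comparing fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# failed_filters LOG: print "<filter-name> <missing-class>" for every filter whose
# startup error is directly followed by a ClassNotFoundException line.
failed_filters() {
    awk '
        /Exception starting filter/ { name = $NF; next }
        name != "" && /^java\.lang\.ClassNotFoundException:/ { print name, $NF }
        { name = "" }
    ' "$1"
}

# diagnose VERSION LOG: print one verdict; return 1 when the filter did not load.
diagnose() {
    if ! failed_filters "$2" | grep -q 'HttpHeaderSecurityFilter$'; then
        echo "ok: no HttpHeaderSecurityFilter load failure in $2"
        return 0
    fi
    if version_ge "$1" "$MIN_VERSION"; then
        echo "class missing although $1 >= $MIN_VERSION: verify which install is running"
    else
        echo "Tomcat $1 predates $MIN_VERSION: upgrade or remove the filter from web.xml"
    fi
    return 1
}

# Constructed sample of localhost.YYYY-MM-DD.log (error lines as quoted in the answer).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 25, 2016 10:15:02 AM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
EOF
# On a real host, take the version from $CATALINA_HOME/bin/version.sh.
diagnose "7.0.52" "$SAMPLE_LOG" || true
```

A failed filter start takes the whole web application's context down, which is why the welcome page returns 404 rather than simply lacking the header.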



Source: https://stackoverflow.com/questions/34991226/xframe-option-in-tomcat-7
