How to prevent Cross-Frame Scripting (XFS) against the NetIQ Access Manager NIDP Server

  • 7017543
  • 27-Apr-2016
  • 28-Mar-2018

Environment

  • NetIQ Access Manager 4.1
  • NetIQ Access Manager 4.2

Situation

  • With the default NIDP server configuration, the NIDP portal and login page can be loaded from within an HTML iframe on any site.

  • To prevent a possible Cross-Frame Scripting (XFS) or clickjacking attack, both of which rely on framing the login page, a web service can send the HTTP "X-Frame-Options" response header, as defined in RFC 7034, which tells the browser whether the page may be rendered inside a frame.

Resolution

  • ssh into your NIDP server
  • modify "/opt/novell/nids/lib/webapp/WEB-INF/web.xml" using the editor of your choice

  • add the following Tomcat filter configuration below any existing <filter> and <filter-mapping> definitions (the <filter-mapping> with url-pattern "/*" applies the header to every response of the NIDP web application)

    <filter>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


  • Also open /opt/novell/nam/idp/conf/web.xml and, if the same filter definition and mapping are present there, remove them so that the filter is configured only in the NIDP web application's web.xml

  • restart your nidp service using "/etc/init.d/novell-idp restart"

  • Use a browser header trace tool (for example the network panel of the browser's developer tools) or "curl -I" to check that the "X-Frame-Options" response header is now present; a trace taken after the change looks like this:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Strict-Transport-Security: max-age=0
    X-Frame-Options: SAMEORIGIN
    x-content-type-options: nosniff
    via-ESP: null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8, null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8,NIDPLOGGING.600105002 session220-C62485D33E58AD05D6F80C470E6A31D8
    Cache-Control: max-age=0
    Expires: Wed, 27 Apr 2016 13:12:43 GMT
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 863
    Date: Wed, 27 Apr 2016 13:12:43 GMT
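As an added check (example code, not part of this TID or of the Access Manager product), the following POSIX shell function parses a block of HTTP response headers and succeeds only if a protective X-Frame-Options header (DENY or SAMEORIGIN) is present. The two sample responses are constructed to mirror the trace above, and the host name in the curl comment is a placeholder for your own IDP server.

```shell
#!/bin/sh
# Added example, not part of the original TID.
# check_xfo reads raw HTTP response headers on stdin and succeeds (exit 0)
# only if an X-Frame-Options header with value DENY or SAMEORIGIN is present.
# Header names are matched case-insensitively, as they are in HTTP.
check_xfo() {
    xfo=$(tr -d '\r' | awk -F': *' 'tolower($1) == "x-frame-options" { print toupper($2); exit }')
    case "$xfo" in
        DENY|SAMEORIGIN) return 0 ;;   # page may not be framed by other origins
        *)               return 1 ;;   # header missing, or ALLOW-FROM/unknown value
    esac
}

# Constructed sample responses (modelled on the trace above, not real captures).
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
x-content-type-options: nosniff
Content-Type: text/html;charset=ISO-8859-1'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1'

# Against a live server (host name and path are placeholders for your IDP):
#   curl -sI https://idp.example.com/nidp/app | check_xfo && echo "X-Frame-Options OK"
```

Run the live form after the service restart; a non-zero exit means either the filter mapping is not active for the requested URL or the header value is something other than DENY or SAMEORIGIN.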

Additional Information

  • The "org.apache.catalina.filters.HttpHeaderSecurityFilter" filter class is shipped as part of Apache Tomcat, so no additional library has to be installed on the NIDP server.
  • The filter sets other headers by default as well, which is why the trace above also shows "Strict-Transport-Security: max-age=0" and "x-content-type-options: nosniff": "hstsEnabled" defaults to true with "hstsMaxAgeSeconds" 0, and "blockContentTypeSniffingEnabled" defaults to true. An HSTS header with max-age=0 instructs browsers to drop any HSTS policy they already hold for the host, so if HSTS is wanted on the NIDP server set the "hstsMaxAgeSeconds" init-param to the intended lifetime in seconds; if HSTS is handled elsewhere (for example on a reverse proxy in front of the IDP), set "hstsEnabled" to "false".
  • Because the change is made in the web application's own web.xml, verify that it is still in place after an Access Manager upgrade or patch.
  • Further information about the available init-params of this "HTTP Header Security Filter" can be found on the "Container Provided Filters" page of the Apache Tomcat configuration reference.