Howto disable Cross-Frame Scripting (XFS) for the NetIQ Access Manager NIDP Server

  • 7017543
  • 27-Apr-2016
  • 28-Mar-2018


  • NetIQ Access Manager 4.1
  • NetIQ Access Manager 4.2


  • calling the NIDP portal / login page from within an HTML iframe is possible with the default NIDP server configuration

  • In order to avoid a possible Cross-Frame Scripting (XFS) attack a web service can add the HTTP "X-Frame-Options" response defined by rfc7034


  • ssh into your nidp server
  • modify the: "/opt/novell/nids/lib/webapp/WEB-INF/web.xml" using the editor of your choice.

  • add the following tomcat filter configuration below any existing filter configurations


  • Also modify /opt/novell/nam/idp/conf/web.xml and remove same filter as above (if present)

  • restart your nidp service using "/etc/init.d/novell-idp restart"

  • Use a browser header trace tool in order to check if the required "X-Frame-Options" header has been added

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Strict-Transport-Security: max-age=0
    X-Frame-Options: SAMEORIGIN
    x-content-type-options: nosniff
    via-ESP: null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8, null,NIDPLOGGING.600105004 session33-C62485D33E58AD05D6F80C470E6A31D8,NIDPLOGGING.600105002 session220-C62485D33E58AD05D6F80C470E6A31D8
    Cache-Control: max-age=0
    Expires: Wed, 27 Apr 2016 13:12:43 GMT
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 863
    Date: Wed, 27 Apr 2016 13:12:43 GMT

Additional Information

  • The "org.apache.catalina.filters.HttpHeaderSecurityFilter" filter class (will be shipped with Apache Tomcat
  • Further information about how to use this "HTTP Header Security Filter" can be found at the Apache web web.xml configuration docs.