Disable Cross-Frame Scripting (XFS) for pages delivered by the Access Gateway Embedded Service Provider (nesp)

  • 7017550
  • 28-Apr-2016
  • 02-May-2016

Environment

  • NetIQ Access Manager 4.1
  • NetIQ Access Manager 4.2

Situation

  • Calling pages delivered by the NESP server from within an HTML iframe is possible with the default NIDP server configuration.

  • Note: this usually has a very low impact, as the delivered pages are not used for the user login process; in most cases they are only used for reporting error messages.

  • In order to avoid a possible Cross-Frame Scripting (XFS) attack, a web service can add the HTTP "X-Frame-Options" response header as defined by RFC 7034.

Resolution

There are two options for adding the header on the Access Gateway:

  1. Add the Tomcat HttpHeaderSecurityFilter to the NESP web application
    - ssh into your Access Gateway server
    - modify "/opt/novell/nesp/lib/webapp/WEB-INF/web.xml" using the editor of your choice
    - add the following Tomcat filter configuration below any existing filter configurations

    <filter>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    - restart your embedded service provider: "/etc/init.d/novell-mag restart"

  2. Use the Apache "mod_headers" module to add the required header

    • open "/etc/opt/novell/apache2/conf/httpd.conf" on your Access Gateway with an editor of your choice
    • remove the "#" in front of "LoadModule headers_module libexec/mod_headers.so" in order to enable loading the module
    • add the following Apache directive from within iManager in the global "Advanced Options" menu

      <LocationMatch "/nesp">
         Header always append X-Frame-Options SAMEORIGIN
      </LocationMatch>
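
Whichever option is used, the result should be verified from the client side. The following check is an added example, not part of this TID or of Access Manager: it parses a raw response header block (or fetches a nesp URL, a hypothetical address you supply) and reports whether a browser will honour the X-Frame-Options value, treating duplicate or comma-joined values, which `Header always append` can produce when a value is already present, as malformed. Error responses are checked too, since the nesp pages mostly serve error messages.

```python
"""Verify that nesp pages carry a single, well-formed X-Frame-Options header."""
import urllib.error
import urllib.request
from typing import List, Tuple

VALID_DIRECTIVES = ("DENY", "SAMEORIGIN")


def check_xfo(xfo_values: List[str]) -> Tuple[bool, str]:
    """Judge the X-Frame-Options values found on one response.

    Returns (protected, reason). Exactly one header with one directive is
    required; duplicated or comma-joined values are handled inconsistently
    by browsers, so they are reported as malformed rather than as protection.
    """
    if not xfo_values:
        return False, "no X-Frame-Options header: page can be framed by any origin"
    if len(xfo_values) > 1:
        return False, "multiple X-Frame-Options headers: %r" % xfo_values
    value = xfo_values[0].strip()
    if "," in value:
        return False, "comma-joined X-Frame-Options value: %r" % value
    upper = value.upper()
    if upper in VALID_DIRECTIVES:
        return True, "framing restricted: " + upper
    if upper.startswith("ALLOW-FROM "):  # RFC 7034 form, limited browser support
        return True, "framing restricted to " + value[11:].strip()
    return False, "unrecognised X-Frame-Options value: %r" % value


def check_header_block(raw_headers: str) -> Tuple[bool, str]:
    """Parse a raw HTTP header block (status line optional) and check it."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(val.strip())
    return check_xfo(values)


def check_url(url: str) -> Tuple[bool, str]:
    """Fetch one nesp page (hypothetical URL) and check its response headers."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            values = resp.headers.get_all("X-Frame-Options") or []
    except urllib.error.HTTPError as err:  # error pages must carry the header too
        values = err.headers.get_all("X-Frame-Options") or []
    return check_xfo(values)


# Constructed sample header blocks, as seen before and after applying the fix.
BEFORE = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
AFTER = BEFORE + "X-Frame-Options: SAMEORIGIN\r\n"
```

For a live check, call `check_url("https://<your-gateway>/nesp/app")` with a real nesp URL of your deployment.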

Additional Information

The HttpHeaderSecurityFilter class was added in Tomcat version 7.0.63; earlier Tomcat versions do not ship this filter.
