Environment
Situation
Web applications that load the NAM IDP login page or protected resources in iframes were working fine before the upgrade to NAM 4.3. After the upgrade, accessing the application no longer redirects to the IDP for authentication; instead, Internet Explorer shows the error:
“This content cannot be displayed in a frame”.
Chrome and Firefox render a blank page.
Ex:
    <p><iframe src="https://idp.microfocus.com:8443/nidp/app" height="200" width="500"></iframe></p>
Resolution
If you have a single domain from which you want to load the NAM IDP login page or a protected resource in an iframe, follow these steps:
a. Comment out the following section in /var/opt/novell/tomcat/webapps/nidp/WEB-INF/web.xml:
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
b. Set antiClickJackingOption to ALLOW-FROM and add the antiClickJackingUri parameter as below:
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>URI that should be allowed/</param-value>
    </init-param>
Ex: https://app.microfocus.com:8643/
c. Restart the IDP by executing: /etc/init.d/novell-idp restart
If you have multiple domains from which you want to load the NAM IDP login page or a protected resource in an iframe, follow these steps:
a. Disable the httpHeaderSecurityFilter in /opt/novell/nids/lib/webapp/WEB-INF/web.xml by commenting out the following section:
    <!--filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536002</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>https://app.microfocus.com:8643/</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping-->
b. Disable the httpHeaderSecurityFilter in /opt/novell/nam/idp/conf/web.xml by commenting out the following section AND
    <!--filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping-->
c. Set SameOriginFilter -> activate to “False” in /opt/novell/nids/lib/webapp/WEB-INF/web.xml:
    <filter>
        <filter-name>SameOriginFilter</filter-name>
        <description>The NIDP server anti-clickjacking filter. This filter adds the 'X-FRAME-OPTIONS: SAMEORIGIN' header to HTTP responses, and prevents cross-domain framing of web pages as best as possible depending on browser compatibility.</description>
        <filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
        <init-param>
            <param-name>activate</param-name>
            <param-value>False</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>SameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
d. Restart the IDP by executing: /etc/init.d/novell-idp restart
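A way to check what each edited web.xml will actually produce before restarting the IDP, added here as an example and not part of the original article or of the product: it parses a web.xml the way Tomcat does (commented-out filters simply vanish) and lists the X-Frame-Options values the httpHeaderSecurity and SameOriginFilter entries would set, so an empty result shows that the multi-domain steps leave the page with no framing protection at all. The sample fragments are constructed from the snippets above, and the Tomcat defaults assumed (antiClickJackingEnabled=true, antiClickJackingOption=DENY) are those of Tomcat's HttpHeaderSecurityFilter.

```python
import xml.etree.ElementTree as ET

def _local(tag):  # strip a namespace prefix: '{ns}filter' -> 'filter'
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name):  # text of the first direct child called `name`
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def frame_options_from_web_xml(web_xml):
    """X-Frame-Options values the active filters in a web.xml would set."""
    # Commented-out <filter> blocks are dropped with the XML comment, matching
    # Tomcat treating them as absent. Which of several values the browser
    # finally sees depends on filter order, which is not modelled here.
    values = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter":
            continue
        cls = _child_text(el, "filter-class")
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in el if _local(p.tag) == "init-param"}
        if cls.endswith("HttpHeaderSecurityFilter"):
            # Tomcat defaults: antiClickJackingEnabled=true, option=DENY.
            if params.get("antiClickJackingEnabled", "true").lower() != "true":
                continue
            opt = params.get("antiClickJackingOption", "DENY").upper()
            uri = params.get("antiClickJackingUri", "")
            values.append(f"ALLOW-FROM {uri}" if opt == "ALLOW-FROM" else opt)
        elif cls.endswith("SameOriginFramingFilter"):
            # NIDP's own filter adds SAMEORIGIN unless activate=False.
            if params.get("activate", "True").lower() == "true":
                values.append("SAMEORIGIN")
    return values

# Constructed samples (not the product's files). SINGLE: the single-domain
# step b above. MULTI: the multi-domain end state, httpHeaderSecurity
# commented out and SameOriginFilter deactivated.
SINGLE_DOMAIN_WEB_XML = """<web-app><filter>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>antiClickJackingOption</param-name>
    <param-value>ALLOW-FROM</param-value></init-param>
  <init-param><param-name>antiClickJackingUri</param-name>
    <param-value>https://app.microfocus.com:8643/</param-value></init-param>
</filter></web-app>"""
MULTI_DOMAIN_WEB_XML = """<web-app>
  <!--filter><filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  </filter-->
  <filter><filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
  <init-param><param-name>activate</param-name><param-value>False</param-value></init-param>
  </filter></web-app>"""
```

Run it against the real files on the IDP host (for example `frame_options_from_web_xml(open(path).read())`) before and after the edits to confirm the expected header value, or the absence of any.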
Cause
The configuration that prevents Clickjacking/XFS attacks is enabled by default in NAM 4.3 and above. It prevents NAM pages from being loaded in frames.
Additional Information
As per https://tools.ietf.org/html/rfc7034, ALLOW-FROM doesn't support multiple domains.