Environment
- NetIQ Access Manager 4.1
- NetIQ Access Manager 4.2
Situation
- With the default NIDP server configuration, pages delivered by the NESP (Embedded Service Provider) on the Access Gateway can be loaded from within an HTML iframe on another site.
- Note: the impact is usually very low, because the delivered pages are not part of the user login process; in most cases they are only used to report error messages.
- To prevent a possible Cross-Frame Scripting (XFS) attack, a web service can add the HTTP "X-Frame-Options" response header as defined in RFC 7034.
Resolution
There are two options for adding the header on the Access Gateway.
- Use the Tomcat "HttpHeaderSecurityFilter" in the embedded service provider (NESP) web application
  - ssh into your Access Gateway server
  - open "/opt/novell/nesp/lib/webapp/WEB-INF/web.xml" with the editor of your choice
  - add the following Tomcat filter configuration below any existing filter configurations
    <filter>
      <filter-name>TomcatSameOriginFilter</filter-name>
      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>TomcatSameOriginFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
  - restart the embedded service provider: "/etc/init.d/novell-mag restart"
- Use the Apache "mod_headers" module to add the required header
  - open "/etc/opt/novell/apache2/conf/httpd.conf" on your Access Gateway with the editor of your choice
  - remove the "#" in front of "LoadModule headers_module libexec/mod_headers.so" so that the module is loaded
  - add the following Apache directives from iManager in the global "Advanced Options" menu
    <LocationMatch "/nesp">
      Header always append X-Frame-Options SAMEORIGIN
    </LocationMatch>
  - Note: "LocationMatch" takes a regular expression, so "/nesp" matches every URL that contains that string. "Header always append" adds the value to an X-Frame-Options header that is already present in the response (the "always" condition also covers error responses). If the Tomcat filter from the first option is active at the same time, the client receives a combined value such as "SAMEORIGIN, SAMEORIGIN"; RFC 7034 defines only a single value, and browsers handle duplicated or conflicting values inconsistently. Apply only one of the two options, or use "Header always set X-Frame-Options SAMEORIGIN", which replaces any existing value.
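To confirm that exactly one usable X-Frame-Options header reaches the client after either option has been applied, the following POSIX shell script is an added example; it is not part of the NetIQ article or of the product. The gateway URL in the usage comment is an assumption, and the offline sample response embedded at the end is constructed. It deliberately counts comma-joined values as separate, which is how the "Header append" duplication shows up on the wire.

```shell
#!/bin/sh
# Added example (not from the NetIQ article or product): verify that a response carries
# exactly one X-Frame-Options header with a value browsers honour.
# Return codes of xfo_verdict:
#   0 = one header, value DENY or SAMEORIGIN
#   1 = header missing
#   2 = more than one value (two headers, or "SAMEORIGIN, SAMEORIGIN" from "Header append")
#   3 = single but unusable value (e.g. ALLOW-FROM, which current browsers ignore)

# Print every X-Frame-Options value found in a raw header block, one per line.
# Comma-joined values are split, because that is what "Header always append"
# produces when the backend already sent the header.
xfo_values() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^x-frame-options:/ {
            v = $0
            sub(/^[^:]*:/, "", v)          # drop the header name
            n = split(v, parts, ",")
            for (i = 1; i <= n; i++) {
                x = parts[i]
                sub(/^[ \t]+/, "", x)      # trim leading whitespace
                sub(/[ \t]+$/, "", x)      # trim trailing whitespace
                if (x != "") print x
            }
        }'
}

# Judge a raw header block; see the code table above.
xfo_verdict() {
    vals=$(xfo_values "$1")
    count=$(printf '%s\n' "$vals" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) return 1 ;;
        1) ;;
        *) return 2 ;;
    esac
    upper=$(printf '%s' "$vals" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN) return 0 ;;
        *) return 3 ;;
    esac
}

# Fetch the response headers of a live URL (GET, body discarded, header dump to stdout;
# the certificate check is skipped because gateways often use an internal CA) and judge them.
# Returns 4 if curl itself fails.
xfo_check_url() {
    hdrs=$(curl -ksS -o /dev/null -D - "$1") || return 4
    xfo_verdict "$hdrs"
}

# Human-readable description of a verdict code.
xfo_explain() {
    case "$1" in
        0) echo "ok: single X-Frame-Options header with a restrictive value" ;;
        1) echo "FAIL: no X-Frame-Options header" ;;
        2) echo "FAIL: multiple X-Frame-Options values (both fixes active, or Header append on an existing header?)" ;;
        3) echo "FAIL: X-Frame-Options present but value is not DENY or SAMEORIGIN" ;;
        *) echo "FAIL: could not fetch headers" ;;
    esac
}

# Usage: xfo_check.sh https://gateway.example.com/nesp/app   (URL is an assumption)
# With no argument, a constructed sample response is judged instead, so the script runs offline.
if [ "$#" -gt 0 ]; then
    rc=0; xfo_check_url "$1" || rc=$?
else
    sample=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n')
    rc=0; xfo_verdict "$sample" || rc=$?
fi
xfo_explain "$rc"
```

Run it against a NESP URL after the restart; a verdict of 2 means both fixes are in effect or "append" hit a header the backend already sent, and a verdict of 1 usually means the request never reached the protected path (check the "LocationMatch" pattern or the filter's "url-pattern").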
Additional Information
The HttpHeaderSecurityFilter class was added in Tomcat 7.0.63; earlier Tomcat versions do not ship this filter. Note that the filter's other defaults stay active when only "antiClickJackingOption" is configured: it also adds "X-Content-Type-Options: nosniff" to every response and, on HTTPS connections, a "Strict-Transport-Security" header whose max-age defaults to 0. Review the "hstsEnabled", "hstsMaxAgeSeconds" and "blockContentTypeSniffingEnabled" init-params if those headers are not wanted or need different values.