
How to configure Jasper tomcat server to protect against Clickjacking vulnerabilities


Article ID: 237698

Products

CA Spectrum

Issue/Introduction

The Tomcat instance shipped with Jasper 7.1 is susceptible to a clickjacking vulnerability.

Environment

Spectrum Release: 21.2
Jasper 7.1

Resolution

JasperReports Server implements a new mechanism to protect against clickjacking attacks. To enable this mechanism, edit a configuration file.

1. Using a text editor, open the applicationContext-security-web.xml file (found in <js-install>\apache-tomcat\webapps\jasperserver-pro\WEB-INF).

2. Locate the antiClickJackingEnabled property in the webAppSecurityFilter bean, and set it to true. Setting this property to true instructs JasperReports Server to include an X-Frame-Options header in every response.

3. You can also set the antiClickJackingOption property to control the header value. Valid values are:

  •   DENY - JasperReports Server does not load into any iframe.
  •   SAMEORIGIN - JasperReports Server only loads into an iframe on a page in the same domain as JasperReports Server.
  •   ALLOW-FROM - JasperReports Server only loads in a frame on the page specified by the antiClickJackingUri property.

4. If you set the antiClickJackingOption property to ALLOW-FROM, also be sure to set the antiClickJackingUri property to a valid URI.

5. Save the file and restart the server.

NOTE: Take a backup of the applicationContext-security-web.xml file before making changes.
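The steps above describe the edit but not how to confirm it took effect. The following script is an added example, not code from JasperReports Server, Broadcom or CA Spectrum. It reads a copy of applicationContext-security-web.xml, pulls the webAppSecurityFilter bean's properties and checks the three settings from steps 2 to 4 (enabled flag set to true, a valid antiClickJackingOption, ALLOW-FROM paired with an antiClickJackingUri), then evaluates the X-Frame-Options header returned by the restarted server. It assumes the bean uses standard Spring `<property name="..." value="..."/>` elements; the embedded sample XML, its bean class attribute and the sample headers are constructed placeholders, not the real file or server.

```python
"""Added example: verify the JasperReports Server anti-clickjacking settings.

Not JasperReports Server / Spring code.  Assumption: the webAppSecurityFilter
bean is a plain Spring bean whose settings are <property name=".." value=".."/>
children; the class attribute in SAMPLE_CONFIG is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.request import urlopen

VALID_OPTIONS = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}

# Constructed sample of the relevant bean (placeholder class name), shaped like
# the file would look after steps 2 and 3 with SAMEORIGIN chosen.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="webAppSecurityFilter" class="PLACEHOLDER.WebAppSecurityFilter">
    <property name="antiClickJackingEnabled" value="true"/>
    <property name="antiClickJackingOption" value="SAMEORIGIN"/>
  </bean>
</beans>
"""


def bean_properties(xml_text, bean_id="webAppSecurityFilter"):
    """Return {property name: value} for the named Spring bean.

    The {*} wildcard matches the element whether or not the file declares
    the Spring beans namespace as default.
    """
    root = ET.fromstring(xml_text)
    for bean in root.iterfind(".//{*}bean"):
        if bean.get("id") == bean_id:
            return {p.get("name"): p.get("value")
                    for p in bean.iterfind("{*}property")}
    raise ValueError(f"bean {bean_id!r} not found")


def check_config(props):
    """Apply steps 2-4 to the bean properties; return findings ([] means OK).

    FAIL entries mean the protection is off or misconfigured; WARN entries
    mean it is configured but weaker than it looks.
    """
    findings = []
    if (props.get("antiClickJackingEnabled") or "false").lower() != "true":
        findings.append("FAIL: antiClickJackingEnabled is not true; "
                        "no X-Frame-Options header will be sent")
    option = props.get("antiClickJackingOption")
    if option is not None and option not in VALID_OPTIONS:
        findings.append(f"FAIL: antiClickJackingOption {option!r} is not "
                        "DENY, SAMEORIGIN or ALLOW-FROM")
    if option == "ALLOW-FROM":
        uri = (props.get("antiClickJackingUri") or "").strip()
        if not uri.startswith(("http://", "https://")):
            findings.append("FAIL: ALLOW-FROM requires antiClickJackingUri "
                            "set to an absolute http(s) URI")
        else:
            # ALLOW-FROM is obsolete: Chromium-based browsers and Safari never
            # honoured it and Firefox dropped it, so those browsers get no
            # framing restriction at all from this header value.
            findings.append("WARN: ALLOW-FROM is ignored by current browsers; "
                            "prefer SAMEORIGIN or CSP frame-ancestors")
    return findings


def check_xfo_header(headers):
    """Classify one response's X-Frame-Options header (names case-insensitive).

    Returns DENY, SAMEORIGIN, ALLOW-FROM, INVALID, or MISSING when absent.
    """
    value = None
    for name, val in headers.items():
        if name.lower() == "x-frame-options":
            value = val.strip().upper()
    if value is None:
        return "MISSING"
    if value in ("DENY", "SAMEORIGIN"):
        return value
    if value.startswith("ALLOW-FROM "):
        return "ALLOW-FROM"
    return "INVALID"


def live_check(url):
    """Post-restart check against the real server (needs network access)."""
    with urlopen(url) as resp:
        return check_xfo_header(dict(resp.getheaders()))


if __name__ == "__main__":
    props = bean_properties(SAMPLE_CONFIG)
    print("config:", check_config(props) or "OK")
    # Constructed header sets standing in for a fixed and an unfixed server.
    print("fixed server  ->", check_xfo_header({"X-Frame-Options": "SAMEORIGIN"}))
    print("unfixed server->", check_xfo_header({"Content-Type": "text/html"}))
```

Against the real installation, call `bean_properties(open(path).read())` with the path from step 1 before restarting, and after the restart run `live_check("https://<host>/jasperserver-pro/login.html")` (or `curl -sI` on the same URL) and expect DENY or SAMEORIGIN. The script reports ALLOW-FROM as a warning rather than a pass because current browsers ignore that value; if a report must be framed from a specific external page, SAMEORIGIN plus a Content-Security-Policy frame-ancestors directive at the reverse proxy is the option that browsers actually enforce.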