Issue on Ofbiz in Iframe

amalesh paul
Hello,
My name is Amalesh. I am using Apache OFBiz version 16 in my
project. For that I imported running ofbiz in to my project through Iframe.
It is not working. When I debug, the browser is not able to display the
URL because it set 'X-Frame-Options' to 'sameorigin'.
Now I want to remove the X-Frame-Options from OFBiz. How can I
change the X-Frame-Options? Or else, is there any other way to bring
OFBiz into an iframe?
Please let me know the solution for the above problem.

Thank You.

--

*Warm Regards,*
*Amalesh.R*
*9677843593.*

Re: Issue on Ofbiz in Iframe

taher
Hi Amalesh,

What do you mean by "I imported running ofbiz in to my project through
Iframe"? I'm not sure I understand what you're referring to?

Cheers,

Taher Alkhateeb

On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <[hidden email]> wrote:

> Hello,
> My name is Amalesh. I am using Apache OFBiz version 16 in my
> project. For that I imported running ofbiz in to my project through Iframe.
> It is not working. When I debug, the browser is not able to display the
> URL because it set 'X-Frame-Options' to 'sameorigin'.
> Now I want to remove the X-Frame-Options from OFBiz. How can I
> change the X-Frame-Options? Or else, is there any other way to bring
> OFBiz into an iframe?
> Please let me know the solution for the above problem.
>
> Thank You.
>
> --
>
> *Warm Regards,*
> *Amalesh.R*
> *9677843593.*
>

Re: Issue on Ofbiz in Iframe

Shubham Agrawal
Hi Amalesh,

X-Frame-Options is a security implementation which is inserted by the
server in the response header. This response header prevents any browser
from rendering a page in HTML tags like <iframe>.

According to you, X-Frame-Options is set to SameOrigin. For your case
to work, I think you can change it to ALLOW-FROM https://website-name.com

To change the X-Frame-Options in OFBiz:

1) Traverse to this file:
/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

2) Search for sameorigin.

3) Replace sameorigin with ALLOW-FROM https://website-name.com

P.S. - It is not allowed to follow such practice due to security concerns.
You should look for some other way to fulfil your task. Using an iframe is
also not recommended, as you are showing the content from the other website,
which makes it vulnerable to clickjacking attacks.

*Thanks and Regards,*
*Shubham Agrawal*
*Enterprise Software Engineer*
*Hotwax Systems Pvt Ltd*

On Wed, Apr 12, 2017 at 3:45 PM, Taher Alkhateeb <[hidden email]> wrote:

> Hi Amalesh,
>
> What do you mean by "I imported running ofbiz in to my project through
> Iframe"? I'm not sure I understand what you're referring to?
>
> Cheers,
>
> Taher Alkhateeb

Re: Issue on Ofbiz in Iframe

Deepak Dixit-3
Hi Amalesh,

If you want to render some specific view in an iframe, then you can set the
x-frame-options in the view mapping as well.

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Wed, Apr 12, 2017 at 4:30 PM, Shubham Agrawal <[hidden email]> wrote:

> Hi Amalesh,
>
> X-Frame-Options is a security implementation which is inserted by the
> server in the response header. This response header prevents any browser
> from rendering a page in HTML tags like <iframe>.
>
> According to you, X-Frame-Options is set to SameOrigin. For your case
> to work, I think you can change it to ALLOW-FROM https://website-name.com
>
> To change the X-Frame-Options in OFBiz:
>
> 1) Traverse to this file:
> /framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
>
> 2) Search for sameorigin.
>
> 3) Replace sameorigin with ALLOW-FROM https://website-name.com
>
> P.S. - It is not allowed to follow such practice due to security concerns.
> You should look for some other way to fulfil your task. Using an iframe is
> also not recommended, as you are showing the content from the other website,
> which makes it vulnerable to clickjacking attacks.
>
> *Thanks and Regards,*
> *Shubham Agrawal*
> *Enterprise Software Engineer*
> *Hotwax Systems Pvt Ltd*

Re: Issue on Ofbiz in Iframe

Aditya Sharma
Hi Amalesh,

You can also set it in the web.xml file of your component, as Apache Tomcat
already provides support for that.

Just add *HttpHeaderSecurityFilter* and then you can set these options as
a param.

<filter>
    <display-name>HttpHeaderSecurityFilter</display-name>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

Refer to:
https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html

Thanks & Regards,
Aditya Sharma
Enterprise Software Engineer
HotWax Systems Pvt. Ltd.
http://www.hotwaxsystems.com/

On Wed, Apr 12, 2017 at 4:53 PM, Deepak Dixit <[hidden email]> wrote:

> Hi Amalesh,
>
> If you want to render some specific view in an iframe, then you can set the
> x-frame-options in the view mapping as well.
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwaxsystems.com
>
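
Added example, not part of the thread or of OFBiz: a Python check that models how current browsers resolve the framing headers discussed in Shubham's and Aditya's posts. `ALLOW-FROM` is obsolete and ignored by current browsers, and the CSP `frame-ancestors` directive is the supported way to allow one named origin. The check assumes single-level embedding and full-origin sources only; every host name except website-name.com is constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port], with the scheme's default port dropped."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{u.scheme}://{u.hostname}{port}"

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_allowed(headers, page_url, parent_url):
    """True if a current browser would let parent_url frame page_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors, when present, is enforced instead of X-Frame-Options.
        return any(
            s == "*"
            or (s.lower() == "'self'" and parent == page)
            or ("://" in s and origin(s) == parent)
            for s in sources
        )
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return parent == page
    # Absent or unrecognised value. ALLOW-FROM is obsolete and falls here:
    # the header is ignored, so any origin may frame the page.
    return True

# Constructed sample values (only website-name.com comes from the thread).
OFBIZ = "https://ofbiz.example.test:8443/catalog/control/main"
PORTAL = "https://website-name.com/dashboard"
OTHER = "https://unrelated.example.test/"

if __name__ == "__main__":
    for value in ("sameorigin", "ALLOW-FROM https://website-name.com"):
        hdr = {"X-Frame-Options": value}
        print(value, framing_allowed(hdr, OFBIZ, PORTAL), framing_allowed(hdr, OFBIZ, OTHER))
```
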

Re: Issue on Ofbiz in Iframe

Jacques Le Roux
Administrator
Hi Amalesh

You might also be interested in

https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers

and

https://issues.apache.org/jira/browse/OFBIZ-6766

But please remember to rather use the user ML for such questions; see why here: http://ofbiz.apache.org/mailing-lists.html
You will get better support, and it's fairer to share with everybody.

The wider the audience, the better the answers you might get.

Thanks

Jacques


On 26/04/2017 at 06:09, Aditya Sharma wrote:

> Hi Amalesh,
>
> You can also set it in the web.xml file of your component, as Apache Tomcat
> already provides support for that.
>
> Just add *HttpHeaderSecurityFilter* and then you can set these options as
> a param.
>
> <filter>
>      <display-name>HttpHeaderSecurityFilter</display-name>
>      <filter-name>HttpHeaderSecurityFilter</filter-name>
>      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>      <init-param>
>          <param-name>antiClickJackingOption</param-name>
>          <param-value>SAMEORIGIN</param-value>
>      </init-param>
> </filter>
>
> Refer to:
> https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html
>
> Thanks & Regards,
> Aditya Sharma
> Enterprise Software Engineer
> HotWax Systems Pvt. Ltd.
> http://www.hotwaxsystems.com/