
Currently, I'm working on a Vaadin project where I'm working on preventing clickjacking attacks on the project. After searching for a solution, I've found that adding the following snippet to web.xml would work:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping> 
    <filter-name>httpHeaderSecurity</filter-name> 
    <url-pattern>/*</url-pattern>
</filter-mapping>

I've added the following dependency to pom.xml:

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-catalina</artifactId>
    <version>9.0.2</version>
</dependency>

I'm running the project on a Payara server.

The project runs but throws the following error:

Caused by: java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter not found by org.glassfish.main.web.core [69]
    at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1532)
    at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:75)
    at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1955)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.core.ApplicationFilterConfig.loadFilterClass(ApplicationFilterConfig.java:283)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:253)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:123)
    ... 50 more

Which means my solution for preventing clickjacking attacks won't work :)

Any help will be appreciated :).

  • For me it looks like you are mixing Tomcat and Glassfish; probably this won't work together – André Schild Dec 08 '17 at 17:36
  • There are at least two ways of doing this with Vaadin. We have tested both and currently use the Apache configuration. Please see https://stackoverflow.com/questions/45321503/preventing-clickjacking-attack-by-vaadin – Jukka Nikki Dec 09 '17 at 10:35
  • Yeap, I found it before, but I was just thinking whether it would be possible with some configuration in web.xml :) . Btw, what is the solution using the Apache configuration? – Farhan Nazmul Dec 11 '17 at 11:09

1 Answer

I've solved this in the following way using web.xml:

First, I created the following filter:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackingPreventionFilter implements Filter
{
    // Default framing policy; can be overridden with the "mode" init-param in web.xml.
    private String mode = "DENY";

    // Add the X-FRAME-OPTIONS response header to tell browsers not to display this
    // content in a frame on other sites.
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        // The header must be set before the response is committed, i.e. before the chain runs.
        res.addHeader("X-FRAME-OPTIONS", mode);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Read the configured mode (e.g. DENY or SAMEORIGIN) from the filter's init-param.
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}

Then I configured it in web.xml like the following:

<filter>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <filter-class>com.groupbuilder.preventclickjacking.ClickjackingPreventionFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ClickjackPreventionFilterDeny</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
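A hardened variant of the filter above, added here as an example and not part of the original answer: it rejects a misspelled `mode` init-param at deployment instead of emitting a value browsers ignore, uses `setHeader` so the response never carries two conflicting `X-Frame-Options` values, and also emits the standardized `Content-Security-Policy: frame-ancestors` directive when the application has not set its own CSP. The class name `FrameOptionsFilter` is hypothetical; it targets the `javax.servlet` API used by the answer.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; not from the original answer.
public class FrameOptionsFilter implements Filter {
    // Only these two X-Frame-Options values are widely honoured; ALLOW-FROM is obsolete.
    private static final Set<String> ALLOWED_MODES =
        new HashSet<>(Arrays.asList("DENY", "SAMEORIGIN"));
    private String mode = "DENY";

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String configured = cfg.getInitParameter("mode");
        if (configured != null) {
            String normalized = configured.trim().toUpperCase();
            // Fail closed: a typo such as "DENNY" would otherwise ship a header browsers ignore.
            if (!ALLOWED_MODES.contains(normalized)) {
                throw new ServletException("Unsupported X-Frame-Options mode: " + configured);
            }
            mode = normalized;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) resp;
            // setHeader replaces any earlier value; addHeader could leave two conflicting ones.
            res.setHeader("X-Frame-Options", mode);
            // frame-ancestors supersedes X-Frame-Options in browsers that support CSP.
            // Only set it when the application has not already emitted its own policy.
            if (!res.containsHeader("Content-Security-Policy")) {
                String ancestors = "DENY".equals(mode) ? "'none'" : "'self'";
                res.setHeader("Content-Security-Policy", "frame-ancestors " + ancestors);
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

Map it with the same `<filter-mapping>` on `/*` as the answer's filter; if the application already sets a `Content-Security-Policy`, merge `frame-ancestors` into that policy rather than relying on the fallback here.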