0

I have a Spring MVC app, deployed to Apache Tomcat. One of the pages must show a PDF file generated with the iText PDF library.

So I've added an object tag to the JSP file:

<object data="<c:url value="/view-pdf" />"></object>

And I have a method inside the controller that handles this URL:

@RequestMapping(value = "/view-pdf", method = RequestMethod.GET)
protected void viewPdf(HttpServletResponse response) throws IOException, DocumentException {

    ServletOutputStream out = response.getOutputStream();

    //generate pdf here
    Document document = new Document();
    PdfWriter.getInstance(document, out);
    document.setPageSize(PageSize.A4);
    document.open();
    document.add(new Paragraph("Hello, World"));
    document.close();

    out.close();    
}

Now, when I open the page where the PDF should be shown, it doesn't show the PDF file. The Chrome console displays this error:

Refused to display 'http://localhost:8080/MyApp/view-file' in a frame because it set 'X-Frame-Options' to 'deny'.

And it is possible to access the PDF when typing the http://localhost:8080/MyApp/view-pdf URL directly in the address bar. So there are no problems with PDF generation.

Some answers here suggested adding these lines to the web.xml file:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>http://localhost:8080/MyApp/*</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

I did so, but it had no effect at all. What am I doing wrong here? How can I avoid this error?

My Spring version is 5.0.4.RELEASE, Tomcat version is 8.0.48.

saidfagan

2 Answers

1

At issue is the 'X-Frame-Options' response header in Spring Security. Check your Spring Security config, because by default it's set to deny for security reasons. See the link below for the options to supply.

How to disable 'X-Frame-Options' response header in Spring Security?

salah-1
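One way to apply the answer above without dropping clickjacking protection for the whole application, as an added example that is not code from the question or from either answer. It assumes the app uses Spring Security Java configuration (the page does not show its config); the class name `FrameOptionsSecurityConfig` is hypothetical, and `/view-pdf` is the endpoint from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical configuration class; merge the headers() section into the app's existing one.
@Configuration
@EnableWebSecurity
public class FrameOptionsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only the PDF endpoint from the question may be framed, and only by same-origin pages.
        RequestMatcher pdfEndpoint = new AntPathRequestMatcher("/view-pdf", "GET");

        HeaderWriter sameOriginForPdf = new DelegatingRequestMatcherHeaderWriter(
                pdfEndpoint,
                new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));

        // Every other URL keeps the default DENY behaviour.
        HeaderWriter denyEverywhereElse = new DelegatingRequestMatcherHeaderWriter(
                new NegatedRequestMatcher(pdfEndpoint),
                new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY));

        http.headers()
                // Turn off the built-in writer so the two path-scoped writers below
                // are the only source of X-Frame-Options. Stopping at disable() would
                // be the weak variant: no frame protection on any response.
                .frameOptions().disable()
                .addHeaderWriter(sameOriginForPdf)
                .addHeaderWriter(denyEverywhereElse);

        // Broader alternative: http.headers().frameOptions().sameOrigin();
        // this allows same-origin framing of every page, not just the PDF.

        // The application's own authorizeRequests()/login rules (not shown on the
        // page) stay in this method alongside the headers() section.
    }
}
```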
0

What about changing the viewPdf method to this:

@RequestMapping(value = "/view-pdf", method = RequestMethod.GET)
protected void viewPdf(HttpServletResponse response) throws IOException, DocumentException {

    ServletOutputStream out = response.getOutputStream();
    // The next line could fix your problem
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    //generate pdf here
    Document document = new Document();
    PdfWriter.getInstance(document, out);
    document.setPageSize(PageSize.A4);
    document.open();
    document.add(new Paragraph("Hello, World"));
    document.close();

    out.close();    
}
  • Perhaps you have to set the X-Frame-Options header in the method that leads the user to the js with the ``-Tag – Apr 03 '18 at 07:39
  • It didn't work, unfortunately. I can see the X-Frame-Options header set to SAMEORIGIN in Chrome DevTools. But it still gives the same error. – saidfagan Apr 03 '18 at 08:51
  • And I've tried showing a PDF in an empty demo application. Got no errors. So it looks like there is a problem with the app's configuration. I will try to dig deeper. – saidfagan Apr 03 '18 at 08:53