
I'd like to embed some Axon.ivy workflow screens, such as a task list, in my existing web application. My idea was to use an iframe. How can I do this in a secure way?

asked 17.11 at 07:23


SupportIvyTeam ♦♦


Secure Headers

By default an Axon.ivy engine will block requests that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in [designerORengine]/webapps/ivy/WEB-INF/web.xml.

[image: default config]

Where to configure secure headers

Security headers are normally configured on a front-end webserver such as NginX or IIS. The policies are then enforced by the web browser of the client (at least on modern browsers). We definitely recommend setting headers such as the Content-Security-Policy or X-Frame-Options on a front-end webserver, not on the embedded ivy Tomcat. However, this tutorial tells you how to deal with these headers if you do not have a front-end webserver.


Allow a single domain access

To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows:

<init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
    <param-name>antiClickJackingUri</param-name>
    <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value>
</init-param>

This will set the HTTP response header X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com.

Enable the content-security-policy

Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore access from any domain is possible when the client uses Chrome.

[image: chromeIgnoreXFrameOpts]

To restrict it for modern Browsers the HTTP response header Content-Security-Policy has to be set as well. This can be achieved with a ContentSecurityPolicyFilter. Copy the JAR with this filter into [designerORengine]/webapps/ivy/WEB-INF/lib. Afterwards the filter can be added and configured in the web.xml.

<filter-mapping>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class>
    <init-param>
        <param-name>report-only</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>default-src</param-name>
        <param-value>'self' 'unsafe-inline'</param-value>
    </init-param>
    <init-param>
        <param-name>frame-ancestors</param-name>
        <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value>
    </init-param>
</filter>

Verify the solution

Trying to embed Axon.ivy in an IFRAME from a domain that is not whitelisted should end in a clear error in the browser console, and no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header Content-Disposition-Policy: frame-ancestors https://myParentDomain.com should be visible.

[images: cspBlockFirefox, cspBlockChrome]

Full Web.xml:

<filter-mapping>
    <filter-name>httpSecurityHeaders</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
    <filter-name>httpSecurityHeaders</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>


<filter-mapping>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class>
    <init-param>
        <param-name>report-only</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>default-src</param-name>
        <param-value>'self' 'unsafe-inline'</param-value>
    </init-param>
    <init-param>
        <param-name>frame-ancestors</param-name>
        <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value>
    </init-param>
</filter>

answered 17.11 at 07:23


Reguel Werme... ♦♦

edited 20.11 at 06:29
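As an added example (not code from the answer above or from the Axon.ivy project), the following Python evaluator applies the two anti-framing headers the answer configures, X-Frame-Options and the CSP frame-ancestors directive, to constructed response headers so you can check what a given parent origin is allowed to do. The `chromium` flag models the ALLOW-FROM gap the answer describes (Chromium never implemented ALLOW-FROM and drops the whole header); all function names and the self-origin are my own assumptions.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Normalise a URL to its lower-cased scheme://host[:port] origin."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source, parent, self_origin):
    """Match one frame-ancestors source expression against a parent origin.
    Covers 'none', 'self', '*', a full origin and a *.host wildcard only."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent == self_origin
    if src == "*":
        return True
    p = urlsplit(parent)
    if "://" in src:                      # full origin: scheme must match too
        s = urlsplit(src)
        if s.scheme != p.scheme:
            return False
        host = s.netloc
    else:
        host = src
    if host.startswith("*."):
        return p.netloc.endswith(host[1:])
    return p.netloc == host


def frame_ancestors_allows(csp, parent, self_origin):
    """True/False per the frame-ancestors directive, None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return any(source_matches(t, parent, self_origin) for t in tokens[1:])
    return None


def xfo_allows(xfo, parent, self_origin, chromium):
    """True/False per X-Frame-Options, None when the browser ignores the header."""
    tokens = xfo.split()
    value = tokens[0].upper() if tokens else ""
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return parent == self_origin
    if value == "ALLOW-FROM" and len(tokens) == 2:
        # Chromium drops an ALLOW-FROM header entirely, so it imposes no limit there.
        return None if chromium else origin_of(tokens[1]) == parent
    return None


def embedding_allowed(headers, parent_url, self_url, chromium=False):
    """Decide whether a page served with these headers may be framed by parent_url."""
    parent, self_origin = origin_of(parent_url), origin_of(self_url)
    if headers.get("Content-Security-Policy"):
        verdict = frame_ancestors_allows(headers["Content-Security-Policy"], parent, self_origin)
        if verdict is not None:           # frame-ancestors overrides X-Frame-Options
            return verdict
    if headers.get("X-Frame-Options"):
        verdict = xfo_allows(headers["X-Frame-Options"], parent, self_origin, chromium)
        if verdict is not None:
            return verdict
    return True                           # no effective header: anyone may frame the page


# Constructed headers mirroring the two configurations from the answer (sample data).
PARENT = "http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com"
XFO_ONLY = {"X-Frame-Options": f"ALLOW-FROM {PARENT}"}
WITH_CSP = dict(XFO_ONLY, **{"Content-Security-Policy":
                             f"default-src 'self' 'unsafe-inline'; frame-ancestors {PARENT}"})
```

Note that with the frame-ancestors list from the answer the engine's own origin is not whitelisted, so same-origin framing is blocked as well unless 'self' is added.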
