How to set X-Frame-Options on the portal rest-api (V7.2.11)

Hi there,

We have a CUBA Application that contains a legacy ‘portal’ rest API.

When we upgraded the application to V7.2.11 (from v6) the X-Frame-Options switched from ‘SAME-ORIGIN’ to ‘DENY’.

Previously we used to set the parameter in the server.xml file, but this setting is no longer available.

We have tried multiple options to change the parameter, including the solution suggested here in the portal spring dispatcher: How to modify X-Frame-Options value for idp pages?

Everything we do either gets overridden by the built-in Spring Security settings or breaks the Rest API entirely.

Can you shed any light on how this can be done?

Thanks

Sharon

Hi,
Can you describe in more detail what a “legacy portal rest API” is?
If you prepare a small sample project where the problem is reproduced, it will be much easier to look for a solution.

Hi Alexander,

It’s an instance of the Rest API add-in from when it was first introduced. They were all called ‘portal’ back then.

I can’t create a new project because I no longer have the old version of CUBA installed on my laptop and the one with the issue is huge.

However, I can send you copies of our configuration settings.

This is what is in portal-app.properties:

###############################################################################
# Configuration
###############################################################################

cuba.springContextConfig = +com/ekm4/taas/portal-security-spring.xml com/ekm4/taas/portal-spring.xml

cuba.dispatcherSpringContextConfig = +com/ekm4/taas/portal-dispatcher-spring.xml
cuba.persistenceConfig = +com/ekm4/taas/persistence.xml
cuba.metadataConfig = +com/ekm4/taas/metadata.xml
cuba.viewsConfig = +com/ekm4/taas/views.xml

cuba.rest.servicesConfig = +com/ekm4/taas/rest-services.xml
cuba.rest.queriesConfig = +com/ekm4/taas/rest-queries.xml

cuba.restSpringContextConfig = +com/ekm4/taas/rest-dispatcher-spring.xml
cuba.mainMessagePack = +com.ekm4.taas.portal
cuba.portal.theme = default

cuba.portal.anonymousUserLogin = admin
cuba.trustedClientPassword = deprecated
cuba.anonymousSessionId = deprecated

###############################################################################
# Names and Directories
###############################################################################

# Middleware connection
cuba.connectionUrlList = http://localhost:8080/app-core

# Set to false if the middleware works on different JVM
cuba.useLocalServiceInvocation = true

# URL
cuba.webContextName = app-portal
cuba.availableLocales = English|en
cuba.localeSelectVisible = false
cuba.restApiUrl = http://localhost:8080/app-portal/api
cuba.webAppUrl = http://localhost:8080/app
cuba.webPort = 8080

# Rest API Login security
cuba.rest.client.id = deprecated
cuba.rest.client.secret = {noop}deprecated
cuba.rest.responseView=false
cuba.rest.responseViewEnabled=false
cuba.rest.securityScope=GENERIC_UI

cuba.rest.optimisticLockingEnabled = true

Attached is portal-dispatcher-spring.xml. The HTTP block in there is one of several manifestations we have tried, and none of them has had any effect.

portal-dispatcher-spring.xml (760 Bytes)
portal-security-spring.xml (863 Bytes)

I think it will work if you add the XML snippet mentioned in this answer: java - How to disable 'X-Frame-Options' response header in Spring Security? - Stack Overflow

<security:http>
    <security:headers>
        <security:frame-options disabled="true"></security:frame-options>
    </security:headers>
</security:http>

to one of the files: com/ekm4/taas/portal-security-spring.xml, com/ekm4/taas/portal-spring.xml, com/ekm4/taas/portal-dispatcher-spring.xml or com/ekm4/taas/rest-dispatcher-spring.xml

I am not sure I understand. You are saying it worked with the old CUBA, and you are having problems with the new CUBA version. New CUBA version should be available, right?

Hi we fixed it.

It needed a few more settings in portal-dispatcher-spring.xml in addition to the example.

Thanks for the help.

Sharon

Here is the final version in case it can help someone else:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security">
    <mvc:annotation-driven/>
    <mvc:view-controller path="/maintain"/>
    <context:component-scan base-package="com.ekm4.application.portal.controllers"/>
    <context:component-scan base-package="com.haulmont.cuba.restapi"/>
    <!-- Static resources -->
    <mvc:resources mapping="/**" location="/application/" cache-period="0"/>
    <sec:http auto-config="true" pattern="/rest/v2/files/**">
        <sec:headers>
            <sec:frame-options policy="SAMEORIGIN"/>
        </sec:headers>
        <sec:csrf disabled="true"/>
    </sec:http>
</beans>
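After a change like the one above, it is worth confirming what the portal actually sends, because the two fixes discussed in this thread are not equivalent: `policy="SAMEORIGIN"` keeps clickjacking protection against other origins, while the earlier `disabled="true"` suggestion removes the X-Frame-Options header altogether. The following script is an added example for this thread, not CUBA or Spring code; it parses HTTP response headers, classifies the framing policy, and can be pointed at a URL of your choosing (the `cuba.restApiUrl` value from the properties file is one candidate). The sample responses at the bottom are constructed, not captured from a real server.

```python
"""Classify the clickjacking protection carried by an HTTP response.

Added example for the forum thread above (not CUBA or Spring code).
"""
import urllib.error
import urllib.request
from typing import Dict, Optional

# Values accepted for this portal: both block framing from other origins.
ACCEPTED = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head (status line plus headers) into a
    dict keyed by lower-cased header name. Folded continuation lines are not
    handled; the first blank line ends the header block."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def frame_policy(headers: Dict[str, str]) -> Optional[str]:
    """Return the X-Frame-Options value upper-cased, or None if absent.
    Lookup is case-insensitive so captured and parsed headers both work."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-frame-options")
    return value.strip().upper() if value is not None else None


def assess(headers: Dict[str, str]) -> str:
    """Classify a response:
    'ok'       X-Frame-Options is DENY or SAMEORIGIN
    'csp-only' no X-Frame-Options, but CSP frame-ancestors is present
    'missing'  neither header present: framing protection has been removed
    'unknown'  some other value (e.g. the legacy ALLOW-FROM form)
    """
    policy = frame_policy(headers)
    if policy in ACCEPTED:
        return "ok"
    if policy is None:
        lowered = {k.lower(): v for k, v in headers.items()}
        csp = lowered.get("content-security-policy", "")
        return "csp-only" if "frame-ancestors" in csp else "missing"
    return "unknown"


def check_url(url: str, timeout: float = 5.0) -> str:
    """Fetch a URL and classify its framing policy. Requires network access;
    the URL is an assumption supplied by the caller. Error responses still
    carry headers, so they are classified rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return assess(dict(err.headers.items()))


# Constructed sample responses (not captured from a real server).
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
)
RESPONSE_DISABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
)

if __name__ == "__main__":
    samples = (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER),
               ("disabled", RESPONSE_DISABLED))
    for label, raw in samples:
        hdrs = parse_raw_headers(raw)
        print(f"{label:9s} X-Frame-Options={frame_policy(hdrs)} -> {assess(hdrs)}")
```

Run it against the portal with `check_url("http://localhost:8080/app-portal/api/...")` (substituting a real endpoint) once before and once after the Spring change; the expected outcome for this thread is a move from DENY to SAMEORIGIN, both reported as `ok`, whereas a result of `missing` means the header was dropped rather than relaxed.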