Clarity

Hi All,

I recently upgraded to 13.3. In SharePoint, the project managers have a link to Clarity. For instance, one of the PMs displays his task list via SharePoint. This is displayed in a frame on SharePoint. However, since the upgrade this no longer works. In the response header, I see that X-FRAME-OPTIONS are set to SAMEORIGIN. This is usually set in the web.xml, but it can be set in property, php, jsp, and other files. I have gone through our Tomcat and Clarity installations and cannot determine where this is set.

Response header below:

1. Cache-Control:no-cache, no-store, must-revalidate
2. Cache-Control:max-age=0
3. Cache-Control:post-check=0, pre-check=0
4. Content-Type:text/html;charset=UTF-8
5. Date:Thu, 24 Jul 2014 14:33:56 GMT
6. Server:
7. Set-Cookie:uiId=/niku/nu; Path=/
8. Transfer-Encoding:chunked
9. X-FRAME-OPTIONS:SAMEORIGIN
10. 
    
11. Thanks,
12. Ken
    

Hi All,

Any ideas here for Ken?

Thanks!

Chris

Ken Murphy wrote:

 

Hi All,

 

I recently upgraded to 13.3. In SharePoint, the project managers have a link to Clarity. For instance, one of the PMs displays his task list via SharePoint. This is displayed in a frame on SharePoint. However, since the upgrade this no longer works. In the response header, I see that X-FRAME-OPTIONS are set to SAMEORIGIN. This is usually set in the web.xml, but it can be set in property, php, jsp, and other files. I have gone through our Tomcat and Clarity installations and cannot determine where this is set.

 

Response header below:

 

1. Cache-Control:no-cache, no-store, must-revalidate
2. Cache-Control:max-age=0
3. Cache-Control:post-check=0, pre-check=0
4. Content-Type:text/html;charset=UTF-8
5. Date:Thu, 24 Jul 2014 14:33:56 GMT
6. Server:
7. Set-Cookie:uiId=/niku/nu; Path=/
8. Transfer-Encoding:chunked
9. X-FRAME-OPTIONS:SAMEORIGIN
10. 
    
11. Thanks,
12. Ken
    

Was able to get an answer from Support:

The Property X-FRAME-OPTIONS  that was introduced as part of the issue CLRT-72085(in 13.3) to address the ClickJacking attacks and this is working as per design.

If the customer does not want this property in response headers, you can disable this property by defining a property  useXframeOptions  in properties.xml as below,

<webServer capaUrl="" tenantTimeout="1440" sslType="implied"> <webServerInstance id="app" entryUrl="http://localhost"

sslEntryUrl="https://localhost:8043" port="80" enablePort="true"

sslPort="8043" enableSSLPort="false"

connectorPort="8009" context="/niku" documentRoot=""

useXframeOptions="false"/>

<webServerInstance id="nsa" entryUrl="http://localhost:8090"

sslEntryUrl="https://localhost:8093" port="8090" enablePort="true"

sslPort="8093" enableSSLPort="false"

connectorPort="8109" context="/niku" documentRoot=""

useXframeOptions="false"/>

</webServer>

Note: Please note that by disabling this feature customer may get vulnerable attacks.

The Clarity site is only accessible within our network, so we feel comfortable with this solution. However, those who allow outside access may not want use this as a solution.

Hello,

Thanks for the info !

By the way, you can see the property useXframeOptions in definition file $NIKU_HOME/xsd/properties-2002-02.xsd :

<xsd:complexType name="webServerInstanceType">...<xsd:attribute name="useXframeOptions" type="xsd:boolean" use="optional" default="true"/>...</xsd:complexType>

I have just tested it on my version (15.3.0.2) but the trick does not seem to work anymore.

The header parameter is always written on file $NIKU_HOME/tomcat-app-deploy/conf/web.xml :

<filter id="httpHeaderSecurityFilter">
 <filter-name>httpHeaderSecurityFilter</filter-name>
 <filter-class>com.niku.union.web.filter.ResponseHeaders</filter-class>
 <init-param id="httpHeaderSecurityFilterInitParam">
 <param-name>header</param-name>
 <param-value>X-FRAME-OPTIONS</param-value>
 </init-param>
 <init-param id="httpHeaderSecurityFilterInitParam2">
 <param-name>value</param-name>
 <param-value>SAMEORIGIN</param-value>
 </init-param>
 </filter>

As a workaround, I edited the following file : $NIKU_HOME/.setup/scripts/j2ee/tomcat/deploy.xml

And replaced the part with X-Frame Parameter as followed :

 <apply parent="/j2ee:web-app/j2ee:filter[@id = 'httpHeaderSecurityFilter']">
 <element name="filter-name" select="j2ee:filter-name">httpHeaderSecurityFilter</element>
 <element name="filter-class" select="j2ee:filter-class[text() = 'com.niku.union.web.filter.ResponseHeaders']">com.niku.union.web.filter.ResponseHeaders</element>
 <!--
 <element name="init-param" select="j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam']">
 <attribute name="id" value="httpHeaderSecurityFilterInitParam"/>
 </element>
 <element name="init-param" select="j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam2']">
 <attribute name="id" value="httpHeaderSecurityFilterInitParam2"/>
 </element>
 -->
 </apply>
 <!--
 <apply parent="/j2ee:web-app/j2ee:filter/j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam']">
 <element name="param-name">header</element>
 <element name="param-value">X-FRAME-OPTIONS</element>
 </apply>
 <apply parent="/j2ee:web-app/j2ee:filter/j2ee:init-param[@id = 'httpHeaderSecurityFilterInitParam2']">
 <element name="param-name">value</element>
 <element name="param-value">SAMEORIGIN</element>
 </apply>
 -->

The page header before change on CA PPM app service was :

Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: max-age=0
Cache-Control: post-check=0, pre-check=0
Content-Encoding: gzip
Content-Length: 354
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Oct 2018 10:00:19 GMT
Server: CA PPM
X-FRAME-OPTIONS: SAMEORIGIN

After change :

Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: max-age=0
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Encoding: gzip
Content-Length: 354
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Oct 2018 13:28:05 GMT
Server: CA PPM

Regards,

David

PS : I find it a bit disappointing there is no checkbox on the CSA for this feature