Embed bonita page in an iframe

1
+1
-1

I'm trying to embed a bonita workflow in an iFrame but the server is refusing because X-Frame-Options is set to 'SAMEORIGIN'.

I've developed a custom frontend that incorporates bonita flow in an iframe. They are running on the same host but the port is different (:5000 and :8080).

The X-Frame-Options was not a problem when developing and launching bonita process through bonita studio but, I'm trying now to deploy it in JBoss (I'm using JBoss bundle provided by bonitasoft) and I'm getting this error.

I've tried to add the header in JBoss but it only got worst because of a duplicate header and the browser falls back to 'DENY'.

Can anyone tell me where is this header set and to override / delete it?

Also thought of using nginx to override this request but I don't know if is possible.

Thank you

1 answer

1
+1
-1
This one is the BEST answer!

Hi henriqg,

This behaviour is due to new security enforcement implementations that we are putting in place in our product. For instance, the X-Frame-Options is set to SAMEORIGIN in order to avoid clickjaking attacks. There is a way to deactivate this check, it is in the web.xml file in where we specify all our filters.

Be careful: by deactivating this filter you will also loose three more security HTTP headers: X-XSS-Protection, X-WebKit-CSP, X-Content-Type-Options ( each of them related to a specific security threat ).

For a jbos bundle you can find it under *server\default\deploy\bonita-all-in-one-6.3.0-SNAPSHOT.ear\bonita.war\WEB-INF* And it is enough to comment-out the section:

<filter>
        <filter-name>SecurityFilter</filter-name>
        ...
    </filter>

Re-start the bundle and it will work.

Let us know if it is ok and keep in mind that you will certainly be more exposed to certain kind of web threats.

UPDATE: as well noticed by henriqg, it is important to comment-out also the filter mapping part:

   <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/portal/homepage</url-pattern>
        <url-pattern>/login.jsp</url-pattern>
    </filter-mapping>

Cheers

Comments

Submitted by henriqg on Wed, 04/16/2014 - 18:57

Hi,

Yup, that did the trick. That filter also appeared in other place in web.xml ( /login ) and had to comment it also. I understand the security issue involved in doing this but it will be run in-house and, in prod environment, bonita will be in the same host / port so... This is just for testing :)

Thank you

Submitted by jack.a.rider on Mon, 05/26/2014 - 12:33

Thanks, this save my day.

Submitted by rmorrise on Tue, 12/09/2014 - 22:13

Fabio,

Thanks for this answer. Is it possible to add an enhancement to make the X-Frame-Options header customizable so that we don't lose the other functionality that you mentioned here? We would like to be able to use an ALLOW-FROM value for this header. Currently, it looks like we will need a rule to modify the response header in a proxying server if we want this behavior.

Submitted by fabio.lombardi on Wed, 12/10/2014 - 12:00

Hi rmorrise,

Thanks for your suggestion and I can confirm you that it is a point that we have already discussed internally. We will try to improve the filter according to our priorities. Stay tuned.

Submitted by ansoumana.cisse on Tue, 07/21/2015 - 16:58

Hi , am trying to persist my custum page on bonita portail. but when i stop my bonita engine i lost all the custom profiles which i had create. how can i resolve this issues? cheers

Notifications