Bug 1221096

Summary: org.uberfire.ext.security.server.SecureHeadersFilter missing in web-exec-server.xml
Product: [Retired] JBoss BPMS Platform 6
Reporter: Martin Weiler <mweiler>
Component: Business Central
Assignee: Alexandre Porcelli <porcelli>
Status: CLOSED EOL
QA Contact: Radovan Synek <rsynek>
Severity: high
Priority: high
Version: 6.1.0
CC: manstis
Target Milestone: DR1
Target Release: 6.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2020-03-27 19:11:29 UTC
Type: Bug

Description Martin Weiler 2015-05-13 09:35:04 UTC
Description of problem:
To prevent Cross Frame Scripting (XFS) attacks, an additional filter has been added to the web.xml file of business-central.

The web-exec-server.xml file used when running in execution server mode does not contain this filter. Nevertheless, the REST API is exposed as a web application, which could be included in a frame by a malicious attacker, and should therefore be secured in a similar way to the default web.xml.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Rename web.xml to web-full.xml and web-exec-server.xml to web.xml (thus activating the correct web.xml)
2. Enable the RequestDumperValve
3. Start the server with the additional system property -Dorg.kie.active.profile=exec-server
4. Access http://host:port/business-central

Actual results:
No 'X-FRAME-OPTIONS' header in response

Expected results:
'X-FRAME-OPTIONS' header in response

Additional info:
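
As an added example (not part of this bug report or of the project's code), a small check that parses a captured HTTP response and reports whether the framing protection expected here is present; the two sample responses are constructed to mirror the actual and expected results above, and the CSP frame-ancestors case is included as the modern equivalent control.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real server) that mirror
# the bug's actual and expected results for http://host:port/business-central.
EXEC_SERVER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (name, value) pairs; header names are
    case-insensitive, so they are lower-cased for comparison."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_frame_protection(raw: str) -> Dict[str, object]:
    """Classify the response's protection against being framed.
    'protected'     : a single X-Frame-Options of DENY or SAMEORIGIN
    'protected-csp' : no XFO, but CSP frame-ancestors is set (modern equivalent)
    'weak'          : XFO present with an obsolete value such as ALLOW-FROM
    'ambiguous'     : conflicting XFO values, which browsers may ignore entirely
    'missing'       : neither control present (the state this bug reports)"""
    headers = parse_headers(raw)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    csp_fa = any("frame-ancestors" in v.lower()
                 for n, v in headers if n == "content-security-policy")
    if len(set(xfo)) > 1:
        status = "ambiguous"
    elif xfo and xfo[0] in ("DENY", "SAMEORIGIN"):
        status = "protected"
    elif xfo:
        status = "weak"
    elif csp_fa:
        status = "protected-csp"
    else:
        status = "missing"
    return {"status": status, "x_frame_options": xfo, "csp_frame_ancestors": csp_fa}
```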

Comment 2 Alexandre Porcelli 2015-05-19 21:32:11 UTC
PR submitted

https://github.com/droolsjbpm/kie-wb-distributions/pull/50

Comment 4 Radovan Synek 2015-09-29 13:38:53 UTC
Verified with BPMS-6.2.0.ER3