Description of problem:
To prevent Cross Frame Scripting (XFS) attacks, an additional filter has been added to the web.xml file of business-central. The web-exec-server.xml file used when running in execution server mode does not contain this filter. However, the REST API is still exposed as a web application in that mode, so it could be included in a frame by a malicious attacker, and it should therefore be secured in the same way as the default web.xml.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Rename web.xml to web-full.xml and web-exec-server.xml to web.xml (thus activating the execution-server web.xml)
2. Enable the RequestDumperValve
3. Start the server with the additional system property -Dorg.kie.active.profile=exec-server
4. Access http://host:port/business-central

Actual results:
No 'X-FRAME-OPTIONS' header in the response

Expected results:
'X-FRAME-OPTIONS' header in the response

Additional info:
PR submitted https://github.com/droolsjbpm/kie-wb-distributions/pull/50
https://github.com/droolsjbpm/kie-wb-distributions/commit/03d45b1b8
Verified with BPMS-6.2.0.ER3
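The reproduction steps above boil down to one check: does every response from business-central, in execution-server mode as well as in full mode, carry an effective framing-protection header. The following script is an added example and is not code from the kie-wb-distributions project; the two sample header sets are constructed to mirror the "actual" (no header) and "expected" (SAMEORIGIN) results of the report, and the function names are the author's own. It goes slightly beyond the report by also accepting a Content-Security-Policy frame-ancestors directive, the modern equivalent of X-Frame-Options, and by treating ALLOW-FROM as no protection, since current browsers ignore that value.

```python
"""Check HTTP response headers for clickjacking / Cross Frame Scripting protection.

Added verification example (not project code). Header names are matched
case-insensitively, so the upper-case 'X-FRAME-OPTIONS' that business-central
emits is handled the same as 'X-Frame-Options'.
"""
import sys
from typing import Mapping, Optional
from urllib.request import urlopen

# Constructed sample responses mirroring the bug report.
FULL_MODE_RESPONSE = {"Content-Type": "text/html", "X-FRAME-OPTIONS": "SAMEORIGIN"}
EXEC_SERVER_RESPONSE = {"Content-Type": "application/json"}   # header missing, as reported


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def frame_protection(headers: Mapping[str, str]) -> Optional[str]:
    """Return the effective framing protection found in the response headers.

    'DENY' or 'SAMEORIGIN'  X-Frame-Options forbids (cross-origin) framing
    'CSP'                   Content-Security-Policy frame-ancestors restricts framing
    None                    no effective protection present
    """
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return value
        # ALLOW-FROM and unrecognised values are ignored by current browsers,
        # so they do not count as protection; fall through to the CSP check.
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                # 'none', 'self' or explicit origins restrict framing; '*' does not.
                if sources and "*" not in sources:
                    return "CSP"
    return None


def is_protected(headers: Mapping[str, str]) -> bool:
    """True when the response can be considered safe against framing attacks."""
    return frame_protection(headers) is not None


def check_url(url: str) -> bool:
    """Fetch a live URL (e.g. http://host:port/business-central) and apply the check."""
    with urlopen(url) as resp:
        return is_protected(dict(resp.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against the URLs given on the command line.
        for target in sys.argv[1:]:
            print(target, "protected" if check_url(target) else "NOT protected")
    else:
        # Offline demonstration on the constructed samples.
        print("full mode        :", frame_protection(FULL_MODE_RESPONSE))
        print("exec-server mode :", frame_protection(EXEC_SERVER_RESPONSE))
```

Run without arguments it evaluates the two constructed samples; run with one or more URLs it performs the live check from step 4 of the report, which is the check to repeat after deploying the fixed web-exec-server.xml.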