I have added the below code snippet in my tomcat web.xml to prevent clickjacking.
In the section to add the built-in filter, I have added:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
For the filter-mapping part I have added:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
After editing and making these two changes, the test page (an HTML page where I am trying to open the target page in <frame>) passes (it is not able to open the target page inside frames).
But the apache welcome page gives 404 with the new changes.
Please let me know if I am missing anything.
I also had this issue with tomcat7 and the exact same filter.
The first thing you should do is check the tomcat logs under CATALINA_BASE/logs/. Locate and open localhost.YYYY-MM-DD.log; there you should find the cause for the error.
In my log file I had this error:
SEVERE: Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
I then found out that the HttpHeaderSecurityFilter was newly added in Tomcat Version 7.0.63 (see here) but I was running version 7.0.52 (the one that comes with Ubuntu 14.04 LTS).
I resolved the issue by installing the newest Tomcat version and now the filter works as expected.
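A small check script, added here as an example and not part of either post, that automates the two steps the answer describes: scanning a Tomcat localhost log for a filter that failed to start (and the class it could not load), and classifying the X-Frame-Options header a deployed page actually returns. The sample log lines are constructed; the live fetch helper and host/port are assumptions for your own deployment.

```python
"""Diagnose a Tomcat HttpHeaderSecurityFilter deployment (example script)."""
import re
from http.client import HTTPConnection

# Tomcat logs these two lines when a filter's init fails; a failed filter
# stops the whole context from starting, so every URL in it returns 404.
FILTER_START_RE = re.compile(r"Exception starting filter (\S+)")
CNFE_RE = re.compile(r"java\.lang\.ClassNotFoundException: (\S+)")

# Values the antiClickJackingOption init-param can produce.
STRICT_XFO = {"DENY", "SAMEORIGIN"}


def find_failed_filters(log_text):
    """Map each filter that failed to start to the class it could not load."""
    failed = {}
    pending = None
    for line in log_text.splitlines():
        m = FILTER_START_RE.search(line)
        if m:
            pending = m.group(1)
            failed.setdefault(pending, None)
            continue
        m = CNFE_RE.search(line)
        if m and pending:
            failed[pending] = m.group(1)
            pending = None
    return failed


def check_frame_options(headers):
    """Classify the X-Frame-Options header from a (name, value) list."""
    value = None
    for name, v in headers:
        if name.lower() == "x-frame-options":
            value = v.strip().upper()
    if value is None:
        return "missing"          # filter not mapped or context not started
    if value in STRICT_XFO:
        return "ok"
    if value.startswith("ALLOW-FROM "):
        return "allow-from"       # set via antiClickJackingUri; weak browser support
    return "unrecognized"         # browsers ignore unknown values entirely


def fetch_headers(host="localhost", port=8080, path="/"):
    """Live check against a running Tomcat (assumed host/port): status, headers."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.getheaders()


# Constructed sample of the log excerpt quoted in the answer above.
SAMPLE_LOG = """Jan 01, 2016 10:00:00 AM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
"""
```

Run `find_failed_filters` over the contents of CATALINA_BASE/logs/localhost.YYYY-MM-DD.log; if it returns a class name, the Tomcat build is too old for that filter, and `fetch_headers` will show a 404 rather than the header.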