
I want to set the http headers for x-frame options and Strict-Transport-Security in jboss 6.1.0.

I have been searching for the proper configuration file to add these headers. I am able to see some procedures for jboss 6.4 and jboss 7, but I didn't get anything for jboss 6.1.

Configure Http Headers in JBoss EAP 7

This is in jboss 7; I need to do the same for jboss 6.1.

I have tried a lot to identify the proper configuration changes needed for this in jboss 6.1, but am helpless.

Please let me know if someone is aware of doing this in jboss 6.1.

Thanks in advance.

Suman
  • I was able to do this by adding a filter and setting the response, but only for a valid context root. I have the context root for JBoss as '/jbossadmin'. Now I want to add these headers for the other URLs (invalid context roots) too. For example, if I do a curl -i http://ip:port without /jbossadmin/, I will get a 404 Not Found; here also I need to add the headers. HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 X-Powered-By: Servlet/3.0; JBossAS-6 Content-Length: 0 Date: Wed, 31 Jul 2019 06:49:06 GMT Is there any option to configure these headers to add them in an invalid context? Thanks. – Suman Jul 31 '19 at 08:58

2 Answers


If you are using Apache HTTPD as a proxy to JBoss, it is very easy to add all these headers using the Header directive. Otherwise you can set all these headers in a custom filter and place in the corresponding web application’s lib folder.

  • I have tried adding these headers in a custom filter, placed it in lib and mapped it in XML, but still couldn't see any headers added. I am getting only a response like this: HTTP/1.1 404 Not Found – Suman Jul 27 '19 at 12:23
  • The headers are being added for the valid context root only. I have the context root for JBoss as '/jbossadmin'. Now I want to add these headers for the other URLs also – Suman Jul 31 '19 at 07:03
  • The headers are being added for the valid context root only. I have the context root for JBoss as '/jbossadmin'. Now I want to add these headers for the other URLs also. For example, if I do a curl -i http://ip:port without /jbossadmin/, I will get a 404 Not Found; here I need to add the headers. HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 X-Powered-By: Servlet/3.0; JBossAS-6 Content-Length: 0 Date: Wed, 31 Jul 2019 06:49:06 GMT Is there any way to add the headers for these other URLs? – Suman Jul 31 '19 at 07:16

This answer is present in RedHat Knowledgebase. As it requires RedHat credentials, I'm posting the same answer here.

Solution:

A servlet filter can be used to add the additional HTTP header to the response. Below is an example filter which uses the Servlet 3.0 @WebFilter annotation. Using the annotation means web.xml does not need to be configured to enable the filter.

/*
 *  This is a sample servlet filter to set "X-Frame-Options" http header to 
 *  http response. 
 */

package com.redhat.jboss.support;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.annotation.WebFilter;

@WebFilter("/*")
public class AddCustomHeaderFilter implements Filter {

    /**
     * Take this filter out of service.
     */
    public void destroy() {
    }

    /**
     * @param request The servlet request we are processing
     * @param response The servlet response we are creating
     * @param chain The filter chain we are processing
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {

      ((HttpServletResponse)response).setHeader("X-Frame-Options", "SAMEORIGIN"); 
      chain.doFilter(request, response);

    }


    /**
     * Place this filter into service.
     *
     * @param filterConfig The filter configuration object
     */
    public void init(FilterConfig filterConfig) throws ServletException {
    }

}
  • After compiling AddCustomHeaderFilter.java, a package named com.redhat.jboss.support will be created containing AddCustomHeaderFilter.class.
  • Create a jar for AddCustomHeaderFilter.class using the following command. It will generate a jar named AddCustomHeaderFilter.jar:

    jar -cvf AddCustomHeaderFilter.jar com

  • Put this jar in your Web application's WEB-INF/lib folder. It will enable the Servlet filter in the web application.

NOTE: The example given in the AddCustomHeaderFilter.java class is for "SAMEORIGIN". The possible values for X-Frame-Options are listed below:

  1. DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
  2. SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
Abhijeet
  • Thanks @Abhijeet, I was trying the same. The headers are being added for the valid context root only. I have the context root for JBoss as '/jbossadmin'. Now I want to add these headers for the other URLs also. For example, if I do a curl -i http://ip:port without /jbossadmin/, I will get a 404 Not Found; here I need to add the headers. HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 X-Powered-By: Servlet/3.0; JBossAS-6 Content-Length: 0 Date: Wed, 31 Jul 2019 06:49:06 GMT Is there any way to add the headers for these other URLs? – Suman Jul 31 '19 at 07:20
  • @Suman The above solution is for JBoss EAP 6. Which JBoss are you using, EAP or AS? And can you please elaborate on your new question? You can add an update to your existing question – Abhijeet Jul 31 '19 at 07:24
  • @Suman If I'm understanding your question correctly, my answer will give you updated headers only for a valid context root, but you want to update headers for an invalid context root as well. Am I right? – Abhijeet Jul 31 '19 at 07:32
  • Yes Abhijeet, you were correct. I want to see the updated headers for an invalid context as well. – Suman Jul 31 '19 at 08:41
  • We tried this solution and ended up with some deployment exceptions. But according to this post https://stackoverflow.com/questions/26975994/why-is-my-tomcat-valve-not-being-invoked the valve will be called only if the context root is correct, so I think it will be the same problem again. – Suman Jul 31 '19 at 11:32
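
A variant of the filter in the answer above that sets both headers named in the question, written as an added example and not taken from the Red Hat article or from either answer. The package, class name, init-parameter names and the one-year max-age are assumptions; as the comments in this thread note for the original filter, it only sees requests that reach the web application it is packaged in.

```java
package com.example.security; // hypothetical package name (assumption)

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class SecurityHeadersFilter implements Filter {

    // Defaults; both can be overridden by optional filter init-params
    // (parameter names are hypothetical).
    private String frameOptions = "SAMEORIGIN";
    private long hstsMaxAgeSeconds = 31536000L; // one year, constructed value

    public void init(FilterConfig cfg) throws ServletException {
        String fo = cfg.getInitParameter("frameOptions");
        if (fo != null) {
            // Reject anything other than the two values listed in the answer.
            if (!"DENY".equals(fo) && !"SAMEORIGIN".equals(fo)) {
                throw new ServletException("Unsupported X-Frame-Options: " + fo);
            }
            frameOptions = fo;
        }
        String age = cfg.getInitParameter("hstsMaxAgeSeconds");
        if (age != null) {
            try {
                hstsMaxAgeSeconds = Long.parseLong(age.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("hstsMaxAgeSeconds must be a number", e);
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set headers before chain.doFilter(): once the response is
            // committed, setHeader() calls are ignored.
            http.setHeader("X-Frame-Options", frameOptions);
            // Browsers ignore HSTS received over plain HTTP, so send it only
            // on TLS requests. Assumes TLS terminates at JBoss; behind a
            // TLS-terminating proxy isSecure() may return false.
            if (request.isSecure()) {
                http.setHeader("Strict-Transport-Security",
                               "max-age=" + hstsMaxAgeSeconds);
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```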