I have added the below code snippet in my tomcat web.xml to prevent clickjacking.
In the section for adding built-in filters, I have added:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
For the filter-mapping part I have added:
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
After making these two changes, the test page (an HTML page where I am trying to open the target page in a <frame>) passes (it is not able to open the target page inside frames).
But the Apache welcome page gives a 404 with the new changes.
Please let me know if I am missing anything.
I also had this issue with Tomcat 7 and the exact same filter.
The first thing you should do is check the Tomcat logs under CATALINA_BASE/logs/. Locate and open localhost.YYYY-MM-DD.log; there you should find the cause of the error.
In my log file I had this error:
SEVERE: Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
I then found out that the HttpHeaderSecurityFilter was newly added in Tomcat Version 7.0.63 (see here) but I was running version 7.0.52 (the one that comes with Ubuntu 14.04 LTS).
I resolved the issue by installing the newest Tomcat version and now the filter works as expected.
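The two checks the answer above describes by hand (reading localhost.YYYY-MM-DD.log for a failed filter start, and confirming the Tomcat version is at least 7.0.63) plus the one the question is ultimately after (is X-Frame-Options actually being sent?) can be scripted. The following is an added example, not code from the question, the answer or the Tomcat project; the log excerpt and the two HTTP response header blocks are constructed to resemble the output described on the page, and the 7.0.63 threshold is taken from the answer and applied to the 7.x line only.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the SEVERE lines quoted in the answer; the
# timestamps and the stack-trace line are placeholders, not real log output.
SAMPLE_LOG = """\
Jun 01, 2016 10:15:02 AM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
\tat org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1)
Jun 01, 2016 10:15:02 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Error filterStart
"""

FILTER_RE = re.compile(r"Exception starting filter (\S+)")
CNFE_RE = re.compile(r"java\.lang\.ClassNotFoundException: (\S+)")


def find_failed_filters(log_text: str) -> List[Tuple[str, Optional[str]]]:
    """Scan a localhost.*.log and return (filter_name, missing_class) pairs.

    missing_class is None when the failure was not a ClassNotFoundException.
    A filter that fails to start prevents the whole context from deploying,
    which is why every URL in that context then answers 404.
    """
    lines = log_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = FILTER_RE.search(line)
        if not m:
            continue
        missing = None
        # The exception normally appears on one of the next few lines.
        for follow in lines[i + 1:i + 4]:
            c = CNFE_RE.search(follow)
            if c:
                missing = c.group(1)
                break
        found.append((m.group(1), missing))
    return found


# First Tomcat 7.x release that ships HttpHeaderSecurityFilter (per the answer).
MIN_7X_VERSION = (7, 0, 63)


def filter_available(server_info: str) -> Optional[bool]:
    """Decide from a 'Apache Tomcat/x.y.z' string whether the filter class exists.

    Only the 7.x line is judged here, because 7.0.63 is the only threshold the
    page states; other major versions return None (unknown) rather than a guess.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_info)
    if not m:
        raise ValueError("no x.y.z version found in %r" % server_info)
    version = tuple(int(x) for x in m.groups())
    if version[0] != 7:
        return None
    return version >= MIN_7X_VERSION


# Constructed raw response header blocks: one where the filter is active,
# one from a server that never loaded it.
HEADERS_WITH_FILTER = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
"""

HEADERS_WITHOUT_FILTER = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
"""


def frame_protection(raw_headers: str) -> Optional[str]:
    """Return the X-Frame-Options value (upper-cased) or None if absent.

    Header names are matched case-insensitively; the first line (status) is
    skipped. A value of SAMEORIGIN or DENY means framing is restricted.
    """
    for line in raw_headers.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == "x-frame-options":
            return value.strip().upper()
    return None


if __name__ == "__main__":
    for name, cls in find_failed_filters(SAMPLE_LOG):
        print("filter %s failed to start; missing class: %s" % (name, cls))
    print("7.0.52 has the filter:", filter_available("Apache Tomcat/7.0.52"))
    print("X-Frame-Options:", frame_protection(HEADERS_WITH_FILTER))
```

Run it against a real log by reading CATALINA_BASE/logs/localhost.YYYY-MM-DD.log into find_failed_filters; for the header check, feed it the raw response from a single request to the deployed page (what the browser's network panel or a curl -I call shows). A 404 on every page after the change, combined with an "Exception starting filter" line, is the signature of a filter class that the running Tomcat does not ship, exactly the situation in the answer.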