CAS denied as iFrame


Sebastien BEAUDLOT

Dec 12, 2017, 2:33:12 AM
to cas-user
Hello,

Since I upgraded my CAS backend and frontend, some of our websites, which embed CAS-protected services as iframes, are now throwing an error message:

"Load denied by X-Frame options"

CAS is 5.1.5
Frontend is Apache 2.4.10

I tried:

Header set X-Frame-Options "ALLOW-FROM=https://websitewithiframe.tld"
In the Apache configuration

cas.httpWebRequest.header.xframe=true
In CAS configuration

But none of these get rid of the error.
Has anyone already encountered this problem?

--
Sébastien BEAUDLOT

Network, telephony and mobile fleet administrator

Operational Directorate of Information Systems (DOSI)
Infrastructure Division
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
--

Pascal Rigaux

Dec 12, 2017, 3:31:41 AM
to cas-...@apereo.org
On 12/12/2017 08:33, Sebastien BEAUDLOT wrote:

> Header set X-Frame-Options "ALLOW-FROM=https://websitewithiframe.tld"

Hi,

Bad syntax, replace "=" with " ".

cu

Sebastien BEAUDLOT

Dec 12, 2017, 3:43:54 AM
to cas-user
Hello,

Thanks, but no change. Iframe is still denied.

Regards.

--
Sébastien BEAUDLOT

Network, telephony and mobile fleet administrator

Operational Directorate of Information Systems (DOSI)
Infrastructure Division
Université d'Avignon et des Pays de Vaucluse

Tel: 04.90.16.26.04
--

----- Original message -----
From: "Pascal Rigaux" <pascal...@univ-paris1.fr>
To: "cas-user" <cas-...@apereo.org>
Sent: Tuesday, 12 December 2017 09:31:34
Subject: Re: [cas-user] CAS denied as iFrame
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a349b297-29fd-7b09-41b9-63f4dfe8375c%40univ-paris1.fr.

Fiz

Dec 19, 2017, 11:29:52 AM
to CAS Community
Hello,
Have you managed to solve this problem?
I am also interested.
Regards,
Philippe

Ourada, John

Dec 19, 2017, 12:10:51 PM
to cas-...@apereo.org

Look at your Tomcat or Apache config…

Our security folks had us turn on header security in Tomcat.

--- web.xml ---
    <!-- Tomcat's HttpHeaderSecurityFilter; with no init-params it keeps its
         defaults, which include antiClickJackingEnabled=true and
         antiClickJackingOption=DENY, i.e. X-Frame-Options: DENY on every response -->
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

    <!-- applied to every URL of the web application -->
    <filter-mapping>
      <filter-name>httpHeaderSecurity</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

 

-John Ourada

S

Jul 3, 2018, 7:57:57 AM
to CAS Community
I am also facing a similar issue. Any solution for resolving this?

ste...@scarletmail.rutgers.edu

Jul 24, 2018, 6:12:06 PM
to CAS Community
I'm seeing the same issue.  I have both CAS 3.6 and CAS 5.2.5 running in the same Tomcat and 3.6 doesn't include this header but 5.2.5 includes

  'X-Frame-Options: DENY'

I believe it's cas-server-security-filter that's adding this even though its docs say that everything is turned off by default. Not sure how to explicitly set the option to false.

BTW, we're seeing this issue in iframes in our uPortal.  Whether we actually want to turn this off is a different question.

-ds

Travis Schmidt

Jul 25, 2018, 10:08:18 AM
to cas-...@apereo.org


Sonal

Jul 25, 2018, 1:22:09 PM
to cas-...@apereo.org
Set value false for cas.httpWebRequest.header.xss


Sonal

Jul 26, 2018, 6:43:36 AM
to cas-...@apereo.org
Sorry, the following entry needs to be put in application.properties in order to make CAS work in an iframe.

cas.httpWebRequest.header.xframe=false





--
Thanks and Regards,
Sonal Aggarwal

john spence

Jul 26, 2018, 8:19:47 AM
to cas-...@apereo.org

We had the same trouble. In cas.properties we added:

#Allow CAS protected URLs to be loaded into an iFrame
cas.httpWebRequest.header.xframe=false


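The header logic this thread turns on, as an added example that is not code from the CAS project or from anyone on the list: a small Python checker that decides, from a response's headers, whether a page may be loaded in an iframe from a given origin. It applies the three X-Frame-Options forms (DENY, SAMEORIGIN, and ALLOW-FROM followed by a space, as Pascal points out), reports the "ALLOW-FROM=..." value from the first message as malformed, and honours a Content-Security-Policy frame-ancestors directive in preference to X-Frame-Options, which is how browsers resolve the two when both are present. The header sets and hostnames (cas.example.edu, portal.example.edu, evil.example.net) are constructed for the example; modelling a malformed X-Frame-Options value as "no restriction" is an assumption, since browsers differ on values they cannot parse.

```python
"""Decide whether a page may be framed from a given origin, from its response headers.

Added example for this thread; not code from the CAS project or from any poster.
Rules implemented:
  * X-Frame-Options: DENY | SAMEORIGIN | ALLOW-FROM <uri>   (space-separated, RFC 7034)
  * Content-Security-Policy: frame-ancestors <source-list>  (takes precedence when present)
Assumption: a value that is none of the three X-Frame-Options forms (such as the
"ALLOW-FROM=https://..." attempt from the first message) is reported as malformed and,
in this model, imposes no restriction; real browsers differ on unparsable values.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Normalise a URL to scheme://host[:port], dropping the scheme's default port."""
    p = urlsplit(url)
    port = "" if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"


def effective_port(url: str):
    """Explicit port of the URL, or the default port of its scheme."""
    p = urlsplit(url)
    return p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)


def parse_xfo(value: str):
    """Return (directive, allowed_origin) for a well-formed X-Frame-Options value, else None."""
    tokens = value.strip().split()
    if len(tokens) == 1 and tokens[0].upper() in ("DENY", "SAMEORIGIN"):
        return tokens[0].upper(), None
    if len(tokens) == 2 and tokens[0].upper() == "ALLOW-FROM":
        return "ALLOW-FROM", origin_of(tokens[1])
    return None  # e.g. "ALLOW-FROM=https://x": the "=" glues the URI onto the directive


def frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def source_matches(expr: str, embedder: str, page: str) -> bool:
    """Match one CSP source expression against the (normalised) embedder origin."""
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return embedder == page
    if e == "*":
        return True
    if e.endswith(":"):                       # scheme-only source such as "https:"
        return embedder.startswith(e + "//")
    if "://" not in e:                        # host-only source inherits the page's scheme
        e = urlsplit(page).scheme + "://" + e
    src, emb = urlsplit(e), urlsplit(embedder)
    if src.scheme != emb.scheme or effective_port(e) != effective_port(embedder):
        return False
    if src.hostname.startswith("*."):         # wildcard host such as "*.example.edu"
        return emb.hostname.endswith(src.hostname[1:])
    return src.hostname == emb.hostname


def may_frame(headers: dict, page_url: str, embedder_url: str):
    """Return (allowed, reason) for loading page_url in an iframe served from embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)

    ancestors = frame_ancestors(h["content-security-policy"]) if "content-security-policy" in h else None
    if ancestors is not None:                 # CSP frame-ancestors wins over X-Frame-Options
        return any(source_matches(s, embedder, page) for s in ancestors), "CSP frame-ancestors"

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, "no framing restriction"
    parsed = parse_xfo(xfo)
    if parsed is None:
        return True, f"malformed X-Frame-Options ignored: {xfo!r}"   # assumption, see docstring
    directive, allowed = parsed
    if directive == "DENY":
        return False, "X-Frame-Options DENY"
    if directive == "SAMEORIGIN":
        return embedder == page, "X-Frame-Options SAMEORIGIN"
    return embedder == allowed, f"X-Frame-Options ALLOW-FROM {allowed}"


# Constructed header sets and hostnames (invented for the example).
CAS_LOGIN = "https://cas.example.edu/cas/login"
PORTAL = "https://portal.example.edu/"
CAS_DEFAULT = {"X-Frame-Options": "DENY"}                  # what CAS 5.2.5 sends, per the thread
CAS_XFRAME_OFF = {}                                        # after cas.httpWebRequest.header.xframe=false
APACHE_TYPO = {"X-Frame-Options": "ALLOW-FROM=https://websitewithiframe.tld"}
CAS_WITH_CSP = {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.edu"}

if __name__ == "__main__":
    for name, hdrs in [("CAS default", CAS_DEFAULT), ("xframe=false", CAS_XFRAME_OFF),
                       ("Apache typo", APACHE_TYPO), ("CSP frame-ancestors", CAS_WITH_CSP)]:
        print(f"{name:20} portal -> {may_frame(hdrs, CAS_LOGIN, PORTAL)}")
    print(f"{'CSP frame-ancestors':20} evil   -> {may_frame(CAS_WITH_CSP, CAS_LOGIN, 'https://evil.example.net/')}")
```

To run it against a live deployment, substitute the headers of an HTTP client response (for example `requests.get(url).headers`) for the constructed dictionaries. The `cas.httpWebRequest.header.xframe=false` fix accepted in the thread removes the header entirely, so the login page can then be framed by any site, including a phishing page; a `frame-ancestors` list naming only the portal origin (for instance set at the Apache front end with `Header always set Content-Security-Policy "frame-ancestors 'self' https://websitewithiframe.tld"`) keeps the clickjacking protection while allowing the intended embedding, and the checker above shows it overriding a `DENY` that is still present.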