BusinessObjects Board

This content cannot be displayed in a frame (in SAP portal)

Howdy folks, was hoping you could give me some guidance on the following issue:

Problem:
Recently upgraded to Info Steward 4.2 SP5 Patch 1 (4.2.5.851) from 4.2.3. This version (4.2.5.851) will not display in the SAP Portal for IE11 on Win7(64). It appears that the Info Steward 4.2.5.851 app is sending “X-Frame DENY” in the HTTP header. Screen print attached.

Attempts to fix:
Looked at the web.xml for Tomcat and checked the setting for “antiClickJackingEnabled”. I didn’t find it and the Apache docs say this is enabled by default. So may try setting this.

Steps for Reconstruction:
Install Info Steward 4.2.5.851 and include the web app as an iframe in the SAP portal: on IE11 (Win7) you will receive:

"This content cannot be displayed in a frame

To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame."

Environment info:
Win2008R2, SQL Server, all BOBJ apps vertically stacked on one VM


wilsoja1 (BOB member since 2012-02-10)

SAP got back with me and said they are stepping up security in their products.

They provided the following “fix” if you want to wrap Info Stew in some sort of portal/frame:

As long as nobody inside your company tries to intentionally use
clickjacking technique to attack IS application… you can use this
workaround:
This can be simply turned off if you follow the steps below.
In the file C:\Program Files (x86)\SAP BusinessObjects\tomcat\work\Catalina\localhost\BOE\eclipse\plugins\webpath.ICCExplorer\web\MainUI.jsp, comment out the following lines,

//<%
// if (session.getAttribute("DISABLE_XFRAME") == null) {
// response.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
//Prevent clickjacking
// session.removeAttribute("DISABLE_XFRAME");
// }
//%>

In the file C:\Program Files (x86)\SAP BusinessObjects\tomcat\work\Catalina\localhost\BOE\eclipse\plugins\webpath.ICCExplorer\web\pages\secure\logon.jsp, comment out the following line,

// response.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN"); //Prevent clickjacking

After these two files are updated, you need to restart Tomcat from BOE
Central Configuration Manager.


wilsoja1 (BOB member since 2012-02-10)
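
Added example, not part of the thread or of SAP's fix: a simplified Python model of how a browser decides whether to render a framed page, useful for checking which origins can frame Info Steward before and after the workaround above. It goes beyond the thread by also covering `ALLOW-FROM` and CSP `frame-ancestors`; the host names are constructed, and only exact origins and the direct parent are checked.

```python
from urllib.parse import urlsplit

# Constructed URLs for illustration (not taken from the thread)
APP = "https://infosteward.example/BOE/"
PORTAL = "https://portal.example/irj/portal"
OTHER = "https://unrelated.example/"

def origin(url):
    """scheme://host[:port] of a URL, lower-cased (default ports not normalised)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def framing_allowed(headers, page_url, parent_url, legacy_ie=False):
    """Simplified model: does the browser render page_url in a frame on parent_url?

    legacy_ie=True : IE11-style, only X-Frame-Options is read, ALLOW-FROM honoured.
    legacy_ie=False: current browsers, CSP frame-ancestors overrides
                     X-Frame-Options and ALLOW-FROM is ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)

    if not legacy_ie:
        for directive in h.get("content-security-policy", "").split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if not sources or sources == ["'none'"]:
                    return False
                return ("*" in sources
                        or ("'self'" in sources and parent == page)
                        or parent in sources)

    xfo = h.get("x-frame-options", "").split()
    if not xfo:
        return True                  # no policy at all: any site may frame the page
    value = xfo[0].upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return parent == page
    if value == "ALLOW-FROM" and legacy_ie and len(xfo) == 2:
        return origin(xfo[1]) == parent
    return True                      # unsupported value: header is ignored

if __name__ == "__main__":
    for hdrs in ({"X-FRAME-OPTIONS": "SAMEORIGIN"}, {}):
        print(hdrs, {p: framing_allowed(hdrs, APP, p, True) for p in (PORTAL, OTHER)})
```

With the header commented out as in the workaround, the model returns True for every parent origin, not only the portal.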