Something in web.xml of my Apache Isis Project is disabling aspects of tomcat security (HSTS and Clickjacking)


I have my tomcat (v8) configured to globally use strict transport security (HSTS) and prevent clickjacking (in /opt/tomcat/conf/web.xml):

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

I can also see that it is working. If I look at the headers of one of my webapps, they contain:

Strict-Transport-Security: max-age=0
X-Frame-Options: DENY

But when analyzing the headers of my Apache Isis project, I found out that the X-Frame-Options and Strict-Transport-Security headers are missing. My guess is that there is a problem with one of the filters in the web.xml of the Isis project that is overwriting the global settings. I tried commenting out some of them, but either the app then did not work correctly, or the app worked but the headers still were not there...

My project's web.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>...</display-name>

    <welcome-file-list>
        <welcome-file>about/index.html</welcome-file>
    </welcome-file-list>

    <!-- shiro security configuration -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!--
    determines which additional configuration files to search for
     -->
    <context-param>
        <param-name>isis.viewers</param-name>
        <param-value>wicket,restfulobjects</param-value>
    </context-param>

    <!--
    -
    - config specific to the wicket-viewer
    -
    -->
    <filter>
        <filter-name>WicketFilter</filter-name>
        <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
        <init-param>
            <param-name>applicationClassName</param-name>
            <param-value>domainapp.webapp.MyApplication</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>WicketFilter</filter-name>
        <url-pattern>/wicket/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>configuration</param-name>
        <param-value>deployment</param-value>
    </context-param>

</web-app>

Which part of my project's web.xml could possibly cause Tomcat to not use the default enabled HSTS and the clickjacking prevention for my Isis project?


Thanks to a hint from Andy Huber on the ASF Isis Slack channel, I was able to solve my problems.

Andy's hint was that filter priority is defined by the order of appearance in the web.xml file, so I added the security-related filters at the beginning of the project's web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>...</display-name>

    <welcome-file-list>
        <welcome-file>about/index.html</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- shiro security configuration -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

   ...
</web-app>

Sadly, I still do not know exactly which part of the Isis-related filters caused the initial problem. But as long as my Tomcat security has improved, I can live with that ;-)
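As an added example that is not part of the original question or answer, and not code from Apache Isis or Tomcat: a small Python audit that checks a web.xml for the order of its filter mappings (the point of the answer above) and grades the Strict-Transport-Security and X-Frame-Options headers of a captured response. The web.xml and HTTP samples are constructed for this example; the init-param names hstsMaxAgeSeconds, hstsIncludeSubDomains and antiClickJackingOption are real parameters of Tomcat's HttpHeaderSecurityFilter, whose hstsMaxAgeSeconds defaults to 0.

```python
"""Added example (not from the original post, Apache Isis or Tomcat):
audit a web.xml for the HttpHeaderSecurityFilter and grade the headers
it should produce. All XML and HTTP samples below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"  # namespace of the posted web.xml
HEADER_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
ONE_YEAR = 31536000


def filter_mapping_order(web_xml: str) -> list:
    """Filter names in the order their <filter-mapping> elements appear.
    The container builds the filter chain in this order, so a filter mapped
    later runs only if every earlier filter passes the request on."""
    root = ET.fromstring(web_xml)
    return [m.findtext(NS + "filter-name") for m in root.iter(NS + "filter-mapping")]


def header_filter_is_first(web_xml: str) -> bool:
    """True if the first mapped filter is HttpHeaderSecurityFilter."""
    root = ET.fromstring(web_xml)
    classes = {f.findtext(NS + "filter-name"): f.findtext(NS + "filter-class")
               for f in root.iter(NS + "filter")}
    order = filter_mapping_order(web_xml)
    return bool(order) and classes.get(order[0]) == HEADER_FILTER


def hsts_max_age_seconds(web_xml: str) -> int:
    """hstsMaxAgeSeconds configured on the filter; Tomcat's default is 0."""
    root = ET.fromstring(web_xml)
    for f in root.iter(NS + "filter"):
        if f.findtext(NS + "filter-class") != HEADER_FILTER:
            continue
        for p in f.iter(NS + "init-param"):
            if p.findtext(NS + "param-name") == "hstsMaxAgeSeconds":
                return int(p.findtext(NS + "param-value"))
    return 0


def audit_headers(raw_response: str) -> dict:
    """Grade the HSTS and clickjacking headers of a raw HTTP response."""
    headers = {}
    for line in raw_response.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    findings = {}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings["hsts"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else -1
        if age <= 0:
            # RFC 6797: max-age=0 tells the browser to forget any cached HSTS policy
            findings["hsts"] = "present but max-age=0, so no HSTS policy is cached"
        elif age < ONE_YEAR:
            findings["hsts"] = "max-age below one year"
        else:
            findings["hsts"] = "ok"
    xfo = headers.get("x-frame-options", "").upper()
    findings["clickjacking"] = "ok" if xfo in ("DENY", "SAMEORIGIN") else "missing"
    return findings


# Constructed web.xml resembling the question: Shiro and Wicket mapped, no header filter.
WEB_XML_ORIGINAL = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter><filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class></filter>
  <filter-mapping><filter-name>ShiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter><filter-name>WicketFilter</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class></filter>
  <filter-mapping><filter-name>WicketFilter</filter-name><url-pattern>/wicket/*</url-pattern></filter-mapping>
</web-app>"""

# Constructed fix: header filter declared and mapped first, with a one-year HSTS max-age.
WEB_XML_FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher></filter-mapping>
  <filter><filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class></filter>
  <filter-mapping><filter-name>ShiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

# Constructed responses: Tomcat's filter defaults, the app before the fix, and after the fix.
RESPONSE_DEFAULTS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\nX-Frame-Options: DENY\r\n"
RESPONSE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
RESPONSE_FIXED = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
                  "X-Frame-Options: DENY\r\n")

if __name__ == "__main__":
    print(filter_mapping_order(WEB_XML_ORIGINAL), header_filter_is_first(WEB_XML_ORIGINAL))
    print(filter_mapping_order(WEB_XML_FIXED), header_filter_is_first(WEB_XML_FIXED),
          hsts_max_age_seconds(WEB_XML_FIXED))
    for response in (RESPONSE_DEFAULTS, RESPONSE_MISSING, RESPONSE_FIXED):
        print(audit_headers(response))
```

Two things the audit surfaces beyond the answer's reordering: a Strict-Transport-Security header with max-age=0 is what the filter sends when hstsMaxAgeSeconds is left at its default, and per RFC 6797 that value instructs the browser to drop any cached policy rather than enforce one, so setting hstsMaxAgeSeconds (typically to a year) is needed before the header protects anything; and the filter only adds the HSTS header on requests that arrive over TLS, which is why the CONFIDENTIAL transport-guarantee in the answer and the header check belong together.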