Using OpenNMS in an iframe

how-to
web-ui


In Horizon 23.0.3+ and Meridian 2018.1.5+, we now set the X-Frame-Options: SAMEORIGIN header by default to help prevent clickjacking attacks.

If your use case requires running OpenNMS in an iframe, or similar, you can modify or remove the header as follows:

1. From $OPENNMS_HOME, copy jetty.xml from the examples directory:

cd $OPENNMS_HOME
cp etc/examples/jetty.xml etc/jetty.xml

2.a) If you know the origin from which the iframe is referenced, change SAMEORIGIN to allow-from https://example.com/ in the following block. See X-Frame-Options for details.

<New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
  <Set name="pattern">*</Set>
  <Set name="name">X-Frame-Options</Set>
  <Set name="value">SAMEORIGIN</Set>
</New>

2.b) If you don’t know the origin, remove or comment out the following lines in the configuration file, so that the header is no longer sent:

<Item>
   <Ref id="RewriteHandler"/>
</Item>

3. Restart OpenNMS

Now that your install uses a custom jetty.xml file, make sure to compare the contents to the default file provided in etc/examples/jetty.xml when you upgrade the system and make changes accordingly.
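
To confirm which variant the restarted server is actually sending, the following added example (not part of the original post or of OpenNMS) classifies the X-Frame-Options header in a set of HTTP response headers. The function name frame_policy, the sample responses and the localhost:8980 URL in the final comment are assumptions.

```shell
#!/bin/sh
# Added example (not OpenNMS code): report the X-Frame-Options policy found in
# HTTP response headers read from stdin, e.g. the output of `curl -sI <url>`.
# Prints: missing | deny | sameorigin | allow-from <origin> | conflict | invalid
frame_policy() {
    tr -d '\r' | awk '
        /^$/ { exit }    # a blank line ends the header block; ignore the body
        tolower($0) ~ /^x-frame-options[ \t]*:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)    # drop the header name
            sub(/[ \t]+$/, "", v)          # drop trailing whitespace
            d = tolower(v)
            if (d == "deny" || d == "sameorigin") {
                p = d
            } else if (d ~ /^allow-from[ \t]+[^ \t]+$/) {
                # Obsolete directive: current browsers ignore a header carrying it.
                sub(/^[^ \t]+[ \t]+/, "", v)
                p = "allow-from " v
            } else {
                p = "invalid"
            }
            # Several headers with different values: browsers may disagree.
            if (n++ > 0 && p != prev) conflict = 1
            prev = p
        }
        END {
            if (n == 0) print "missing"
            else if (conflict) print "conflict"
            else print prev
        }'
}

# Constructed sample responses (not captured from a real server), one per
# configuration variant: default, step 2.a, step 2.b.
printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' | frame_policy
printf 'HTTP/1.1 200 OK\r\nx-frame-options: allow-from https://example.com/\r\n\r\n' | frame_policy
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' | frame_policy

# Against a live install (host, port and path are assumptions):
#   curl -sI http://localhost:8980/opennms/ | frame_policy
```

A result of missing, or of allow-from in a current browser, means the page can be framed by any site, so restrict access to the UI by other means if you rely on that configuration.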