Using OpenNMS in an iframe



In Horizon 23.0.3+ and Meridian 2018.1.5+ we now set the X-Frame-Options: sameorigin header by default in order to help avoid clickjacking attacks.

If your use case requires running OpenNMS in an iframe, or similar, you can modify or remove the header as follows:

1. From $OPENNMS_HOME, copy jetty.xml from the examples directory:

   cp etc/examples/jetty.xml etc/jetty.xml

2.a) If you know the origin from which the iframe is referenced, change SAMEORIGIN to allow-from in the following block. See X-Frame-Options for details.

<New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
  <Set name="pattern">*</Set>
  <Set name="name">X-Frame-Options</Set>
  <Set name="value">SAMEORIGIN</Set>
</New>

2.b) If you don’t know the origin, remove or comment out the following lines from the configuration file:

   <Ref id="RewriteHandler"/>
3. Restart OpenNMS

Now that your install uses a custom jetty.xml file, make sure to compare the contents to the default file provided in etc/examples/jetty.xml when you upgrade the system and make changes accordingly.
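
To check what each variant of the procedure above actually permits once OpenNMS is restarted, the following added example (not part of the OpenNMS documentation or code) evaluates a header dump, such as the output of curl -sI, the way a browser would. The host names, sample responses and function names are constructed for illustration, and only the direct parent frame is checked. It also models the fact that current browsers ignore an X-Frame-Options header carrying allow-from, which only legacy browsers honoured.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def xfo_value(raw_headers):
    """Return the first X-Frame-Options value in a header dump, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            return value.strip()
    return None

def may_frame(raw_headers, page_url, parent_url, legacy_browser=False):
    """Decide whether parent_url may show page_url in an iframe.

    Simplification: only the direct parent is checked, not every ancestor.
    legacy_browser=True models the old browsers that honoured ALLOW-FROM.
    """
    value = xfo_value(raw_headers)
    if value is None:
        return True, "no header: any site may frame the page"
    directive, _, arg = value.partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False, "DENY: framing blocked everywhere"
    if directive == "SAMEORIGIN":
        same = origin(page_url) == origin(parent_url)
        return same, "SAMEORIGIN: parent origin %s" % ("matches" if same else "differs")
    if directive == "ALLOW-FROM" and legacy_browser:
        ok = origin(arg.strip()) == origin(parent_url)
        return ok, "ALLOW-FROM honoured: parent %s" % ("listed" if ok else "not listed")
    # Current browsers drop ALLOW-FROM (and unknown values) entirely.
    return True, "header ignored: any site may frame the page"

# Constructed sample responses (not captured from a real OpenNMS install).
PAGE = "http://nms.example.org:8980/opennms/"
DEFAULT = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
STEP_2A = "HTTP/1.1 200 OK\r\nX-Frame-Options: allow-from https://portal.example.org/\r\n\r\n"
STEP_2B = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT), ("2.a", STEP_2A), ("2.b", STEP_2B)):
        for parent in ("https://portal.example.org/dash", "https://other.example.net/"):
            print(label, parent, may_frame(hdrs, PAGE, parent))
```

In current browsers the 2.a variant therefore has the same effect as 2.b: the page can be framed from any origin. The Content-Security-Policy frame-ancestors directive is the standard way to allow a single framing origin.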