XML files are vulnerable to XML External Entity (XXE) attacks when they include a DOCTYPE declaration, which embeds or references a DTD (Document Type Definition). Because of this risk, JasperReports Server can check for DOCTYPE declarations. By default, this check is disabled, because enabling it causes errors for any XML files in your repository that still contain a DOCTYPE declaration. Consider enabling it if XXE attacks are a concern. For more information on this security issue, see Wikipedia's article on XML External Entity Attack.
Before enabling the check, ensure that the XML files in your repository don't include DOCTYPE declarations.
To enable XXE protection:
1. Identify and edit any XML files in your JasperReports Server repository that include a DOCTYPE declaration. Delete the declaration and update the JasperReport on the server. Since JasperReports Server doesn't support DTDs, we recommend removing them entirely.
2. Using a text editor, open the .../WEB-INF/applicationContext.xml file.
3. Locate the skipXXECheck property and set it to false.
4. Restart JasperReports Server.
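Step 1 is the part that is easy to get wrong: once the check is on, every remaining DOCTYPE declaration in the repository becomes a runtime error. The following script is an added example (not JasperReports Server code) of the pre-check a practitioner would run over an exported repository first. It walks a directory, reports every .xml or .jrxml file whose prolog carries a DOCTYPE declaration (ignoring ones that only appear inside XML comments), and counts external entity declarations (SYSTEM/PUBLIC) inside the declaration, since those are the XXE vector. The sample repository that build_sample_repo() creates, including its file names and placeholder URLs, is constructed for the demonstration.

```python
"""Pre-check for step 1 above: find repository XML files that still carry a
DOCTYPE declaration, so they can be cleaned up before skipXXECheck is set to
false.  Added example; this is not JasperReports Server code.  The sample
repository built by build_sample_repo() is constructed for the demonstration."""
import re
import tempfile
from pathlib import Path

# Strip comments first so a commented-out "<!DOCTYPE" is not a false positive.
_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity declarations (SYSTEM/PUBLIC) are the XXE vector; count them.
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
XML_SUFFIXES = {".xml", ".jrxml"}


def _doctype_declaration(text, start):
    """Return the full DOCTYPE declaration starting at `start`, including any
    internal subset in [...].  Heuristic: assumes no stray '>' inside quotes."""
    close = text.find(">", start)
    bracket = text.find("[", start)
    if bracket != -1 and (close == -1 or bracket < close):
        end_bracket = text.find("]", bracket)
        close = text.find(">", end_bracket) if end_bracket != -1 else -1
    return text[start:] if close == -1 else text[start:close + 1]


def doctype_info(xml_text):
    """None if the document has no DOCTYPE; otherwise a summary dict."""
    stripped = _COMMENT.sub("", xml_text)
    m = _DOCTYPE.search(stripped)
    if m is None:
        return None
    decl = _doctype_declaration(stripped, m.start())
    return {
        "declaration": " ".join(decl.split())[:120],
        "external_entities": len(_EXTERNAL_ENTITY.findall(decl)),
    }


def find_doctype_files(root):
    """Walk `root` and map each XML/JRXML file with a DOCTYPE to its summary."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in XML_SUFFIXES:
            continue
        info = doctype_info(path.read_text(encoding="utf-8", errors="replace"))
        if info is not None:
            hits[path.relative_to(root).as_posix()] = info
    return hits


def build_sample_repo():
    """Create a constructed repository export in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="jrs-xxe-check-"))
    files = {
        "reports/clean.jrxml": '<?xml version="1.0"?>\n<jasperReport name="clean"/>\n',
        # Declaration pointing at an external DTD (placeholder URL).
        "reports/legacy.jrxml": '<?xml version="1.0"?>\n'
            '<!DOCTYPE jasperReport SYSTEM "http://example.com/report.dtd">\n'
            '<jasperReport name="legacy"/>\n',
        # Internal subset declaring an external entity: the pattern to flag.
        "resources/internal.xml": '<?xml version="1.0"?>\n'
            '<!DOCTYPE data [\n  <!ENTITY ext SYSTEM "file:///placeholder/path">\n]>\n'
            '<data>&ext;</data>\n',
        # DOCTYPE only inside a comment: must not be reported.
        "resources/commented.xml": '<?xml version="1.0"?>\n'
            '<!-- <!DOCTYPE data SYSTEM "x.dtd"> -->\n<data/>\n',
        "notes/readme.txt": "<!DOCTYPE html> not an XML file, ignored\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, info in find_doctype_files(build_sample_repo()).items():
        print(f"{rel}: {info['external_entities']} external entity declaration(s) -> {info['declaration']}")
```

Run it against the directory where you exported or checked out the repository; every file it lists needs its DOCTYPE removed (and the report re-uploaded) before the check is enabled. The declaration parsing is deliberately simple: it does not handle a literal '>' inside a quoted system identifier, which is rare in practice.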
Protecting Against Clickjacking Attacks
JasperReports Server implements a mechanism to protect against clickjacking attacks. To enable this mechanism, edit the following configuration file: applicationContext-security-web.xml.
1. Using a text editor, open the applicationContext-security-web.xml file (found in <js-install>\apache-tomcat\webapps\jasperserver-pro\WEB-INF).
2. Locate the antiClickJackingEnabled property in the webAppSecurityFilter bean and set it to true. Setting this property to true instructs JasperReports Server to include an X-Frame-Options header in every response.
3. You can also set the antiClickJackingOption property to control the header value. Valid values are:
   • DENY - JasperReports Server does not load into any iframe.
   • SAMEORIGIN - JasperReports Server only loads into an iframe on a page in the same domain as JasperReports Server.
   • ALLOW-FROM - JasperReports Server only loads into a frame on a page at the URI specified in the antiClickJackingUri property.
4. If you set the antiClickJackingOption property to ALLOW-FROM, also set the antiClickJackingUri property to a valid URI.
5. Save the file and restart the server.
If you use iframes to embed JasperReports Server (including use of Visualize.js), set the antiClickJackingOption to either SAMEORIGIN (if the embedding host is on the same domain as JasperReports Server) or ALLOW-FROM (if the embedding host is on a different domain than JasperReports Server). If you use ALLOW-FROM, also set the antiClickJackingUri property.
Clickjack protection does not support cases in which multiple domains embed JasperReports Server.
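To make the three options and the embedding guidance above concrete, here is an added example (not JasperReports Server code) that derives the X-Frame-Options value each antiClickJackingOption setting produces, enforces the rule that ALLOW-FROM needs an absolute antiClickJackingUri, and evaluates whether a given embedding page would be permitted to frame the server under that value. It also shows the reason a single response cannot serve multiple embedding domains: the header carries at most one ALLOW-FROM URI. All server and portal URLs and the response-header dict are constructed for the demonstration. One caveat for deployments that rely on ALLOW-FROM: current browsers ignore that directive (Chrome and Safari never supported it, and Firefox has dropped it), so framing_allowed models what the header asks for, not what every browser enforces.

```python
"""Added example (not JasperReports Server code): the X-Frame-Options value
each antiClickJackingOption setting produces, and a check of whether a given
embedding page would be allowed to frame the server under that value.  The
rules mirror the option descriptions in the steps above; every URL and the
response-header dict are constructed for the demonstration."""
from urllib.parse import urlsplit

VALID_OPTIONS = ("DENY", "SAMEORIGIN", "ALLOW-FROM")
_DEFAULT_PORTS = {"http": 80, "https": 443}


def x_frame_options_value(enabled, option="DENY", uri=None):
    """Header value the server would send for the given properties, or None
    when antiClickJackingEnabled is false (no header at all)."""
    if not enabled:
        return None
    option = option.upper()
    if option not in VALID_OPTIONS:
        raise ValueError(f"unknown antiClickJackingOption: {option!r}")
    if option == "ALLOW-FROM":
        parts = urlsplit(uri or "")
        if not (parts.scheme and parts.netloc):
            raise ValueError("ALLOW-FROM requires antiClickJackingUri to be an absolute URI")
        return f"ALLOW-FROM {uri}"
    return option


def _origin(url):
    """(scheme, host, port) triple; two URLs share an origin iff these match."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme)


def framing_allowed(header_value, server_url, embedding_page_url):
    """Would a browser honouring X-Frame-Options render server_url in a frame
    on embedding_page_url?  A missing header imposes no restriction."""
    if header_value is None:
        return True
    parts = header_value.split(None, 1)
    directive = parts[0].upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return _origin(server_url) == _origin(embedding_page_url)
    if directive == "ALLOW-FROM" and len(parts) == 2:
        # One URI per response: a second embedding domain cannot be expressed,
        # which is why multiple embedding domains are unsupported.
        return _origin(parts[1]) == _origin(embedding_page_url)
    raise ValueError(f"unrecognised X-Frame-Options value: {header_value!r}")


def x_frame_options_from_headers(headers):
    """Case-insensitive lookup in a dict of response headers, as collected by a
    post-restart check against the server."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip()
    return None


if __name__ == "__main__":
    server = "https://reports.example.com/jasperserver-pro"  # constructed
    for option, uri in (("DENY", None), ("SAMEORIGIN", None),
                        ("ALLOW-FROM", "https://portal.example.com")):
        value = x_frame_options_value(True, option, uri)
        for page in ("https://reports.example.com/portal", "https://portal.example.com/dash"):
            print(f"{value:<38} {page:<38} {framing_allowed(value, server, page)}")
```

After restarting the server, fetch any page from it and pass the response headers to x_frame_options_from_headers: a None result means the filter is not active, and a SAMEORIGIN or ALLOW-FROM value can then be checked against the page that embeds the server with framing_allowed.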