Configuration
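To enable access to MashZone NextGen, you need to list the URL(s) of the webMethods Business Console server(s) in the Content Security Policy of MashZone NextGen. Every origin listed there is permitted to display MashZone NextGen inside a frame, so list only the Business Console servers that actually need it.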
The content security settings are made in the server configuration file applicationContext-security-filters.xml by adding filters for X-Frame-Options and Content Security Policies. The file is located in <MashZone NextGen installation>\apache-tomcat\webapps\mashzone\WEB-INF\classes.
applicationContext-security-filters.xml (excerpt)
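<beans:beans
    xmlns="http://www.springframework.org/schema/security"...>
...
  <!-- security="none" removes this path from the Spring Security filter chain, so the
       <headers> settings configured in the blocks below are not applied to the login page. -->
  <http pattern="/hub/login.html" security="none"/>

  <!-- JSP pages: allow framing only by this server and the listed Business Console origins. -->
  <http pattern="/**/*.jsp" use-expressions="false"
        authentication-manager-ref="authenticationManager"
        entry-point-ref="mzngAuthenticationEntryPoint">
    <anonymous enabled="false"/>
    <headers>
      <!-- Default setting, kept for reference: framing by the same origin only. -->
      <!--frame-options policy="SAMEORIGIN"/-->
      <!-- X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers; it only
           helps legacy clients. Keep this comma-separated list identical to the
           frame-ancestors list below, which is what current browsers enforce. -->
      <frame-options policy="ALLOW-FROM" strategy="whitelist"
                     value="http://BCServerHostA:BCServerPortA, http://BCServerHostB:BCServerPortB,..."/>
      <!-- Default setting, kept for reference: framing by the same origin only. -->
      <!--content-security-policy policy-directives="frame-ancestors 'self'"/-->
      <!-- CSP source lists are separated by spaces. A comma ends the policy in the header,
           so origins after a comma would not be part of frame-ancestors.
           Use exact origins (scheme, host, port); prefer https:// where Business Console
           is served over TLS, and avoid wildcards. -->
      <content-security-policy policy-directives="frame-ancestors 'self' http://BCServerHostA:BCServerPortA http://BCServerHostB:BCServerPortB ..."/>
    </headers>
    <csrf token-repository-ref="csrfTokenRepository"
          request-matcher-ref="skipHttpAuthCsrfMatcher"/>
  </http>

  <!-- HTML pages: same framing rules as for the JSP pages above. -->
  <http pattern="/**/*.html" use-expressions="false"
        authentication-manager-ref="authenticationManager"
        entry-point-ref="mzngAuthenticationEntryPoint">
    <intercept-url pattern="/**/*.html"
                   access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <anonymous enabled="false"/>
    <headers>
      <!-- Default setting, kept for reference: framing by the same origin only. -->
      <!--frame-options policy="SAMEORIGIN"/-->
      <!-- Legacy header; see the note on ALLOW-FROM in the JSP block. Keep both lists in sync. -->
      <frame-options policy="ALLOW-FROM" strategy="whitelist"
                     value="http://BCServerHostA:BCServerPortA, http://BCServerHostB:BCServerPortB,..."/>
      <!-- Default setting, kept for reference: framing by the same origin only. -->
      <!--content-security-policy policy-directives="frame-ancestors 'self'"/-->
      <!-- Space-separated list of exact origins that may frame these pages. -->
      <content-security-policy policy-directives="frame-ancestors 'self' http://BCServerHostA:BCServerPortA http://BCServerHostB:BCServerPortB ..."/>
    </headers>
  </http>
...
</beans:beans>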