Configure MashZone NextGen server to work with iFrame
By default, MashZone NextGen can be embedded using HTML inline frames (iFrame) if the MashZone NextGen server and the server of the embedding system use the same protocol, same host and same port.
To embed MashZone NextGen within another HTML document, point the iFrame source at the MashZone NextGen dashboard, as shown in the following example.
<iframe id="embedded-mzng-dashboard"
        width="600px" height="600px"
        src="http://mzngServerHost:mzngServerPort/mashzone/hub/dashboard/dashboard.jsp?mzngDashboardGUID">
  <p>Your browser does not support iframes.</p>
</iframe>
If the embedding system is running on a different host or uses a different protocol or port, the MashZone NextGen server must be configured as follows. The MashZone NextGen server configuration file applicationContext-security-filters.xml needs to be configured by adding filters for X-Frame-Options and content security policies.
The applicationContext-security-filters.xml server configuration file is located in the following directory: <MashZone NextGen-install>/apache-tomcat/webapps/mashzone/WEB-INF/classes
Procedure
1. Open the applicationContext-security-filters.xml configuration file in a text editor of your choice.
2. Adapt the security settings as follows and replace the string "http://otherServerHost:otherServerPort" with the origin of the system in which MashZone NextGen is to be embedded.
<beans:beans
    xmlns="http://www.springframework.org/schema/security"...>
  ...
  <http pattern="/hub/(login|reset_password)\.html.*" security="none"
        request-matcher="regex"/>
  <http pattern="/help/.*" security="none" request-matcher="regex"/>
  <http pattern="/**/*.jsp" use-expressions="false"
        authentication-manager-ref="authenticationManager"
        entry-point-ref="mzngAuthenticationEntryPoint">
    <anonymous enabled="false"/>
    <headers>
      <!--frame-options policy="SAMEORIGIN"/-->
      <frame-options policy="ALLOW-FROM" strategy="static"
                     value="http://otherServerHost:otherServerPort" />
      <!--content-security-policy policy-directives="frame-ancestors 'self'"/-->
      <content-security-policy policy-directives="frame-ancestors 'self' http://otherServerHost:otherServerPort"/>
    </headers>
    <csrf token-repository-ref="csrfTokenRepository"
          request-matcher-ref="skipHttpAuthCsrfMatcher"/>
    <custom-filter ref="samlTokenProcessingFilter"
                   after="PRE_AUTH_FILTER"/>
    <custom-filter ref="jwTokenProcessingFilter"
                   before="CAS_FILTER"/>
    <custom-filter ref="credentialContainerFilter"
                   before="EXCEPTION_TRANSLATION_FILTER"/>
  </http>
  <http pattern="/**/*.html" use-expressions="false"
        authentication-manager-ref="authenticationManager"
        entry-point-ref="mzngAuthenticationEntryPoint">
    <intercept-url pattern="/**/*.html"
                   access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <anonymous enabled="false"/>
    <headers>
      <!--frame-options policy="SAMEORIGIN"/-->
      <frame-options policy="ALLOW-FROM" strategy="static"
                     value="http://otherServerHost:otherServerPort" />
      <!--content-security-policy policy-directives="frame-ancestors 'self'"/-->
      <content-security-policy policy-directives="frame-ancestors 'self' http://otherServerHost:otherServerPort"/>
    </headers>
  </http>
  ...
</beans:beans>
3. Save changes.
Your changes will be applied with the next MashZone NextGen server start.
Further details on the topic Using iFrame can be found in the Spring Security documentation: https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-frame-options.
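An added example (not part of the product documentation): a small Python check that parses the edited applicationContext-security-filters.xml and reports every <http> block whose frame-ancestors list is missing, allows any origin, or does not contain the ALLOW-FROM origin. The sample XML is constructed from the listing above, with the beans namespace declaration filled in as an assumption; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"

# Constructed sample: the second <http> block was left at frame-ancestors 'self'.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http pattern="/**/*.jsp"><headers>
    <frame-options policy="ALLOW-FROM" strategy="static" value="http://otherServerHost:otherServerPort"/>
    <content-security-policy policy-directives="frame-ancestors 'self'
        http://otherServerHost:otherServerPort"/>
  </headers></http>
  <http pattern="/**/*.html"><headers>
    <frame-options policy="ALLOW-FROM" strategy="static" value="http://otherServerHost:otherServerPort"/>
    <content-security-policy policy-directives="frame-ancestors 'self'"/>
  </headers></http>
</beans:beans>"""


def frame_ancestors(directives):
    """Return the frame-ancestors source list of a CSP string, or None."""
    for directive in directives.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def audit(xml_text):
    """Return (pattern, finding) for each <http> block that sets <headers>."""
    findings = []
    for http in ET.fromstring(xml_text).iter(SEC + "http"):
        headers = http.find(SEC + "headers")
        if headers is None:
            continue
        pattern = http.get("pattern")
        xfo = headers.find(SEC + "frame-options")
        csp = headers.find(SEC + "content-security-policy")
        sources = None if csp is None else frame_ancestors(csp.get("policy-directives", ""))
        if sources is None:
            findings.append((pattern, "no frame-ancestors directive"))
        elif "*" in sources:
            findings.append((pattern, "frame-ancestors allows any origin"))
        elif xfo is not None and xfo.get("policy") == "ALLOW-FROM" and xfo.get("value") not in sources:
            findings.append((pattern, "ALLOW-FROM origin missing from frame-ancestors"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Pass the contents of the real configuration file to audit() before restarting the server. Current browsers ignore X-Frame-Options ALLOW-FROM and enforce the frame-ancestors directive, so the content-security-policy line is the one that decides which origins may embed the dashboard.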