Security Headers
By default an Axon Ivy Engine blocks requests that come from an IFrame served by another web server. It uses the HttpHeaderSecurityFilter as configured in [designerOrEngine]/webapps/ivy/WEB-INF/web.xml (for Ivy 8), or [designerOrEngine]/configuration/web.xml (for Ivy 9+).

Where to configure security headers
Security headers are usually configured on a front-end web server (reverse proxy) such as Nginx or IIS. The policies are then enforced by the web browser of the client. We recommend setting headers such as Content-Security-Policy or X-Frame-Options on a front-end web server, not on the Tomcat embedded in Ivy.
However, this tutorial tells you how to deal with these headers if you do not have a front-end web server.
Allow access from a single domain only
To allow a specific domain to embed Axon Ivy content, the init parameters of the HttpHeaderSecurityFilter must be adjusted as follows:
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>ALLOW-FROM</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingUri</param-name>
    <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value>
  </init-param>
This sets the HTTP response header
X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com
Enable the Content-Security-Policy
Unfortunately, the ALLOW-FROM option of the X-Frame-Options header is not interpreted by Chrome.
Therefore, when the client uses Chrome, embedding from any domain remains possible.

Therefore, you have to set the HTTP response header Content-Security-Policy as well. You can achieve this with a ContentSecurityPolicyFilter. Copy the JAR containing this filter into [designerOrEngine]/webapps/ivy/WEB-INF/lib. Then add the filter and configure it in web.xml:
  <filter-mapping>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class>
    <init-param>
      <param-name>report-only</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>default-src</param-name>
      <param-value>'self' 'unsafe-inline'</param-value>
    </init-param>
    <init-param>
      <param-name>frame-ancestors</param-name>
      <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value>
    </init-param>
  </filter>
Verify the solution
If you try to embed Axon Ivy in an IFrame from a non-whitelisted domain, you will see an error in the browser console and no content will be visible in the frame. In every response from the Axon Ivy Engine, the response header
Content-Security-Policy: frame-ancestors https://myParentDomain.com
will be visible.
In Firefox:

In Chrome:

Here is the full filter configuration in web.xml:
  <filter-mapping>
    <filter-name>httpSecurityHeaders</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter>
    <filter-name>httpSecurityHeaders</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingUri</param-name>
      <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>blockContentTypeSniffingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>xssProtectionEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>ContentSecurityPolicyFilter</filter-name>
    <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class>
    <init-param>
      <param-name>report-only</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>default-src</param-name>
      <param-value>'self' 'unsafe-inline'</param-value>
    </init-param>
    <init-param>
      <param-name>frame-ancestors</param-name>
      <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value>
    </init-param>
  </filter>
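As an added example (not part of this tutorial, Tomcat or Axon Ivy), the check below evaluates a response's X-Frame-Options and Content-Security-Policy headers against an embedding origin the way a browser would, including the Chrome case where ALLOW-FROM is ignored, so you can verify the two configurations above without a browser. The Ivy URL, the other-site URL and the sample header sets are constructed for the example.

```python
from urllib.parse import urlsplit

def origin(url):
    """Reduce a URL to its (scheme, host, effective port) origin tuple."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(p.scheme))

def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    directives = {}
    for part in value.lower().split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def source_matches(src, emb, page):
    """Subset of CSP source matching for frame-ancestors: 'none', 'self', *, scheme:, [scheme://]host[:port], *.host."""
    if src in ("'none'", "'self'", "*"):
        return {"'none'": False, "'self'": emb == page, "*": True}[src]
    if src.endswith(":"):
        return emb[0] == src[:-1]
    e = urlsplit(src if "://" in src else "//" + src)
    host = e.hostname or ""
    host_ok = emb[1].endswith(host[1:]) if host.startswith("*.") else emb[1] == host
    return host_ok and (not e.scheme or e.scheme == emb[0]) and (e.port is None or e.port == emb[2])

def framing_allowed(headers, embedder_url, page_url, honours_allow_from=True):
    """Would a browser let page_url be framed by embedder_url, given page_url's response headers?
    honours_allow_from=False models Chrome, which never implemented ALLOW-FROM and ignores the header."""
    h = {k.lower(): v for k, v in headers.items()}
    emb, page = origin(embedder_url), origin(page_url)
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:  # when present, CSP frame-ancestors overrides X-Frame-Options
        ok = any(source_matches(s, emb, page) for s in csp["frame-ancestors"])
        return ok, "frame-ancestors %s %s" % ("allows" if ok else "blocks", embedder_url)
    xfo = h.get("x-frame-options", "").split()
    opt = xfo[0].upper() if xfo else ""
    if opt in ("DENY", "SAMEORIGIN"):
        return (opt == "SAMEORIGIN" and emb == page), "X-Frame-Options: " + opt
    if opt == "ALLOW-FROM" and len(xfo) == 2:
        if not honours_allow_from:
            return True, "ALLOW-FROM unsupported by this browser, header ignored"
        return emb == origin(xfo[1]), "X-Frame-Options: ALLOW-FROM " + xfo[1]
    return True, "no framing restriction"

# Constructed sample responses mirroring the X-Frame-Options-only and the CSP-enabled web.xml above.
XFO_ONLY = {"X-Frame-Options": "ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com"}
WITH_CSP = {**XFO_ONLY, "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; frame-ancestors http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com"}
```

Run the same headers with honours_allow_from=False to see why the X-Frame-Options-only configuration is not enough for Chrome clients.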