I'm using a Filter to insert anti-clickjacking headers in all my pages - this works correctly, except on the JBoss EAP 6.3 container managed login page, which is one of the more important pages to have it.

The filter is not called at all with the login page, which is served off of http://localhost/Application/. Filter mappings I've tried include

<filter>
    <filter-name>InsertXFrameOptions</filter-name>
    <filter-class>com.filter.InsertXFrameOptionsFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>InsertXFrameOptions</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>    
<filter-mapping>
    <filter-name>InsertXFrameOptions</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>InsertXFrameOptions</filter-name>
    <url-pattern>/</url-pattern>
</filter-mapping>

No luck at all though - how do you map a filter so it applies to the container managed login page?

Filters don't kick in on j_security_check requests. They are handled internally by the container before the web application's filters are hit. So you need to head to a container-specific solution to hook on the request/response.

JBoss 6.x/7.x (and all other Tomcat based containers) offer Valves for this. Basically, replace your Filter by a Valve which looks like below:

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class InsertXFrameOptionsValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        response.addHeader("X-Frame-Options", "SAMEORIGIN");
        getNext().invoke(request, response);
    }

}

In order to get it to run, register it in jboss-web.xml like below:

<valve>
    <class-name>com.example.InsertXFrameOptionsValve</class-name>
</valve>