From f8885f607798658e4af285f8e88b9ddfb110747e Mon Sep 17 00:00:00 2001
From: jomu
Date: Wed, 6 Feb 2013 23:29:50 +0000
Subject: [PATCH] enhanced filter, renamed to due enhanced features
---
 jeeutil/pom.xml | 2 +-
 .../shared/jeeutil/OwaspStandardFilter.java | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
diff --git a/jeeutil/pom.xml b/jeeutil/pom.xml
index a229e03..43dbec1 100644
--- a/jeeutil/pom.xml
+++ b/jeeutil/pom.xml
@@ -10,7 +10,7 @@ de.muehlencord.app shared-jeeutil 1.0-SNAPSHOT
- ejb
+ jar shared-jeeutil
diff --git a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
new file mode 100644
index 0000000..ff3d46b
--- /dev/null
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
@@ -0,0 +1,64 @@
+package de.muehlencord.shared.jeeutil;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Filter to suppress ClickJacking and Mime Sniffing by adding header fields
+ *
+ * @author joern@muehlencord.de
+ */
+public class OwaspStandardFilter implements Filter {
+
+ /** mode to use */
+ private String mode = "DENY";
+
+ /**
+ * inits the filter. Checks if a parameter "mode" is available in parameter map tp use instead default "DENY"
+ *
+ * @param filterConfig
+ * @throws ServletException
+ */
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ String configMode = filterConfig.getInitParameter("mode");
+ if (configMode != null) {
+ mode = configMode;
+ }
+ }
+
+ /**
+ *
+ * @param request
+ * @param response
+ * @param chain
+ * @throws IOException
+ * @throws ServletException
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ HttpServletResponse res = (HttpServletResponse) response;
+ // X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
+ res.addHeader("X-FRAME-OPTIONS", mode);
+
+ // X-Content-Type-Options the only defined value, "nosniff",
+ // The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
+ // This also applies to Google Chrome, when downloading extensions.
+ res.addHeader("X-Content-Type-Options", "nosniff");
+ chain.doFilter(request, response);
+ }
+
+ /**
+ * destroys the filter
+ */
+ @Override
+ public void destroy() {
+ // nothing todo here
+ }
+}
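Review bot: The `mode` init parameter is copied into the X-Frame-Options header in `init` without any validation, so a misspelled or unsupported value (the filter's own comment documents only "deny" and "sameorigin") produces a header that browsers do not recognise and silently leaves framing enabled, which is the opposite of what deploying this filter is meant to guarantee. Refuse to start instead of degrading: before the assignment add `if (!"DENY".equalsIgnoreCase(configMode) && !"SAMEORIGIN".equalsIgnoreCase(configMode)) { throw new ServletException("unsupported X-Frame-Options mode: " + configMode); }` and store the canonical form with `mode = configMode.toUpperCase(java.util.Locale.ROOT);` (extend the check if an ALLOW-FROM directive is ever needed). In `doFilter`, `setHeader` is the safer choice over `addHeader` for both headers, because `addHeader` appends and a second filter or the application emitting its own value yields a multi-valued header whose interpretation is browser-specific, whereas `setHeader` makes this filter's value authoritative. The `doFilter` Javadoc has an empty summary; a sentence such as "Adds the X-Frame-Options and X-Content-Type-Options headers to the response and then delegates to the rest of the chain" would state the contract.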