jomu/shared
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases 7 Activity

enhanced filter, renamed to due enhanced features

Browse Source
This commit is contained in:
jomu
2013-02-06 23:29:50 +00:00
parent bf34546e93
commit f8885f6077
2 changed files with 65 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
jeeutil/pom.xml
View File

@ -10,7 +10,7 @@
<groupId>de.muehlencord.app</groupId> <groupId>de.muehlencord.app</groupId>
<artifactId>shared-jeeutil</artifactId> <artifactId>shared-jeeutil</artifactId>
<version>1.0-SNAPSHOT</version> <version>1.0-SNAPSHOT</version>
<packaging>ejb</packaging> <packaging>jar</packaging>
<name>shared-jeeutil</name> <name>shared-jeeutil</name>

64
jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java Normal file
View File

@ -0,0 +1,64 @@
package de.muehlencord.shared.jeeutil;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
/**
* Filter to suppress ClickJacking and Mime Sniffing by adding header fields
*
* @author joern@muehlencord.de
*/
public class OwaspStandardFilter implements Filter {
/** mode to use */
private String mode = "DENY";
/**
* inits the filter. Checks if a parameter "mode" is available in parameter map tp use instead default "DENY"
*
* @param filterConfig
* @throws ServletException
*/
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String configMode = filterConfig.getInitParameter("mode");
if (configMode != null) {
mode = configMode;
}
}
/**
*
* @param request
* @param response
* @param chain
* @throws IOException
* @throws ServletException
*/
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse) response;
// X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
res.addHeader("X-FRAME-OPTIONS", mode);
// X-Content-Type-Options the only defined value, "nosniff",
// The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
// This also applies to Google Chrome, when downloading extensions.
res.addHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(request, response);
}
/**
* destroys the filter
*/
@Override
public void destroy() {
// nothing todo here
}
}