enhanced filter, renamed to due enhanced features

2013-02-06 23:29:50 +00:00
parent bf34546e93
commit f8885f6077
2 changed files with 65 additions and 1 deletions
--- a/jeeutil/pom.xml
+++ b/jeeutil/pom.xml
@ -10,7 +10,7 @@
    <groupId>de.muehlencord.app</groupId>
    <artifactId>shared-jeeutil</artifactId>
    <version>1.0-SNAPSHOT</version>
-    <packaging>ejb</packaging>
+    <packaging>jar</packaging>

    <name>shared-jeeutil</name>

--- a/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
+++ b/jeeutil/src/main/java/de/muehlencord/shared/jeeutil/OwaspStandardFilter.java
@ -0,0 +1,64 @@
+package de.muehlencord.shared.jeeutil;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Filter to suppress ClickJacking and Mime Sniffing by adding header fields
+ *
+ * @author joern@muehlencord.de
+ */
+public class OwaspStandardFilter implements Filter {
+
+    /** mode to use */
+    private String mode = "DENY";
+
+    /**
+     * inits the filter. Checks if a parameter "mode" is available in parameter map tp use instead default "DENY"
+     *
+     * @param filterConfig
+     * @throws ServletException
+     */
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        String configMode = filterConfig.getInitParameter("mode");
+        if (configMode != null) {
+            mode = configMode;
+        }
+    }
+
+    /**
+     *
+     * @param request
+     * @param response
+     * @param chain
+     * @throws IOException
+     * @throws ServletException
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletResponse res = (HttpServletResponse) response;
+        // X-FRAME-OPTIONS: Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
+        res.addHeader("X-FRAME-OPTIONS", mode);
+
+        // X-Content-Type-Options the only defined value, "nosniff", 
+        // The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. 
+        // This also applies to Google Chrome, when downloading extensions.
+        res.addHeader("X-Content-Type-Options", "nosniff");
+        chain.doFilter(request, response);
+    }
+
+    /**
+     * destroys the filter
+     */
+    @Override
+    public void destroy() {
+        // nothing todo here
+    }
+}