Preventing clickjacking in JBoss 5.1 does not work for the root URL


I need to reject clickjacking threats from my application. It's a Java application deployed on a JBoss 5.1 server. As advised in many places, to get rid of this I need to avoid loading the application in iframes. For that I tried to add headers to the HTTP response. I added a filter in web.xml and set the X-FRAME-OPTIONS header in the response to DENY. I set the url-pattern to /*. I created an HTML page with an iframe and set its src URL to test. The application loads as the root of the server, e.g. http://localhost:8080. It is not applying the headers for this root URL, but it does apply them for the base URL with any other path appended.

ex:

Is there any additional configuration needed to get the response header for the root URL in JBoss 5.1?

Here are the changes:

web.xml

<filter>
    <filter-name>ClickjackPreventionFilter</filter-name>
    <filter-class>com.base.presentation.filters.ClickJackingPreventionFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping> 
    <filter-name>ClickjackPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

ClickJackingPreventionFilter.java

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickJackingPreventionFilter implements Filter {
    // Header value to send; overridden by the "mode" init-param in web.xml
    private String mode = "DENY";

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // Add the header before passing the request down the chain so it is present on the response
        HttpServletResponse res = (HttpServletResponse) response;
        res.addHeader("X-FRAME-OPTIONS", mode);
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Read the configured mode (DENY or SAMEORIGIN); keep the default if absent
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}

Solution

  • I was able to resolve this. I added a JBoss valve. JBoss valves are at a more abstract level than filters. Create a class by extending the ValveBase class and add a valve entry in the server.xml file in the "jboss-5.1\server\\deploy\jbossweb.sar" location. Here are the class and the valve entry. The valve entry should be included within the Engine >> Host tags.

    server.xml entry

    <Valve className="com.yourxcompany.jboss.valve.ClickJackingPreventionValve"/>
    

    ClickJackingPreventionValve.java

    import java.io.IOException;

    import javax.servlet.ServletException;

    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.valves.ValveBase;
    import org.jboss.logging.Logger;

    public class ClickJackingPreventionValve extends ValveBase {

        private static final Logger LOG = Logger.getLogger(ClickJackingPreventionValve.class);

        // System property that overrides the header value
        // (e.g. -Djboss.util.click.jacking.prevent.x.frame.option=DENY on the JVM command line)
        private static final String PROP_KEY_X_FRAME_OPTION =
            "jboss.util.click.jacking.prevent.x.frame.option";

        private static final String DEFAULT_X_FRAME_OPTION = "SAMEORIGIN";

        @Override
        public void invoke(Request request, Response response) throws IOException, ServletException {
            // Resolve the value per request: system property first, then the default
            String xFrameOption = System.getProperty(PROP_KEY_X_FRAME_OPTION);
            if (xFrameOption == null) {
                xFrameOption = DEFAULT_X_FRAME_OPTION;
            }
            // The valve runs at the Host level, so the header is added for every context, including the root URL
            response.addHeader("X-FRAME-OPTIONS", xFrameOption);
            LOG.debug(" ######## SET X-FRAME-OPTIONS to " + xFrameOption + " ############ ");

            // Continue down the valve pipeline
            this.getNext().invoke(request, response);
        }
    }

    Here is another way to add headers to the response. There is a web.xml file in the "jboss-5.1\server\\deployers\jbossweb.deployer" location. There is a filter in this file named "CommonHeadersFilter". You can add your "x-frame-options" header here. I added this as another way I tried to solve this, but it does not work for the root URL. It may be helpful in another scenario.

    <filter>
        <filter-name>CommonHeadersFilter</filter-name>
        <filter-class>
            org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
        <init-param>
            <param-name>X-Powered-By</param-name>
            <param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>
        </init-param>
        <init-param>
            <param-name>X-FRAME-OPTIONS</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>CommonHeadersFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
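As an added verification step (not part of the question or the answer), the following small Java client requests the root URL, both with and without a trailing slash, plus one sub-path, and reports whether each response carries exactly one X-Frame-Options header with an accepted value. The host, port and paths are assumptions; adjust them to your deployment. It does not follow redirects, so a redirect issued for the root URL is inspected as its own response.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.List;
import java.util.Map;

/** Checks that each URL answers with exactly one X-Frame-Options header (header names are case-insensitive). */
public class XFrameOptionsCheck {
    // Assumed deployment: JBoss 5.1 listening on localhost:8080 (placeholder values)
    private static final String[] URLS = {
        "http://localhost:8080",           // root without trailing slash (the problematic case)
        "http://localhost:8080/",          // root with trailing slash
        "http://localhost:8080/index.jsp"  // any other page under the same host
    };

    /** Returns true if the headers hold exactly one X-Frame-Options value that is DENY or SAMEORIGIN. */
    static boolean headerOk(Map<String, List<String>> headers) {
        List<String> values = null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // The status line is stored under a null key; skip it
            if (e.getKey() != null && e.getKey().equalsIgnoreCase("X-Frame-Options")) {
                values = e.getValue();
            }
        }
        if (values == null || values.size() != 1) {
            return false; // missing, or added twice (e.g. by both the filter and the valve)
        }
        String v = values.get(0).trim().toUpperCase();
        return v.equals("DENY") || v.equals("SAMEORIGIN");
    }

    public static void main(String[] args) throws Exception {
        boolean allOk = true;
        for (String u : URLS) {
            HttpURLConnection conn = (HttpURLConnection) new URL(u).openConnection();
            conn.setInstanceFollowRedirects(false); // inspect the redirect response itself, not its target
            conn.setRequestMethod("GET");
            conn.connect();
            boolean ok = headerOk(conn.getHeaderFields());
            System.out.println((ok ? "OK      " : "MISSING ") + conn.getResponseCode() + " " + u);
            allOk &= ok;
            conn.disconnect();
        }
        System.exit(allOk ? 0 : 1); // non-zero exit lets a deployment script fail the check
    }
}
```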