我需要拒绝来自我的应用程序的clickjacking威胁。它的java应用程序并部署在jboss 5.1服务器上。正如许多地方所建议的那样摆脱这种需求,以避免在iframe中加载应用程序。为此,我尝试将标头添加到http响应。我在web xml中添加了过滤器并将响应中的X-FRAME-OPTIONS标题设置为DENY。我将URLPATTERN添加为/ *。我用iframe创建了html并添加了src url来测试。应用程序加载为服务器的根目录,例如:http://localhost:8080。它没有应用此根网址的标头。但它适用于任何其他修改网址的基本网址。
例如:
是否有任何其他配置来获取jboss5.1中根URL的响应头?
这是变化
veb.hml
<filter>
<filter-name>ClickjackPreventionFilter</filter-name>
<filter-class>com.base.presentation.filters.ClickJackingPreventionFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ClickjackPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
click jacking prevention filter.Java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
public class ClickJackingPreventionFilter implements Filter{
private String mode = "DENY";
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
res.addHeader("X-FRAME-OPTIONS", mode );
chain.doFilter(request, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String configMode = filterConfig.getInitParameter("mode");
if ( configMode != null ) {
mode = configMode;
}
}
}
我能够解决这个问题。我加了jboss阀门。 jboss阀门比过滤器更抽象。通过扩展valvebase类来创建类,并在“jboss-5.1 \ server \\ deploy \ jbossweb.sar”位置的server.xml文件中添加valve条目。这是类和阀门入口。阀门入口应包含在Engine >> Host标签中。
server.xml条目
<Valve className="com.yourxcompany.jboss.valve.ClickJackingPreventionValve"/>
click jacking prevention valve.Java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;
public class ClickJackingPreventionValve extends ValveBase{
private static Logger LOG = Logger.getLogger(ClickJackingPreventionValve.class);
private final String PROP_KEY_X_FRAME_OPTION =
"jboss.util.click.jacking.prevent.x.frame.option";
private final String DEFAULT_X_FRAME_OPTION = "SAMEORIGIN";
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
String xFrameOption = System.getProperty(PROP_KEY_X_FRAME_OPTION);
if(xFrameOption == null ) {
xFrameOption = DEFAULT_X_FRAME_OPTION;
}
response.addHeader("X-FRAME-OPTIONS", xFrameOption);
LOG.debug(" ######## SET X-FRAME-OPTIONS to "+ xFrameOption +" ############ ");
this.getNext().invoke(request, response);
}
}
这是另一种为响应添加过滤器的方法。 “jboss-5.1 \ server \\ deployers \ jbossweb.deployer”位置中有web.xml文件。此文件中有一个名为“CommonHeadersFilter”的过滤器。您可以在此处添加“x-frame-options”标题。我添加这个作为我试图解决这个问题的另一种方式。但这对根网址不起作用。这可能是另一种情况的帮助。
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>
org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>
</init-param>
<init-param>
<param-name>X-FRAME-OPTIONS</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CommonHeadersFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>