我需要拒绝我的应用程序中的点击劫持威胁。它的Java应用程序&部署在jboss 5.1服务器中。正如许多地方所建议的,摆脱这种需求是为了避免将应用程序加载到iframe中。为此,我尝试将标头添加到http响应。我在web xml中添加了过滤器,并将X-FRAME-OPTIONS标头设置为DENY作为响应。我将URLPATTERN添加为/ *。我使用iframe创建了html并添加了src url进行测试。应用程序加载为服务器的根目录,例如:http://localhost:8080。它没有应用此根URL的标题。但这适用于基本网址以及其他任何修改网址。
例如:
在jboss5.1中是否还有其他配置来获取根URL的响应标头?
这是更改
web.xml
<filter>
<filter-name>ClickjackPreventionFilter</filter-name>
<filter-class>com.base.presentation.filters.ClickJackingPreventionFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ClickjackPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
ClickJackingPreventionFilter.java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
public class ClickJackingPreventionFilter implements Filter{
private String mode = "DENY";
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse)response;
res.addHeader("X-FRAME-OPTIONS", mode );
chain.doFilter(request, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String configMode = filterConfig.getInitParameter("mode");
if ( configMode != null ) {
mode = configMode;
}
}
}
答案 0 :(得分:1)
我能够解决这个问题。我添加了jboss阀门。 jboss阀门比过滤器更抽象。通过扩展Valvebase类创建类,并在“ jboss-5.1 \ server \\ deploy \ jbossweb.sar”位置的server.xml文件中添加Valve条目。这是课程和阀门条目。气门条目应包含在Engine >> Host标签中。
server.xml条目
<Valve className="com.yourxcompany.jboss.valve.ClickJackingPreventionValve"/>
ClickJackingPreventionValve.java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;
public class ClickJackingPreventionValve extends ValveBase{
private static Logger LOG = Logger.getLogger(ClickJackingPreventionValve.class);
private final String PROP_KEY_X_FRAME_OPTION =
"jboss.util.click.jacking.prevent.x.frame.option";
private final String DEFAULT_X_FRAME_OPTION = "SAMEORIGIN";
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
String xFrameOption = System.getProperty(PROP_KEY_X_FRAME_OPTION);
if(xFrameOption == null ) {
xFrameOption = DEFAULT_X_FRAME_OPTION;
}
response.addHeader("X-FRAME-OPTIONS", xFrameOption);
LOG.debug(" ######## SET X-FRAME-OPTIONS to "+ xFrameOption +" ############ ");
this.getNext().invoke(request, response);
}
}
这是向响应添加过滤器的另一种方法。在“ jboss-5.1 \ server \\ deployers \ jbossweb.deployer”位置中有web.xml文件。此文件中有一个名为“ CommonHeadersFilter”的过滤器。您可以在此处添加“ x-frame-options”标题。我将其添加为尝试解决此问题的另一种方式。但这不适用于根网址。这可能有助于解决另一种情况。
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>
org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>
</init-param>
<init-param>
<param-name>X-FRAME-OPTIONS</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CommonHeadersFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>