hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/http/XFrameOptionsFilter.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.security.http;

 import java.io.IOException;
 import java.util.Map;

 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;

 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;

 /**
  * This filter protects webapps from clickjacking attacks that
  * are possible through use of Frames to embed the resources in another
  * application and intercept clicks to accomplish nefarious things.
  */
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public class XFrameOptionsFilter implements Filter {
   public static final String X_FRAME_OPTIONS = "X-Frame-Options";
   public static final String CUSTOM_HEADER_PARAM = "xframe-options";

   private String option = "DENY";

   @Override
   public void destroy() {
   }

   @Override
   public void doFilter(ServletRequest req, ServletResponse res,
       FilterChain chain) throws IOException, ServletException {
     ((HttpServletResponse) res).setHeader(X_FRAME_OPTIONS, option);
     chain.doFilter(req,
         new XFrameOptionsResponseWrapper((HttpServletResponse) res));
   }

   @Override
   public void init(FilterConfig config) throws ServletException {
     String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
     if (customOption != null) {
       option = customOption;
     }
   }

   /**
    * Constructs a mapping of configuration properties to be used for filter
    * initialization.  The mapping includes all properties that start with the
    * specified configuration prefix.  Property names in the mapping are trimmed
    * to remove the configuration prefix.
    *
    * @param conf configuration to read
    * @param confPrefix configuration prefix
    * @return mapping of configuration properties to be used for filter
    *     initialization
    */
   public static Map<String, String> getFilterParams(Configuration conf,
       String confPrefix) {
     return conf.getPropsWithPrefix(confPrefix);
   }

   /**
    * This wrapper allows the rest of the filter pipeline to
    * see the configured value when interrogating the response.
    * It also blocks other filters from setting the value to
    * anything other than what is configured.
    *
    */
   public class XFrameOptionsResponseWrapper
       extends HttpServletResponseWrapper {
     /**
      * Ctor to take wrap the provided response.
      * @param response the response to wrap
      */
     public XFrameOptionsResponseWrapper(HttpServletResponse response) {
       super(response);
     }

     @Override
     public void addHeader(String name, String value) {
       // don't allow additional values to be added along
       // with the configured options value
       if (!name.equals(X_FRAME_OPTIONS)) {
         super.addHeader(name, value);
       }
     }

     @Override
     public void setHeader(String name, String value) {
       // don't allow overwriting of configured value
       if (!name.equals(X_FRAME_OPTIONS)) {
         super.setHeader(name, value);
       }
     }

     @Override
     public void setDateHeader(String name, long date) {
       // don't allow overwriting of configured value
       if (!name.equals(X_FRAME_OPTIONS)) {
         super.setDateHeader(name, date);
       }
     }

     @Override
    public void addDateHeader(String name, long date) {
       // don't allow additional values to be added along
       // with the configured options value
       if (!name.equals(X_FRAME_OPTIONS)) {
         super.addDateHeader(name, date);
       }
     }

     @Override
     public void setIntHeader(String name, int value) {
       // don't allow overwriting of configured value
       if (!name.equals(X_FRAME_OPTIONS)) {
         super.setIntHeader(name, value);
       }
     }

     @Override
     // don't allow additional values to be added along
     // with the configured options value
     public void addIntHeader(String name, int value) {
       if (!name.equals(X_FRAME_OPTIONS)) {
         super.addIntHeader(name, value);
       }
     }

     @Override
     public boolean containsHeader(String name) {
       boolean contains = false;
       // allow the filterchain and subsequent
       // filters to see that the header is set
       if (name.equals(X_FRAME_OPTIONS)) {
         return (option != null);
       } else {
         super.containsHeader(name);
       }
       return contains;
     }
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.security.http;

	import java.io.IOException;
	import java.util.Map;

	import javax.servlet.Filter;
	import javax.servlet.FilterChain;
	import javax.servlet.FilterConfig;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;
	import javax.servlet.http.HttpServletResponse;
	import javax.servlet.http.HttpServletResponseWrapper;

	import org.apache.hadoop.classification.InterfaceAudience;
	import org.apache.hadoop.classification.InterfaceStability;
	import org.apache.hadoop.conf.Configuration;

	/**
	* This filter protects webapps from clickjacking attacks that
	* are possible through use of Frames to embed the resources in another
	* application and intercept clicks to accomplish nefarious things.
	*/
	@InterfaceAudience.Public
	@InterfaceStability.Evolving
	public class XFrameOptionsFilter implements Filter {
	public static final String X_FRAME_OPTIONS = "X-Frame-Options";
	public static final String CUSTOM_HEADER_PARAM = "xframe-options";

	private String option = "DENY";

	@Override
	public void destroy() {
	}

	@Override
	public void doFilter(ServletRequest req, ServletResponse res,
	FilterChain chain) throws IOException, ServletException {
	((HttpServletResponse) res).setHeader(X_FRAME_OPTIONS, option);
	chain.doFilter(req,
	new XFrameOptionsResponseWrapper((HttpServletResponse) res));
	}

	@Override
	public void init(FilterConfig config) throws ServletException {
	String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
	if (customOption != null) {
	option = customOption;
	}
	}

	/**
	* Constructs a mapping of configuration properties to be used for filter
	* initialization. The mapping includes all properties that start with the
	* specified configuration prefix. Property names in the mapping are trimmed
	* to remove the configuration prefix.
	*
	* @param conf configuration to read
	* @param confPrefix configuration prefix
	* @return mapping of configuration properties to be used for filter
	* initialization
	*/
	public static Map<String, String> getFilterParams(Configuration conf,
	String confPrefix) {
	return conf.getPropsWithPrefix(confPrefix);
	}

	/**
	* This wrapper allows the rest of the filter pipeline to
	* see the configured value when interrogating the response.
	* It also blocks other filters from setting the value to
	* anything other than what is configured.
	*
	*/
	public class XFrameOptionsResponseWrapper
	extends HttpServletResponseWrapper {
	/**
	* Ctor to take wrap the provided response.
	* @param response the response to wrap
	*/
	public XFrameOptionsResponseWrapper(HttpServletResponse response) {
	super(response);
	}

	@Override
	public void addHeader(String name, String value) {
	// don't allow additional values to be added along
	// with the configured options value
	if (!name.equals(X_FRAME_OPTIONS)) {
	super.addHeader(name, value);
	}
	}

	@Override
	public void setHeader(String name, String value) {
	// don't allow overwriting of configured value
	if (!name.equals(X_FRAME_OPTIONS)) {
	super.setHeader(name, value);
	}
	}

	@Override
	public void setDateHeader(String name, long date) {
	// don't allow overwriting of configured value
	if (!name.equals(X_FRAME_OPTIONS)) {
	super.setDateHeader(name, date);
	}
	}

	@Override
	public void addDateHeader(String name, long date) {
	// don't allow additional values to be added along
	// with the configured options value
	if (!name.equals(X_FRAME_OPTIONS)) {
	super.addDateHeader(name, date);
	}
	}

	@Override
	public void setIntHeader(String name, int value) {
	// don't allow overwriting of configured value
	if (!name.equals(X_FRAME_OPTIONS)) {
	super.setIntHeader(name, value);
	}
	}

	@Override
	// don't allow additional values to be added along
	// with the configured options value
	public void addIntHeader(String name, int value) {
	if (!name.equals(X_FRAME_OPTIONS)) {
	super.addIntHeader(name, value);
	}
	}

	@Override
	public boolean containsHeader(String name) {
	boolean contains = false;
	// allow the filterchain and subsequent
	// filters to see that the header is set
	if (name.equals(X_FRAME_OPTIONS)) {
	return (option != null);
	} else {
	super.containsHeader(name);
	}
	return contains;
	}
	}
	}