From b89dba1982d0ba0ec38d0fa00e8458b6f52f7d6d Mon Sep 17 00:00:00 2001
From: Jim Blake
Date: Wed, 17 Sep 2014 12:54:29 -0400
Subject: [PATCH] VIVO-862 add a filter to prevent Clickjacking.
---
 .../vitro/webapp/filters/ClickjackFilter.java | 44 +++++++++++++++++++
 webapp/web/WEB-INF/web.xml | 11 +++++
 2 files changed, 55 insertions(+)
 create mode 100644 webapp/src/edu/cornell/mannlib/vitro/webapp/filters/ClickjackFilter.java
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/ClickjackFilter.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/ClickjackFilter.java
new file mode 100644
index 000000000..43f598c52
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/ClickjackFilter.java
@@ -0,0 +1,44 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
+ * decide to implement) not to display this content in a frame.
+ *
+ * For details, refer to
+ * http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx,
+ * https://www.owasp.org/index.php/ClickjackFilter_for_Java_EE
+ */
+public class ClickjackFilter implements Filter {
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+ if (response instanceof HttpServletResponse) {
+ ((HttpServletResponse) response).setHeader("X-FRAME-OPTIONS",
+ "SAMEORIGIN");
+ }
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void init(FilterConfig fc) throws ServletException {
+ // Nothing to set up.
+ }
+
+ @Override
+ public void destroy() {
+ // Nothing to tear down.
+ }
+
+}
diff --git a/webapp/web/WEB-INF/web.xml b/webapp/web/WEB-INF/web.xml
index a1aeaad87..b13c3fa0e 100644
--- a/webapp/web/WEB-INF/web.xml
+++ b/webapp/web/WEB-INF/web.xml
@@ -128,6 +128,17 @@
 FORWARD
+
+ ClickjackFilter
+ edu.cornell.mannlib.vitro.webapp.filters.ClickjackFilter
+
+
+ ClickjackFilter
+ /*
+ REQUEST
+ FORWARD
+
+
 PageRoutingFilter
 edu.cornell.mannlib.vitro.webapp.filters.PageRoutingFilter
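Review bot: `doFilter` writes the header with an unconditional `setHeader`, which also replaces any `X-FRAME-OPTIONS` value an earlier filter or the application itself already chose (a page that deliberately sent `DENY` would be downgraded to `SAMEORIGIN`), and the class Javadoc does not say that this filter therefore has to run first; a note such as `Must be mapped ahead of any filter or servlet that sets its own X-Frame-Options value, since setHeader replaces it.` would make that dependency explicit. Setting the header before `chain.doFilter(...)` is the right order, because headers cannot be added once the response is committed, but a downstream `response.reset()` or container error-page handling can still discard it, so error responses are worth verifying with the filter in place. Header names are case-insensitive, so `X-FRAME-OPTIONS` works, though the conventional spelling is `X-Frame-Options`. Browsers that implement Content Security Policy treat `frame-ancestors` as the successor of this header, so sending `Content-Security-Policy: frame-ancestors 'self'` alongside it would cover them as well, provided the application does not already emit a CSP header that a second `setHeader` would overwrite.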
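Review bot: The new filter-mapping appears to list only the REQUEST and FORWARD dispatcher types (the element tags are lost in this rendering, so this is inferred from the visible `REQUEST` and `FORWARD` lines), which means responses rendered through an ERROR or INCLUDE dispatch never pass through ClickjackFilter and are sent without the header. If web.xml declares error pages, adding `<dispatcher>ERROR</dispatcher>` to the mapping keeps those responses covered. Placing the mapping ahead of PageRoutingFilter is the right choice, since filters execute in mapping order and the header has to be set before anything downstream commits the response.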