XFrameOptionsFilter.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.security.http;

import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;

/**
 * This filter protects webapps from clickjacking attacks that
 * are possible through use of Frames to embed the resources in another
 * application and intercept clicks to accomplish nefarious things.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public class XFrameOptionsFilter implements Filter {
  public static final String X_FRAME_OPTIONS = "X-Frame-Options";
  public static final String CUSTOM_HEADER_PARAM = "xframe-options";

  private String option = "DENY";

  @Override
  public void destroy() {
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res,
      FilterChain chain) throws IOException, ServletException {
    ((HttpServletResponse) res).setHeader(X_FRAME_OPTIONS, option);
    chain.doFilter(req,
        new XFrameOptionsResponseWrapper((HttpServletResponse) res));
  }

  @Override
  public void init(FilterConfig config) throws ServletException {
    String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
    if (customOption != null) {
      option = customOption;
    }
  }

  /**
   * Constructs a mapping of configuration properties to be used for filter
   * initialization.  The mapping includes all properties that start with the
   * specified configuration prefix.  Property names in the mapping are trimmed
   * to remove the configuration prefix.
   *
   * @param conf configuration to read
   * @param confPrefix configuration prefix
   * @return mapping of configuration properties to be used for filter
   *     initialization
   */
  public static Map<String, String> getFilterParams(Configuration conf,
      String confPrefix) {
    return conf.getPropsWithPrefix(confPrefix);
  }

  /**
   * This wrapper allows the rest of the filter pipeline to
   * see the configured value when interrogating the response.
   * It also blocks other filters from setting the value to
   * anything other than what is configured.
   *
   */
  public class XFrameOptionsResponseWrapper
      extends HttpServletResponseWrapper {
    /**
     * Ctor to take wrap the provided response.
     * @param response the response to wrap
     */
    public XFrameOptionsResponseWrapper(HttpServletResponse response) {
      super(response);
    }

    @Override
    public void addHeader(String name, String value) {
      // don't allow additional values to be added along
      // with the configured options value
      if (!name.equals(X_FRAME_OPTIONS)) {
        super.addHeader(name, value);
      }
    }

    @Override
    public void setHeader(String name, String value) {
      // don't allow overwriting of configured value
      if (!name.equals(X_FRAME_OPTIONS)) {
        super.setHeader(name, value);
      }
    }

    @Override
    public void setDateHeader(String name, long date) {
      // don't allow overwriting of configured value
      if (!name.equals(X_FRAME_OPTIONS)) {
        super.setDateHeader(name, date);
      }
    }

    @Override
   public void addDateHeader(String name, long date) {
      // don't allow additional values to be added along
      // with the configured options value
      if (!name.equals(X_FRAME_OPTIONS)) {
        super.addDateHeader(name, date);
      }
    }

    @Override
    public void setIntHeader(String name, int value) {
      // don't allow overwriting of configured value
      if (!name.equals(X_FRAME_OPTIONS)) {
        super.setIntHeader(name, value);
      }
    }

    @Override
    // don't allow additional values to be added along
    // with the configured options value
    public void addIntHeader(String name, int value) {
      if (!name.equals(X_FRAME_OPTIONS)) {
        super.addIntHeader(name, value);
      }
    }

    @Override
    public boolean containsHeader(String name) {
      boolean contains = false;
      // allow the filterchain and subsequent
      // filters to see that the header is set
      if (name.equals(X_FRAME_OPTIONS)) {
        return (option != null);
      } else {
        super.containsHeader(name);
      }
      return contains;
    }
  }
}