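/**
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.keybox.common.interceptor;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.StrutsStatics;

import javax.servlet.http.HttpServletResponse;

/**
 * Struts2 interceptor that sets an {@code X-Frame-Options: SAMEORIGIN} response header so
 * that browsers refuse to render the page inside a frame served from another origin.
 *
 * <p>Clickjacking, also known as a "UI redress attack", is when an attacker
 * uses multiple transparent or opaque layers to trick a user into clicking
 * on a button or link on another page when they were intending to click on
 * the top level page. Thus, the attacker is "hijacking" clicks meant
 * for their page and routing them to another page, most likely owned by
 * another application, domain, or both.
 * https://www.owasp.org/index.php/Clickjacking
 *
 * <p>NOTE(review): {@code X-Frame-Options} is the legacy mechanism; the Content-Security-Policy
 * {@code frame-ancestors} directive is its modern equivalent and could be sent alongside it.
 * Only responses produced through an action stack that includes this interceptor receive the
 * header — static resources served outside Struts are not covered by it.
 */
public class ClickjackingInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 2438421386123540997L;

    /** Response header that tells the browser whether the page may be framed. */
    private static final String HEADER = "X-Frame-Options";

    /** Only documents from the same origin may embed this response in a frame. */
    private static final String VALUE = "SAMEORIGIN";

    /**
     * Sets the anti-framing header on the current HTTP response, then continues the
     * interceptor chain.
     *
     * @param invocation the current action invocation
     * @return the result code returned by the remainder of the chain
     * @throws Exception propagated from {@link ActionInvocation#invoke()}
     */
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext context = invocation.getInvocationContext();
        HttpServletResponse response =
                (HttpServletResponse) context.get(StrutsStatics.HTTP_RESPONSE);
        // setHeader, not addHeader: keeps the header single-valued if this interceptor
        // runs more than once on the same response (e.g. through action chaining),
        // instead of emitting a second "X-Frame-Options" line each time.
        response.setHeader(HEADER, VALUE);
        return invocation.invoke();
    }
}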