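/* (c) 2017 Open Source Geospatial Foundation - all rights reserved
 * This code is licensed under the GPL 2.0 license, available at the root
 * application directory.
 */
package org.geoserver.filters;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.geoserver.platform.GeoServerExtensions;

/**
 * Simple filter that sets the {@code X-Frame-Options} response header to prevent clickjacking
 * attacks. The filter is controlled by two system properties:
 *
 * <ul>
 *   <li>{@code geoserver.xframe.shouldSetPolicy}: whether the header is set at all. Default is
 *       {@code true}.
 *   <li>{@code geoserver.xframe.policy}: the value of the header. Default is {@code SAMEORIGIN};
 *       valid options are {@code DENY}, {@code SAMEORIGIN} and {@code ALLOW-FROM [uri]}.
 * </ul>
 *
 * These properties can be set via a command line {@code -D} argument, a {@code web.xml} init
 * parameter or an environment variable.
 *
 * <p>The configured policy is sent unvalidated: a misspelled value is written to the header
 * as-is, and browsers ignore an unrecognised {@code X-Frame-Options} value, which leaves the
 * page frameable. {@code ALLOW-FROM} is not supported by current major browsers; a per-origin
 * allow list needs the CSP {@code frame-ancestors} directive instead.
 */
public class XFrameOptionsFilter implements Filter {

    private static final boolean DEFAULT_SHOULD_SET_POLICY = true;
    private static final String DEFAULT_FRAME_POLICY = "SAMEORIGIN";
    private static final String X_FRAME_OPTIONS = "X-Frame-Options";

    /** The system property to set whether the X-Frame-Options header should be set. */
    public static final String GEOSERVER_XFRAME_SHOULD_SET_POLICY = "geoserver.xframe.shouldSetPolicy";

    /** The system property for the value of the X-Frame-Options header. */
    public static final String GEOSERVER_XFRAME_POLICY = "geoserver.xframe.policy";

    /**
     * Whether the X-Frame-Options header should be set at all. Checked on the fly, per request,
     * for easier testing and so that this could become a GUI controlled option in the future.
     *
     * @return {@code true} if the header should be set; the configured property when present and
     *     non-empty, otherwise {@link #DEFAULT_SHOULD_SET_POLICY}
     */
    private static boolean shouldSetPolicy() {
        // Read the property once rather than once for the check and once for the value.
        String configured = GeoServerExtensions.getProperty(GEOSERVER_XFRAME_SHOULD_SET_POLICY);
        if (StringUtils.isNotEmpty(configured)) {
            // Boolean.parseBoolean: anything other than "true" (case-insensitive) disables the header.
            return Boolean.parseBoolean(configured);
        }
        return DEFAULT_SHOULD_SET_POLICY;
    }

    /**
     * The value to write into the X-Frame-Options header.
     *
     * @return the configured {@link #GEOSERVER_XFRAME_POLICY} property when present and non-empty
     *     (not validated against the allowed directives), otherwise {@link #DEFAULT_FRAME_POLICY}
     */
    private static String getFramePolicy() {
        String configured = GeoServerExtensions.getProperty(GEOSERVER_XFRAME_POLICY);
        if (StringUtils.isNotEmpty(configured)) {
            return configured;
        }
        return DEFAULT_FRAME_POLICY;
    }

    /**
     * No initialization is needed; configuration is read from properties on each request.
     *
     * @param filterConfig ignored
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Sets the X-Frame-Options header (when enabled) and then continues the filter chain.
     *
     * @param request the current request, passed through unchanged
     * @param response the response to add the header to
     * @param chain the remainder of the filter chain
     * @throws IOException if the downstream chain throws it
     * @throws ServletException if the downstream chain throws it
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses carry headers; guard the cast rather than failing with a
        // ClassCastException on a non-HTTP response.
        if (shouldSetPolicy() && response instanceof HttpServletResponse) {
            // The header is set before the chain runs so it is in place before the response may
            // be committed downstream; a downstream component that overwrites the header wins.
            ((HttpServletResponse) response).setHeader(X_FRAME_OPTIONS, getFramePolicy());
        }
        chain.doFilter(request, response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}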