X-Frame-Options相关文件

package com.hd.platform.devlActions; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.filters.FilterBase; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; public class CntenHttpHeaderSecurityFilter extends FilterBase{ private static final Log log = LogFactory.getLog(CntenHttpHeaderSecurityFilter.class); private static final String HSTS_HEADER_NAME = "Strict-Transport-Security"; private boolean hstsEnabled; private int hstsMaxAgeSeconds; private boolean hstsIncludeSubDomains; private String hstsHeaderValue; private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options"; private boolean antiClickJackingEnabled; private XFrameOption antiClickJackingOption; private URI antiClickJackingUri; private String antiClickJackingHeaderValue; private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME = "X-Content-Type-Options"; private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff"; private boolean blockContentTypeSniffingEnabled; public CntenHttpHeaderSecurityFilter() { this.hstsEnabled = true; this.hstsMaxAgeSeconds = 0; this.hstsIncludeSubDomains = false; this.antiClickJackingEnabled = true; this.antiClickJackingOption = XFrameOption.DENY; this.blockContentTypeSniffingEnabled = true; } public void init(FilterConfig filterConfig) throws ServletException { super.init(filterConfig); StringBuilder hstsValue = new StringBuilder("max-age="); hstsValue.append(this.hstsMaxAgeSeconds); if (this.hstsIncludeSubDomains) { hstsValue.append(";includeSubDomains"); } this.hstsHeaderValue = hstsValue.toString(); StringBuilder cjValue = new StringBuilder(this.antiClickJackingOption.headerValue); if (this.antiClickJackingOption == XFrameOption.ALLOW_FROM) { cjValue.append(':'); cjValue.append(this.antiClickJackingUri); } this.antiClickJackingHeaderValue = cjValue.toString(); } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (response.isCommitted()) { throw new ServletException(sm.getString("httpHeaderSecurityFilter.committed")); } if ((this.hstsEnabled) && (request.isSecure()) && ((response instanceof HttpServletResponse))) { ((HttpServletResponse)response).setHeader("Strict-Transport-Security", this.hstsHeaderValue); } if ((this.antiClickJackingEnabled) && ((response instanceof HttpServletResponse))) { ((HttpServletResponse)response).setHeader("X-Frame-Options", this.antiClickJackingHeaderValue); } if ((this.blockContentTypeSniffingEnabled) && ((response instanceof HttpServletResponse))) { ((HttpServletResponse)response).setHeader("X-Content-Type-Options", "nosniff"); } chain.doFilter(request, response); } protected Log getLogger() { return log; } protected boolean isConfigProblemFatal() { return true; } public boolean isHstsEnabled() { return this.hstsEnabled; } public void setHstsEnabled(boolean hstsEnabled) { this.hstsEnabled = hstsEnabled; } public int getHstsMaxAgeSeconds() { return this.hstsMaxAgeSeconds; } public void setHstsMaxAgeSeconds(int hstsMaxAgeSeconds) { if (hstsMaxAgeSeconds < 0) this.hstsMaxAgeSeconds = 0; else this.hstsMaxAgeSeconds = hstsMaxAgeSeconds; } public boolean isHstsIncludeSubDomains() { return this.hstsIncludeSubDomains; } public void setHstsIncludeSubDomains(boolean hstsIncludeSubDomains) { this.hstsIncludeSubDomains = hstsIncludeSubDomains; } public boolean isAntiClickJackingEnabled() { return this.antiClickJackingEnabled; } public void setAntiClickJackingEnabled(boolean antiClickJackingEnabled) { this.antiClickJackingEnabled = antiClickJackingEnabled; } public String getAntiClickJackingOption() { return this.antiClickJackingOption.toString(); } public void setAntiClickJackingOption(String antiClickJackingOption) { for (XFrameOption option : XFrameOption.values()) { if (option.getHeaderValue().equalsIgnoreCase(antiClickJackingOption)) { this.antiClickJackingOption = option; return; } } throw new IllegalArgumentException(sm.getString("httpHeaderSecurityFilter.clickjack.invalid", new Object[] { antiClickJackingOption })); } public String getAntiClickJackingUri() { return this.antiClickJackingUri.toString(); } public boolean isBlockContentTypeSniffingEnabled() { return this.blockContentTypeSniffingEnabled; } public void setBlockContentTypeSniffingEnabled(boolean blockContentTypeSniffingEnabled) { this.blockContentTypeSniffingEnabled = blockContentTypeSniffingEnabled; } public void setAntiClickJackingUri(String antiClickJackingUri) { URI uri; try { uri = new URI(antiClickJackingUri); } catch (URISyntaxException e) { uri = null; throw new IllegalArgumentException(e); } this.antiClickJackingUri = uri; } private static enum XFrameOption { DENY("DENY"), SAME_ORIGIN("SAMEORIGIN"), ALLOW_FROM("ALLOW-FROM"); private final String headerValue; private XFrameOption(String headerValue) { this.headerValue = headerValue; } public String getHeaderValue() { return this.headerValue; } } }