package com.hd.platform.devlActions;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.filters.FilterBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
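/**
 * Adds a fixed set of browser security headers to every HTTP response that
 * passes through it (a local copy of Tomcat's HttpHeaderSecurityFilter built
 * on {@link FilterBase}):
 * <ul>
 *   <li>{@code Strict-Transport-Security} (HSTS, RFC 6797) -- secure requests only;</li>
 *   <li>{@code X-Frame-Options} (RFC 7034) -- clickjacking protection, default {@code DENY};</li>
 *   <li>{@code X-Content-Type-Options: nosniff} -- disables MIME sniffing.</li>
 * </ul>
 * All three are on by default. The setters are named after the init-params;
 * presumably {@code FilterBase} (outside this file) invokes them from the
 * filter config before {@link #init(FilterConfig)} -- confirm against FilterBase.
 * Header values are computed once in {@code init}, so a setter called after
 * init has no effect on what is sent.
 */
public class CntenHttpHeaderSecurityFilter extends FilterBase {
    private static final Log log = LogFactory.getLog(CntenHttpHeaderSecurityFilter.class);

    private static final String HSTS_HEADER_NAME = "Strict-Transport-Security";
    private boolean hstsEnabled = true;
    // max-age=0 tells a browser to drop any HSTS policy it has stored for this
    // host, so HSTS only becomes effective once a deployment configures a
    // positive age (via the hstsMaxAgeSeconds init-param).
    private int hstsMaxAgeSeconds = 0;
    private boolean hstsIncludeSubDomains = false;
    private String hstsHeaderValue;

    private static final String ANTI_CLICK_JACKING_HEADER_NAME = "X-Frame-Options";
    private boolean antiClickJackingEnabled = true;
    private XFrameOption antiClickJackingOption = XFrameOption.DENY;
    // Only consulted for ALLOW_FROM; stays null until setAntiClickJackingUri is called.
    private URI antiClickJackingUri;
    private String antiClickJackingHeaderValue;

    private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME = "X-Content-Type-Options";
    private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
    private boolean blockContentTypeSniffingEnabled = true;

    /**
     * Builds the header values from the configured settings; must run after
     * the setters have been applied.
     *
     * @param filterConfig the container-supplied configuration, passed to {@code super.init}
     * @throws ServletException propagated from {@code super.init}, or if
     *         {@code ALLOW-FROM} was selected without a URI
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        StringBuilder hsts = new StringBuilder("max-age=").append(hstsMaxAgeSeconds);
        if (hstsIncludeSubDomains) {
            hsts.append(";includeSubDomains");
        }
        hstsHeaderValue = hsts.toString();

        if (antiClickJackingOption == XFrameOption.ALLOW_FROM) {
            if (antiClickJackingUri == null) {
                // Without this check the header would be sent as "ALLOW-FROM null".
                throw new ServletException(
                        "antiClickJackingUri must be set when antiClickJackingOption is ALLOW-FROM");
            }
            // RFC 7034 separates the ALLOW-FROM token from the origin with
            // whitespace; "ALLOW-FROM:uri" (a colon) is not a valid header value.
            antiClickJackingHeaderValue =
                    antiClickJackingOption.getHeaderValue() + ' ' + antiClickJackingUri;
        } else {
            antiClickJackingHeaderValue = antiClickJackingOption.getHeaderValue();
        }
    }

    /**
     * Sets the enabled headers on the response, then continues the chain.
     * The headers are written before the rest of the chain runs, so a
     * downstream component that resets or overwrites them wins; nothing here
     * re-checks afterwards.
     *
     * @param request  the current request; only {@code isSecure()} is consulted
     * @param response the response to decorate; non-HTTP responses are passed through untouched
     * @param chain    the remaining filter chain
     * @throws ServletException if the response is already committed (headers can
     *         no longer be added), or from the chain
     * @throws IOException from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response.isCommitted()) {
            throw new ServletException(sm.getString("httpHeaderSecurityFilter.committed"));
        }

        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;

            // RFC 6797 requires user agents to ignore an HSTS header received
            // over insecure transport, so it is only sent on secure requests.
            if (hstsEnabled && request.isSecure()) {
                httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
            }
            if (antiClickJackingEnabled) {
                httpResponse.setHeader(ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
            }
            if (blockContentTypeSniffingEnabled) {
                httpResponse.setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
                        BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
            }
        }

        chain.doFilter(request, response);
    }

    /** @return the logger FilterBase should use for this filter */
    protected Log getLogger() {
        return log;
    }

    /**
     * @return {@code true}: presumably this makes FilterBase fail initialisation
     *         on an unknown or invalid init-param instead of logging and
     *         continuing -- confirm against FilterBase, which is outside this file
     */
    protected boolean isConfigProblemFatal() {
        return true;
    }

    public boolean isHstsEnabled() {
        return hstsEnabled;
    }

    public void setHstsEnabled(boolean hstsEnabled) {
        this.hstsEnabled = hstsEnabled;
    }

    public int getHstsMaxAgeSeconds() {
        return hstsMaxAgeSeconds;
    }

    /**
     * @param hstsMaxAgeSeconds the HSTS {@code max-age}; negative values are
     *        clamped to 0 (which, per RFC 6797, clears the browser's stored policy)
     */
    public void setHstsMaxAgeSeconds(int hstsMaxAgeSeconds) {
        this.hstsMaxAgeSeconds = Math.max(0, hstsMaxAgeSeconds);
    }

    public boolean isHstsIncludeSubDomains() {
        return hstsIncludeSubDomains;
    }

    public void setHstsIncludeSubDomains(boolean hstsIncludeSubDomains) {
        this.hstsIncludeSubDomains = hstsIncludeSubDomains;
    }

    public boolean isAntiClickJackingEnabled() {
        return antiClickJackingEnabled;
    }

    public void setAntiClickJackingEnabled(boolean antiClickJackingEnabled) {
        this.antiClickJackingEnabled = antiClickJackingEnabled;
    }

    /**
     * @return the enum constant name (e.g. {@code "SAME_ORIGIN"}), which is NOT
     *         the wire token the setter accepts ({@code "SAMEORIGIN"}); kept
     *         as-is because callers may rely on it
     */
    public String getAntiClickJackingOption() {
        return antiClickJackingOption.toString();
    }

    /**
     * Selects the X-Frame-Options mode by its wire token, case-insensitively:
     * {@code DENY}, {@code SAMEORIGIN} or {@code ALLOW-FROM}.
     *
     * @throws IllegalArgumentException if the token is not one of those three
     */
    public void setAntiClickJackingOption(String antiClickJackingOption) {
        for (XFrameOption option : XFrameOption.values()) {
            if (option.getHeaderValue().equalsIgnoreCase(antiClickJackingOption)) {
                this.antiClickJackingOption = option;
                return;
            }
        }
        throw new IllegalArgumentException(sm.getString("httpHeaderSecurityFilter.clickjack.invalid", new Object[] { antiClickJackingOption }));
    }

    /** @return the ALLOW-FROM origin, or {@code null} if none has been set */
    public String getAntiClickJackingUri() {
        return antiClickJackingUri == null ? null : antiClickJackingUri.toString();
    }

    public boolean isBlockContentTypeSniffingEnabled() {
        return blockContentTypeSniffingEnabled;
    }

    public void setBlockContentTypeSniffingEnabled(boolean blockContentTypeSniffingEnabled) {
        this.blockContentTypeSniffingEnabled = blockContentTypeSniffingEnabled;
    }

    /**
     * Sets the origin used with {@code ALLOW-FROM}; the previous value is kept
     * if parsing fails.
     *
     * @throws IllegalArgumentException wrapping the {@link URISyntaxException}
     *         if the value is not a syntactically valid URI
     */
    public void setAntiClickJackingUri(String antiClickJackingUri) {
        try {
            this.antiClickJackingUri = new URI(antiClickJackingUri);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Supported X-Frame-Options modes, each with the token sent on the wire. */
    private enum XFrameOption {
        DENY("DENY"),
        SAME_ORIGIN("SAMEORIGIN"),
        // ALLOW-FROM is obsolete in current browsers (CSP frame-ancestors replaced
        // it); DENY or SAMEORIGIN is the safe choice unless a legacy client needs it.
        ALLOW_FROM("ALLOW-FROM");

        private final String headerValue;

        XFrameOption(String headerValue) {
            this.headerValue = headerValue;
        }

        public String getHeaderValue() {
            return headerValue;
        }
    }
}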
X-Frame-Options相关文件
点击劫持:X-Frame-Options头缺失 in a frame because it set 'X-Frame-Options' to 'deny'
X-Frame-Options相关文件.zip (4个子文件)
tomcat-juli-9.0.11.jar 46KB
渗透报告.doc 697KB
CntenHttpHeaderSecurityFilter.java 6KB
web.xml 842B
- dragonpeng20082019-07-08感谢提供,有帮助,正好要解决这个问题
- hgghxl2019-05-28有帮助,就是太贵了陕西赢益园林科技有限公司2019-07-16我想了想,都是程序员,程序员何苦难为程序员呢,我给你下载回去吧。我还有些积分陕西赢益园林科技有限公司2019-05-29谢谢