This is an automated email from the ASF dual-hosted git repository. ilgrosso pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/master by this push: new c30b884 Enable security-related HTTP headers in the console c30b884 is described below commit c30b88435355d51baf43c24f05da72f2868635b3 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Thu Feb 14 18:17:43 2019 +0000 Enable security-related HTTP headers in the console --- .../syncope/client/enduser/SyncopeEnduserApplication.java | 2 +- .../syncope/client/enduser/SyncopeWebApplication.java | 14 ++++++++++++++ .../syncope/client/console/SyncopeWebApplication.java | 13 +++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
index c96da75..fb13f42 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
@@ -58,4 +58,4 @@ public class SyncopeEnduserApplication extends SpringBootServletInitializer impl
         lookup.load();
         return lookup;
     }
-}
+}
\ No newline at end of file
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
index f6ba9ad..b5ed2c2 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
@@ -49,6 +49,9 @@ import org.apache.wicket.WicketRuntimeException;
 import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.Request;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
 import org.apache.wicket.request.resource.AbstractResource;
 import org.apache.wicket.request.resource.IResource;
 import org.apache.wicket.request.resource.ResourceReference;
@@ -305,6 +308,17 @@ public class SyncopeWebApplication extends WicketBootSecuredWebApplication {
                 }
             });
         }
+
+        getRequestCycleListeners().add(new IRequestCycleListener() {
+
+            @Override
+            public void onEndRequest(final RequestCycle cycle) {
+                WebResponse response = (WebResponse) cycle.getResponse();
+                response.setHeader("X-XSS-Protection", "1; mode=block");
+                response.setHeader("X-Content-Type-Options", "nosniff");
+                response.setHeader("X-Frame-Options", "sameorigin");
+            }
+        });
     }
 
     @Override
diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
index e59aa76..1e81408 100644
--- a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
+++ b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
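Review bot: The headers in the new `onEndRequest` listener are set after the request handler has already written its output, and the Servlet spec says headers set once the response is committed are ignored by the container, so for large or streamed responses (resource references especially) these three headers may never reach the client; setting them in `onBeginRequest`, before any body is written, makes them deterministic. The unchecked `(WebResponse) cycle.getResponse()` cast will also fail with a `ClassCastException` if something other than a `WebResponse` happens to be the cycle's current response, so guard it: `public void onBeginRequest(final RequestCycle cycle) {` / `if (!(cycle.getResponse() instanceof WebResponse)) { return; }` / `WebResponse response = (WebResponse) cycle.getResponse();`. `X-XSS-Protection: 1; mode=block` is legacy — current browsers have removed the XSS auditor and the usual guidance is now `0` plus a `Content-Security-Policy`; since no CSP is set here, adding `Content-Security-Policy: frame-ancestors 'self'` alongside `X-Frame-Options` would also give the framing restriction a standards-based form. The identical anonymous listener is added again in client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java in this commit; one named `IRequestCycleListener` in the shared client module would keep the two copies from drifting. `init()` begins outside the hunk; only its closing brace is visible.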
@@ -59,6 +59,8 @@ import org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDa
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
 import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
 import org.apache.wicket.request.resource.AbstractResource;
 import org.apache.wicket.request.resource.IResource;
 import org.apache.wicket.request.resource.ResourceReference;
@@ -69,6 +71,7 @@ import org.slf4j.LoggerFactory;
 import org.apache.syncope.client.console.commons.ExternalResourceProvider;
 import org.apache.syncope.client.console.commons.StatusProvider;
 import org.apache.syncope.client.console.commons.VirSchemaDetailsPanelProvider;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -228,6 +231,16 @@ public class SyncopeWebApplication extends WicketBootSecuredWebApplication {
             getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
         }
         getRequestCycleListeners().add(new SyncopeConsoleRequestCycleListener());
+        getRequestCycleListeners().add(new IRequestCycleListener() {
+
+            @Override
+            public void onEndRequest(final RequestCycle cycle) {
+                WebResponse response = (WebResponse) cycle.getResponse();
+                response.setHeader("X-XSS-Protection", "1; mode=block");
+                response.setHeader("X-Content-Type-Options", "nosniff");
+                response.setHeader("X-Frame-Options", "sameorigin");
+            }
+        });
         mountPage("/login", getSignInPageClass());
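Review bot: In the `@@ -69,6 +71,7 @@` hunk, `import org.apache.wicket.request.cycle.IRequestCycleListener;` is dropped between the `org.apache.syncope.client.console.commons` imports and the `org.springframework` ones, whereas the commit's other two Wicket imports (`RequestCycle`, `WebResponse`) were placed in the `org.apache.wicket.request` group in the hunk above. Move it to sit next to `import org.apache.wicket.request.cycle.RequestCycle;` so the Wicket imports stay grouped as in the enduser file; if the build enforces import ordering via checkstyle, the stray line is likely to be flagged there too. The `@@ -228,6 +231,16 @@` hunk that uses these imports continues past the end of this excerpt.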