Author: jleroux
Date: Sat Dec 12 11:37:56 2015
New Revision: 1719660
URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
Log:
1st step for "Secure HTTP headers"
https://issues.apache.org/jira/browse/OFBIZ-6766
Here are X-Frame-Options and Strict-Transport-Security, just a start...
Modified:
ofbiz/trunk/framework/webapp/config/requestHandler.properties
ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
+++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12
11:37:56 2015
@@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
status-code=302
# -- Default Content-Disposition type
-#-- attachment might be replaced by inline if you prefer to offer this option
to your users.
+# attachment might be replaced by inline if you prefer to offer this option
to your users.
# attachment is supposed to be more secure, but this is a bit unclear see
OFBIZ-6702 for details
-content-disposition-type=attachment
\ No newline at end of file
+content-disposition-type=attachment
+
+# -- Should we use strict-transport-security? True by default.
+# Use false if you don't have a certificate or not a signed one and it annoys you to
set "none" for each HTTP request!
+#strict-transport-security=false
\ No newline at end of file
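Review bot: The comment above `#strict-transport-security=false` does not say when this switch is consulted; per RequestHandler.java in this same commit it is read only when a view-map sets no `strict-transport-security` attribute, and a view-map value of `none` already suppresses the header on its own. I would extend the comment: `# Consulted only for view-maps that set no strict-transport-security attribute; a view-map value of "none" disables the header for that view.` Browsers only honour a Strict-Transport-Security header received over HTTPS, so the comment's advice about plain-HTTP annoyance would be clearer if it said the header is simply ignored on insecure connections rather than suggesting "none" per request.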
Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
+++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
@@ -774,5 +774,38 @@ under the License.
</xs:restriction>
</xs:simpleType>
</xs:attribute>
+ <xs:attribute name="x-frame-option" default="sameorigin">
+ <xs:annotation>
+ <xs:documentation>
+ Provides clickjacking protection by instructing browsers
that this page should not be placed within a frame.
+ Possible values are:
+ deny - no rendering within a frame,
+ sameorigin - no rendering if origin mismatch, and
+ allow-from: - allow rendering if framing page is within
the specified URI domain.
+ Allow from is supported by IE and Firefox, but not Chrome
or Safari.
+ It will also interfere with In Page Google Analytics since
it requires your page to be framed by Google.
+ </xs:documentation>
+ </xs:annotation>
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="deny"/>
+ <xs:enumeration value="sameorigin"/>
+ <xs:enumeration value="allow-from"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ <xs:attribute type="xs:string" name="strict-transport-security">
+ <xs:annotation>
+ <xs:documentation>
+ HTTP Strict-Transport-Security (HSTS) enforces secure
(HTTP over SSL/TLS) connections to the server.
+ This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against
Man-in-the-middle attacks.
+ HSTS also disables the ability for users to ignore SSL
negotiation warnings.
+ If the security of the connection cannot be ensured (e.g.
the server's TLS certificate is not trusted),
+ it shows an error message and do not allow the user to
access the web application.
+ As recommended by OWASP, by default "max-age=31536000;
includeSubDomains" is used except if the server is localhost or 127.0.0.1.
+ If the strict-transport-security is "none" then it will
not be used.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
</xs:attributeGroup>
</xs:schema>
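Review bot: The attribute is declared as `x-frame-option` here, but ConfigXMLReader.java in this same commit reads `viewMapElement.getAttribute("x-frame-options")`, so a value set on a view-map under the schema's name is never picked up and the `default="sameorigin"` never reaches the code; since the header itself is X-Frame-Options, renaming this side to `<xs:attribute name="x-frame-options" default="sameorigin">` looks like the right fix (the same mismatch applies to the ConfigXMLReader hunk). The `allow-from` enumeration on an `xs:token` restriction cannot carry the URI that directive requires, so choosing it makes RequestHandler emit a bare `x-frame-options: allow-from` value that browsers will not accept; either drop that enumeration or widen the type to `xs:string` and document the `allow-from <uri>` form. The documentation's statement that the HSTS default is skipped for localhost or 127.0.0.1 has no counterpart in the RequestHandler.java hunk of this commit, so either that check is implemented there or this sentence should go.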
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
Sat Dec 12 11:37:56 2015
@@ -622,6 +622,8 @@ public class ConfigXMLReader {
public String info;
public String contentType;
public String encoding;
+ public String xFrameOption;
+ public String strictTransportSecurity;
public String description;
public boolean noCache = false;
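Review bot: The two new public fields say nothing about what they hold, and a reader of this class cannot see that RequestHandler treats an empty value as "use the default" and the literal `none` as "send no header". I would comment them: `// raw view-map x-frame-options value; empty presumably means absent and RequestHandler then sends "sameorigin"` and `// raw strict-transport-security value; "none" suppresses the header, empty defers to requestHandler.properties`. The enclosing class starts and ends outside the hunk, and the values come from getAttribute in the next hunk, so "empty when absent" should be confirmed against the DOM implementation in use.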
@@ -633,6 +635,8 @@ public class ConfigXMLReader {
this.contentType = viewMapElement.getAttribute("content-type");
this.noCache =
"true".equals(viewMapElement.getAttribute("no-cache"));
this.encoding = viewMapElement.getAttribute("encoding");
+ this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
+ this.strictTransportSecurity =
viewMapElement.getAttribute("strict-transport-security");
this.description = UtilXml.childElementValue(viewMapElement,
"description");
if (UtilValidate.isEmpty(this.page)) {
this.page = this.name;
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Sat Dec 12 11:37:56 2015
@@ -128,7 +128,7 @@ public class RequestHandler {
public void doRequest(HttpServletRequest request, HttpServletResponse
response, String chain,
GenericValue userLogin, Delegator delegator) throws
RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
- final boolean throwRequestHandlerExceptionOnMissingLocalRequest =
EntityUtilProperties.propertyValueEqualsIgnoreCase(
+ final boolean throwRequestHandlerExceptionOnMissingLocalRequest =
EntityUtilProperties.propertyValueEqualsIgnoreCase(
"requestHandler.properties",
"throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
long startTime = System.currentTimeMillis();
HttpSession session = request.getSession();
@@ -694,7 +694,7 @@ public class RequestHandler {
viewName = nextRequestResponse.value;
}
if (UtilValidate.isEmpty(viewName) &&
UtilValidate.isNotEmpty(nextRequestResponse.value)) {
- viewName = nextRequestResponse.value;
+ viewName = nextRequestResponse.value;
}
if (urlParams != null) {
for (Map.Entry<String, Object> urlParamEntry:
urlParams.entrySet()) {
@@ -984,6 +984,26 @@ public class RequestHandler {
UtilHttp.setResponseBrowserProxyNoCache(resp);
if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view
[" + nextPage + "]", module);
}
+
+ String xFrameOption = viewMap.xFrameOption;
+ // default to sameorigin
+ if (UtilValidate.isNotEmpty(xFrameOption)) {
+ resp.addHeader("x-frame-options", xFrameOption);
+ } else {
+ resp.addHeader("x-frame-options", "sameorigin");
+ }
+
+ String strictTransportSecurity = viewMap.strictTransportSecurity;
+ // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1
year
+ if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
+ if (!"none".equals(strictTransportSecurity)) {
+ resp.addHeader("strict-transport-security",
strictTransportSecurity);
+ }
+ } else {
+ if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass
req.getAttribute("delegator") as last argument
+ resp.addHeader("strict-transport-security", "max-age=31536000;
includeSubDomains");
+ }
+ }
try {
if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of
type [" + viewMap.type + "]", module);
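Review bot: The Strict-Transport-Security header is added for every response, including those served over plain HTTP, and the site-conf.xsd documentation in this commit promises that the default is skipped for localhost/127.0.0.1, which nothing in this hunk does; browsers ignore HSTS received over an insecure connection, so wrapping the HSTS block in `if (req.isSecure()) { ... }` and either implementing the localhost exception or correcting the schema text would bring code and documentation together. Both headers are emitted with `addHeader`, which appends rather than replaces; if a filter or a chained view already set X-Frame-Options, the response carries two values and browsers may then refuse to frame at all or disregard the header, so `resp.setHeader("x-frame-options", ...)` and `resp.setHeader("strict-transport-security", ...)` are the safer calls here. The `xFrameOption` value is passed through verbatim, and the schema's `allow-from` enumeration carries no URI, so that configuration would produce an incomplete header; a check that the value is `deny`, `sameorigin` or starts with `allow-from ` would catch it early. The enclosing method starts and ends outside the hunk.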
@@ -1024,7 +1044,7 @@ public class RequestHandler {
*/
@Deprecated
public static String getDefaultServerRootUrl(HttpServletRequest request,
boolean secure) {
- Delegator delegator = (Delegator) request.getAttribute("delegator");
+ Delegator delegator = (Delegator) request.getAttribute("delegator");
String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https",
"443", delegator);
String httpsServer = EntityUtilProperties.getPropertyValue("url",
"force.https.host", delegator);
String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http",
"80", delegator);