
I need to protect my application against clickjacking. It is a Java application deployed on a JBoss 5.1 server. As suggested in many places, the way to get rid of this is to prevent the application from being loaded in an iframe. To do that I tried adding the header to the HTTP response. I added a filter in web.xml and set the X-FRAME-OPTIONS header to DENY. I set the url-pattern to /*. I created an HTML page with an iframe and added the src URL to test it. The application loads as the root of the server, e.g. http://localhost:8080. The header is not applied for this root URL, but it works for the base URL with any other path appended.

Ex:

Is there any other configuration in JBoss 5.1 to get the response header for the root URL?

Here are the changes

web.xml

<filter>
    <filter-name>ClickjackPreventionFilter</filter-name>
    <filter-class>com.base.presentation.filters.ClickJackingPreventionFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping> 
    <filter-name>ClickjackPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

ClickJackingPreventionFilter.java

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds an X-FRAME-OPTIONS header to every response that passes through this
 * filter, so browsers refuse to render the application inside a frame.
 */
public class ClickJackingPreventionFilter implements Filter {
    // Header value; overridden by the "mode" init-param in web.xml (DENY or SAMEORIGIN).
    private String mode = "DENY";

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        // Add the header before delegating, so it is in place before the response is committed.
        res.addHeader("X-FRAME-OPTIONS", mode);
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}

1 Answer


I was able to solve this. I added a JBoss valve. A JBoss valve is more abstract than a filter. Create a class by extending the ValveBase class and add a valve entry in the server.xml file at "jboss-5.1\server\\deploy\jbossweb.sar". Here is the class and the valve entry. The valve entry should be placed inside the Engine >> Host tag.

server.xml entry

<Valve className="com.yourxcompany.jboss.valve.ClickJackingPreventionValve"/>

ClickJackingPreventionValve.java

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;

/**
 * JBoss Web valve that adds X-FRAME-OPTIONS to every response handled by the
 * Host it is registered on, regardless of which web application serves the request.
 */
public class ClickJackingPreventionValve extends ValveBase {

    private static final Logger LOG = Logger.getLogger(ClickJackingPreventionValve.class);

    // System property that overrides the header value, e.g.
    // -Djboss.util.click.jacking.prevent.x.frame.option=DENY
    private static final String PROP_KEY_X_FRAME_OPTION =
            "jboss.util.click.jacking.prevent.x.frame.option";

    private static final String DEFAULT_X_FRAME_OPTION = "SAMEORIGIN";

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String xFrameOption = System.getProperty(PROP_KEY_X_FRAME_OPTION);
        if (xFrameOption == null) {
            xFrameOption = DEFAULT_X_FRAME_OPTION;
        }
        response.addHeader("X-FRAME-OPTIONS", xFrameOption);
        LOG.debug(" ######## SET X-FRAME-OPTIONS to " + xFrameOption + " ############ ");

        // Continue down the valve pipeline to the web application.
        this.getNext().invoke(request, response);
    }
}

Here is another way to add the header to responses. There is a web.xml file at "jboss-5.1\server\\deployers\jbossweb.deployer". In this file there is a filter named "CommonHeadersFilter". You can add the "x-frame-options" header there. I am adding this as another way I tried to solve this issue. But this did not work for the root URL. It may help in another case.

<filter>
    <filter-name>CommonHeadersFilter</filter-name>
    <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
    <init-param>
        <param-name>X-Powered-By</param-name>
        <param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>
    </init-param>
    <init-param>
        <param-name>X-FRAME-OPTIONS</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CommonHeadersFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
answered 2018-08-01T04:17:28.717
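A check for the symptom the question describes, added here as an example that is not part of the question or the answer: `frame_policy()` classifies the anti-framing protection found in a set of response headers (case-insensitive, with duplicate headers and comma-joined values handled, which matters when a filter and a valve both add X-FRAME-OPTIONS), and `audit()` fetches live URLs without following redirects so the root URL's own response is inspected. The captured headers and the `http://localhost:8080` paths are constructed; passing target URLs on the command line is an assumption.

```python
import sys
import urllib.request
from urllib.error import HTTPError

VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete and ignored by current browsers

def frame_policy(headers):
    """Classify framing protection from (name, value) response-header pairs:
    'csp', 'deny', 'sameorigin', 'conflict', 'invalid' or 'missing'."""
    xfo, has_frame_ancestors = [], False
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            # A proxy may merge duplicate headers into one comma-separated line.
            xfo.extend(v.strip().upper() for v in value.split(","))
        elif lname == "content-security-policy" and "frame-ancestors" in value.lower():
            has_frame_ancestors = True
    if has_frame_ancestors:
        return "csp"  # CSP frame-ancestors takes precedence over X-Frame-Options
    if not xfo:
        return "missing"
    if len(set(xfo)) > 1:
        return "conflict"  # e.g. DENY from a filter plus SAMEORIGIN from a valve: browsers resolve this inconsistently
    return xfo[0].lower() if xfo[0] in VALID_XFO else "invalid"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the first response: a redirect from the root URL must itself carry the header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def audit(urls, timeout=5):
    """Fetch each URL (live server required) and return {url: policy}."""
    opener = urllib.request.build_opener(_NoRedirect)
    report = {}
    for url in urls:
        try:
            with opener.open(url, timeout=timeout) as resp:
                report[url] = frame_policy(resp.headers.items())
        except HTTPError as err:  # 3xx/4xx/5xx responses still carry headers
            report[url] = frame_policy(err.headers.items())
    return report

CAPTURED = {  # constructed captures mirroring the question: root unprotected, deeper path protected
    "http://localhost:8080/": [("Content-Type", "text/html")],
    "http://localhost:8080/app/home": [("X-FRAME-OPTIONS", "DENY")],
}

if __name__ == "__main__":
    targets = sys.argv[1:]  # assumption: URLs to check are passed on the command line
    report = audit(targets) if targets else {u: frame_policy(h) for u, h in CAPTURED.items()}
    print("\n".join(f"{p:>10}  {u}" for u, p in report.items()))
```

Run it with no arguments to see the constructed case, or with the root URL and a deeper path of a running server to confirm both responses carry the header.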