
attempt to override a class, remove spring placeholder from substitution
web.xml
cmangeat committed Oct 31, 2024
1 parent 984088f commit ecf1a93
Showing 4 changed files with 660 additions and 9 deletions.
3 changes: 1 addition & 2 deletions pom.xml
Expand Up @@ -96,8 +96,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.11</source>
<target>1.11</target>
<release>11</release>
<debug>true</debug>
<encoding>UTF-8</encoding>
<fork>${fork.javac}</fork>
23 changes: 16 additions & 7 deletions web/pom.xml
Expand Up @@ -8,7 +8,7 @@
<artifactId>geonetwork</artifactId>
<version>4.4.6-0</version>
</parent>

<artifactId>web</artifactId>
<packaging>war</packaging>

Expand All @@ -17,12 +17,12 @@
Web application using maven war overlay functionality to reuse
geonetwork war and hnap schema plugin for ${customer}.
</description>

<properties>
<build.webapp.resources>${project.build.directory}/webapp</build.webapp.resources>
<jetty.env>jetty-env.xml</jetty.env>
</properties>

<dependencies>
<!-- war includes prebuilt geonetwork jars -->
<dependency>
Expand All @@ -32,12 +32,21 @@
<type>war</type>
<scope>runtime</scope>
</dependency>

<!-- used to compile, already included in war -->
<dependency>
<groupId>org.geonetwork-opensource</groupId>
<artifactId>gn-web-app</artifactId>
<version>${project.version}</version>
<scope>provided</scope>
<classifier>classes</classifier>
</dependency>
</dependencies>

<build>
<finalName>geonetwork</finalName>
<plugins>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
Expand All @@ -50,7 +59,7 @@
</overlays>
</configuration>
</plugin>

<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-maven-plugin</artifactId>
Expand All @@ -71,7 +80,7 @@
</dependencies>-->
</plugin>
</plugins>

</build>

</project>
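--- a/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java
+++ b/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java
@@ -0,0 +1,138 @@
+/*
+* Copyright (C) 2001-2016 Food and Agriculture Organization of the
+* United Nations (FAO-UN), United Nations World Food Programme (WFP)
+* and United Nations Environment Programme (UNEP)
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or (at
+* your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+*
+* Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+* Rome - Italy. email: [email protected]
+*/
+package org.fao.geonet.web;
+
+import org.apache.commons.lang.StringUtils;
+import org.fao.geonet.constants.Geonet;
+import org.fao.geonet.utils.Log;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+/**
+* Filter to avoid clickjaking attacks.
+*
+* See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet.
+*
+* Modes supported:
+* - DENY: prevents any domain from framing the content.
+* - SAMEORIGIN, which only allows the current site to frame the content.
+* - ALLOW-FROM uri, which permits the specified 'uri' to frame this page.
+* Not all browsers support this mode.
+*
+* Any other value will default to DENY.
+*
+* Sets X-Frame-Options and Content-Security-Policy (for frame-ancestors) headers.
+*
+* @author Jose García
+*/
+public class XFrameOptionsFilter implements Filter {
+private static String MODE_DENY = "DENY";
+private static String MODE_SAMEORIGIN = "SAMEORIGIN";
+private static String MODE_ALLOWFROM = "ALLOW-FROM";
+
+private String mode;
+private String url;
+private String domain;
+
+public void init(FilterConfig filterConfig) throws ServletException {
+mode = filterConfig.getInitParameter("mode");
+url = filterConfig.getInitParameter("url");
+
+// Mode: DENY, SAMEORIGIN, ALLOW-FROM. Any other value will default to SAMEORIGIN
+if (!mode.equals(MODE_DENY) && !mode.equals(MODE_SAMEORIGIN) && !mode.equals(MODE_ALLOWFROM)) {
+mode = MODE_DENY;
+}
+
+// If ALLOW-FROM, make sure a valid url is given, otherwise fallback to deny
+if (mode.equals(MODE_ALLOWFROM)) {
+if (StringUtils.isEmpty(url)) {
+Log.info(Geonet.GEONETWORK,
+"XFrameOptions filter url parameter is missing for mode ALLOW-FROM. Setting mode to DENY.");
+mode = MODE_DENY;
+} else {
+domain = url;
+}
+}
+
+if (Log.isDebugEnabled(Geonet.GEONETWORK)) {
+Log.debug(Geonet.GEONETWORK, String.format(
+"XFrameOptions filter initialized. Using mode %s.", getXFrameOptionsValue()));
+}
+
+}
+
+
+public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+FilterChain filterChain) throws IOException, ServletException {
+
+HttpServletResponse response = (HttpServletResponse) servletResponse;
+response.addHeader("X-Frame-Options", getXFrameOptionsValue());
+response.addHeader("Content-Security-Policy", getContentSecurityPolicyFramAncestorsValue());
+
+filterChain.doFilter(servletRequest, response);
+}
+
+
+public void destroy() {
+}
+
+
+/**
+* Calculates the X-Frame-Options header value.
+*
+* @return X-Frame-Options header value.
+*/
+private String getXFrameOptionsValue() {
+if (mode.equals(MODE_ALLOWFROM)) {
+return mode + " " + url;
+} else {
+return mode;
+}
+}
+
+
+/**
+* Calculates the Content-Security-Policy header frame-ancestors value.
+*
+* @return Content-Security-Policy header frame-ancestors value.
+*/
+private String getContentSecurityPolicyFramAncestorsValue() {
+if (mode.equals(MODE_SAMEORIGIN)) {
+return "frame-ancestors 'self'";
+} else if (mode.equals(MODE_ALLOWFROM)) {
+return "frame-ancestors " + domain;
+} else {
+return "frame-ancestors 'none'";
+}
+}
+
+}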
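Review bot: In init(), the chain `!mode.equals(MODE_DENY) && ...` dereferences the raw value of getInitParameter("mode"), so a web.xml that omits the `mode` init-param throws a NullPointerException at filter startup instead of falling back to DENY as the class Javadoc promises; guarding it as `if (mode == null || (!mode.equals(MODE_DENY) && !mode.equals(MODE_SAMEORIGIN) && !mode.equals(MODE_ALLOWFROM))) {` keeps the documented fail-closed behaviour. The inline comment on that block also says "Any other value will default to SAMEORIGIN" while the code and the class Javadoc both say DENY; the comment should read `// Mode: DENY, SAMEORIGIN, ALLOW-FROM. Any other value will default to DENY`. doFilter() uses `addHeader` for both X-Frame-Options and Content-Security-Policy, which appends rather than replaces; if, as the commit title suggests, this class is meant to override a filter that already emits these headers, duplicate X-Frame-Options values are handled inconsistently across browsers, so `setHeader` is the safer choice if that is the intent. The "make sure a valid url is given" comment is only backed by an isEmpty check, and the `URL`/`MalformedURLException` imports are unused, which suggests a parse-and-validate step for the ALLOW-FROM value was intended but not written; the MODE_* constants should also be `private static final`.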
