Posted to commits@syncope.apache.org by il...@apache.org on 2019/02/15 12:09:15 UTC

[syncope] branch master updated: Enable security-related HTTP headers in the console

This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/master by this push:
     new c30b884  Enable security-related HTTP headers in the console
c30b884 is described below

commit c30b88435355d51baf43c24f05da72f2868635b3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Feb 14 18:17:43 2019 +0000

    Enable security-related HTTP headers in the console
---
 .../syncope/client/enduser/SyncopeEnduserApplication.java  |  2 +-
 .../syncope/client/enduser/SyncopeWebApplication.java      | 14 ++++++++++++++
 .../syncope/client/console/SyncopeWebApplication.java      | 13 +++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
index c96da75..fb13f42 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
@@ -58,4 +58,4 @@ public class SyncopeEnduserApplication extends SpringBootServletInitializer impl
         lookup.load();
         return lookup;
     }
-}
+}
\ No newline at end of file
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
index f6ba9ad..b5ed2c2 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
@@ -49,6 +49,9 @@ import org.apache.wicket.WicketRuntimeException;
 import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.Request;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
 import org.apache.wicket.request.resource.AbstractResource;
 import org.apache.wicket.request.resource.IResource;
 import org.apache.wicket.request.resource.ResourceReference;
@@ -305,6 +308,17 @@ public class SyncopeWebApplication extends WicketBootSecuredWebApplication {
                 }
             });
         }
+
+        getRequestCycleListeners().add(new IRequestCycleListener() {
+
+            @Override
+            public void onEndRequest(final RequestCycle cycle) {
+                WebResponse response = (WebResponse) cycle.getResponse();
+                response.setHeader("X-XSS-Protection", "1; mode=block");
+                response.setHeader("X-Content-Type-Options", "nosniff");
+                response.setHeader("X-Frame-Options", "sameorigin");
+            }
+        });
     }
 
     @Override
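Review bot: The unconditional cast `(WebResponse) cycle.getResponse()` on the first line of the new onEndRequest will throw ClassCastException whenever the current response is not a WebResponse — RequestCycle.getResponse() is typed as the more general Response, and in unit tests or when a handler has substituted another response type this is not guaranteed to hold; since `Response` is already imported in this file, guard it with `Response response = cycle.getResponse(); if (!(response instanceof WebResponse)) { return; }` before setting the headers. Setting headers at end of request also relies on the response not yet being committed: that appears to hold with Wicket's default buffered WebResponse, but if buffering is disabled or the body has already been flushed the servlet container silently drops late headers, so a comment stating that assumption (or setting them earlier in the cycle, e.g. in onBeginRequest) would make the intent verifiable. Worth documenting as well that `X-XSS-Protection` has since been removed from major browsers and can itself act as a side channel, with `Content-Security-Policy` being the maintained replacement, and that `Referrer-Policy` and, where TLS is terminated at the application, `Strict-Transport-Security` are commonly added alongside `X-Content-Type-Options` and `X-Frame-Options`. The same anonymous listener is added to the console's SyncopeWebApplication in this commit; a single shared named class would keep the two copies from drifting.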
diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
index e59aa76..1e81408 100644
--- a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
+++ b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
@@ -59,6 +59,8 @@ import org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDa
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
 import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
 import org.apache.wicket.request.resource.AbstractResource;
 import org.apache.wicket.request.resource.IResource;
 import org.apache.wicket.request.resource.ResourceReference;
@@ -69,6 +71,7 @@ import org.slf4j.LoggerFactory;
 import org.apache.syncope.client.console.commons.ExternalResourceProvider;
 import org.apache.syncope.client.console.commons.StatusProvider;
 import org.apache.syncope.client.console.commons.VirSchemaDetailsPanelProvider;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -228,6 +231,16 @@ public class SyncopeWebApplication extends WicketBootSecuredWebApplication {
             getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
         }
         getRequestCycleListeners().add(new SyncopeConsoleRequestCycleListener());
+        getRequestCycleListeners().add(new IRequestCycleListener() {
+
+            @Override
+            public void onEndRequest(final RequestCycle cycle) {
+                WebResponse response = (WebResponse) cycle.getResponse();
+                response.setHeader("X-XSS-Protection", "1; mode=block");
+                response.setHeader("X-Content-Type-Options", "nosniff");
+                response.setHeader("X-Frame-Options", "sameorigin");
+            }
+        });
 
         mountPage("/login", getSignInPageClass());