Posted to commits@syncope.apache.org by il...@apache.org on 2019/02/15 12:09:15 UTC
[syncope] branch master updated: Enable security-related HTTP
headers in the console
This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/master by this push:
new c30b884 Enable security-related HTTP headers in the console
c30b884 is described below
commit c30b88435355d51baf43c24f05da72f2868635b3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Feb 14 18:17:43 2019 +0000
Enable security-related HTTP headers in the console
---
.../syncope/client/enduser/SyncopeEnduserApplication.java | 2 +-
.../syncope/client/enduser/SyncopeWebApplication.java | 14 ++++++++++++++
.../syncope/client/console/SyncopeWebApplication.java | 13 +++++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
index c96da75..fb13f42 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeEnduserApplication.java
@@ -58,4 +58,4 @@ public class SyncopeEnduserApplication extends SpringBootServletInitializer impl
lookup.load();
return lookup;
}
-}
+}
\ No newline at end of file
diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
index f6ba9ad..b5ed2c2 100644
--- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
+++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/SyncopeWebApplication.java
@@ -49,6 +49,9 @@ import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Response;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.resource.AbstractResource;
import org.apache.wicket.request.resource.IResource;
import org.apache.wicket.request.resource.ResourceReference;
@@ -305,6 +308,17 @@ public class SyncopeWebApplication extends WicketBootSecuredWebApplication {
}
});
}
+
+ getRequestCycleListeners().add(new IRequestCycleListener() {
+
+ @Override
+ public void onEndRequest(final RequestCycle cycle) {
+ WebResponse response = (WebResponse) cycle.getResponse();
+ response.setHeader("X-XSS-Protection", "1; mode=block");
+ response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("X-Frame-Options", "sameorigin");
+ }
+ });
}
@Override
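Review bot: The unchecked cast `(WebResponse) cycle.getResponse()` in onEndRequest runs for every request cycle, and Wicket does not guarantee the current response is a WebResponse (it can be swapped for another Response type, e.g. when a page is rendered to a string or under a test harness), so a non-web response would turn into a ClassCastException at the end of an otherwise successful request. Guard the cast instead, using the `Response` type the file already imports: `Response raw = cycle.getResponse();` / `if (!(raw instanceof WebResponse)) { return; }` / `WebResponse response = (WebResponse) raw;`. The same listener body is duplicated verbatim in the console SyncopeWebApplication hunk, which has the same cast; a single named listener class shared by both applications would avoid fixing the header list in two places. Presumably onEndRequest is late enough for buffered page responses, but for responses whose headers were already flushed these setHeader calls would be silently ignored, so it is worth confirming the headers actually appear on resource responses as well. The init method that contains this listener registration starts outside the hunk.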
diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
index e59aa76..1e81408 100644
--- a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
+++ b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/SyncopeWebApplication.java
@@ -59,6 +59,8 @@ import org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDa
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.resource.AbstractResource;
import org.apache.wicket.request.resource.IResource;
import org.apache.wicket.request.resource.ResourceReference;
@@ -69,6 +71,7 @@ import org.slf4j.LoggerFactory;
import org.apache.syncope.client.console.commons.ExternalResourceProvider;
import org.apache.syncope.client.console.commons.StatusProvider;
import org.apache.syncope.client.console.commons.VirSchemaDetailsPanelProvider;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@@ -228,6 +231,16 @@ public class SyncopeWebApplication extends WicketBootSecuredWebApplication {
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
}
getRequestCycleListeners().add(new SyncopeConsoleRequestCycleListener());
+ getRequestCycleListeners().add(new IRequestCycleListener() {
+
+ @Override
+ public void onEndRequest(final RequestCycle cycle) {
+ WebResponse response = (WebResponse) cycle.getResponse();
+ response.setHeader("X-XSS-Protection", "1; mode=block");
+ response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("X-Frame-Options", "sameorigin");
+ }
+ });
mountPage("/login", getSignInPageClass());