Posted to dev@ofbiz.apache.org by Michael Brohl <mi...@ecomify.de> on 2017/10/24 18:04:38 UTC
Re: svn commit: r1719660 - in /ofbiz/trunk/framework/webapp:
config/requestHandler.properties dtd/site-conf.xsd
src/org/ofbiz/webapp/control/ConfigXMLReader.java
src/org/ofbiz/webapp/control/RequestHandler.java
Hi Jacques,
how can I configure a view so that no x-frame-options header is set?
While it is great to have these security options and also have a secure
default, there are cases where you might want to switch these header
settings off.
Thanks and regards,
Michael
Am 12.12.15 um 12:37 schrieb jleroux@apache.org:
> Author: jleroux
> Date: Sat Dec 12 11:37:56 2015
> New Revision: 1719660
>
> URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
> Log:
> 1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766
>
> Here are X-Frame-Options and Strict-Transport-Security, just a start...
>
> Modified:
> ofbiz/trunk/framework/webapp/config/requestHandler.properties
> ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>
> Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
> +++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015
> @@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
> status-code=302
>
> # -- Default Content-Disposition type
> -#-- attachment might be replaced by inline if you prefer to offer this option to your users.
> +# attachment might be replaced by inline if you prefer to offer this option to your users.
> # attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
> -content-disposition-type=attachment
> \ No newline at end of file
> +content-disposition-type=attachment
> +
> +# -- Should we use strict-transport-security? True by default.
> +# Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request!
> +#strict-transport-security=false
> \ No newline at end of file
>
> Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
> +++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
> @@ -774,5 +774,38 @@ under the License.
> </xs:restriction>
> </xs:simpleType>
> </xs:attribute>
> + <xs:attribute name="x-frame-option" default="sameorigin">
> + <xs:annotation>
> + <xs:documentation>
> + Provides clickjacking protection by instructing browsers that this page should not be placed within a frame.
> + Possible values are:
> + deny - no rendering within a frame,
> + sameorigin - no rendering if origin mismatch, and
> + allow-from: - allow rendering if framing page is within the specified URI domain.
> + Allow from is supported by IE and Firefox, but not Chrome or Safari.
> + It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
> + </xs:documentation>
> + </xs:annotation>
> + <xs:simpleType>
> + <xs:restriction base="xs:token">
> + <xs:enumeration value="deny"/>
> + <xs:enumeration value="sameorigin"/>
> + <xs:enumeration value="allow-from"/>
> + </xs:restriction>
> + </xs:simpleType>
> + </xs:attribute>
> + <xs:attribute type="xs:string" name="strict-transport-security">
> + <xs:annotation>
> + <xs:documentation>
> + HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
> + This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks.
> + HSTS also disables the ability for users to ignore SSL negotiation warnings.
> + If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted),
> + it shows an error message and do not allow the user to access the web application.
> + As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1.
> + If the strict-transport-security is "none" then it will not be used.
> + </xs:documentation>
> + </xs:annotation>
> + </xs:attribute>
> </xs:attributeGroup>
> </xs:schema>
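Review bot: The attribute declared here is `x-frame-option` (the `<xs:attribute name="x-frame-option" default="sameorigin">` line), but the ConfigXMLReader hunk in this same commit reads `viewMapElement.getAttribute("x-frame-options")`, so a value written with the schema-valid name is never read and every view silently falls back to the sameorigin default in RequestHandler; rename one side so they agree, e.g. `<xs:attribute name="x-frame-options" default="sameorigin">`, which also matches the response header name. The `allow-from` enumeration value cannot carry the URI the documentation above it describes, so as restricted to a bare token it would be emitted as an incomplete header value; the restriction would need to accept a pattern or `xs:string` for that value to be usable. The HSTS documentation states the header is skipped for localhost or 127.0.0.1, but no such check appears in the RequestHandler hunk of this commit, so that sentence should be removed or the check added there.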
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015
> @@ -622,6 +622,8 @@ public class ConfigXMLReader {
> public String info;
> public String contentType;
> public String encoding;
> + public String xFrameOption;
> + public String strictTransportSecurity;
> public String description;
> public boolean noCache = false;
>
> @@ -633,6 +635,8 @@ public class ConfigXMLReader {
> this.contentType = viewMapElement.getAttribute("content-type");
> this.noCache = "true".equals(viewMapElement.getAttribute("no-cache"));
> this.encoding = viewMapElement.getAttribute("encoding");
> + this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
> + this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security");
> this.description = UtilXml.childElementValue(viewMapElement, "description");
> if (UtilValidate.isEmpty(this.page)) {
> this.page = this.name;
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015
> @@ -128,7 +128,7 @@ public class RequestHandler {
> public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
> GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
>
> - final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
> + final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
> "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
> long startTime = System.currentTimeMillis();
> HttpSession session = request.getSession();
> @@ -694,7 +694,7 @@ public class RequestHandler {
> viewName = nextRequestResponse.value;
> }
> if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) {
> - viewName = nextRequestResponse.value;
> + viewName = nextRequestResponse.value;
> }
> if (urlParams != null) {
> for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) {
> @@ -984,6 +984,26 @@ public class RequestHandler {
> UtilHttp.setResponseBrowserProxyNoCache(resp);
> if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
> }
> +
> + String xFrameOption = viewMap.xFrameOption;
> + // default to sameorigin
> + if (UtilValidate.isNotEmpty(xFrameOption)) {
> + resp.addHeader("x-frame-options", xFrameOption);
> + } else {
> + resp.addHeader("x-frame-options", "sameorigin");
> + }
> +
> + String strictTransportSecurity = viewMap.strictTransportSecurity;
> + // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
> + if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
> + if (!"none".equals(strictTransportSecurity)) {
> + resp.addHeader("strict-transport-security", strictTransportSecurity);
> + }
> + } else {
> + if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") as last argument
> + resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
> + }
> + }
>
> try {
> if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
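Review bot: The default HSTS branch (the `else` after the `"none"` check) sends `max-age=31536000; includeSubDomains` unconditionally, while the site-conf.xsd documentation in this commit promises the header is not sent when the server is localhost or 127.0.0.1; one of the two should change, and if the exemption is intended the host check belongs here, before the `resp.addHeader("strict-transport-security", ...)` call. The FIXME on the `getPropertyAsBoolean` call means entity-backed overrides of `strict-transport-security` are not consulted until the delegator is passed, which is worth stating in the properties file comment so operators do not expect the override to work. Both headers are emitted with `resp.addHeader`, which appends rather than replaces; `resp.setHeader("x-frame-options", ...)` and `resp.setHeader("strict-transport-security", ...)` would avoid a duplicated header if this block is reached more than once for the same response. The enclosing method starts and ends outside the hunk.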
> @@ -1024,7 +1044,7 @@ public class RequestHandler {
> */
> @Deprecated
> public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) {
> - Delegator delegator = (Delegator) request.getAttribute("delegator");
> + Delegator delegator = (Delegator) request.getAttribute("delegator");
> String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator);
> String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator);
> String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator);
>
>
Re: svn commit: r1719660 - in /ofbiz/trunk/framework/webapp:
config/requestHandler.properties dtd/site-conf.xsd
src/org/ofbiz/webapp/control/ConfigXMLReader.java
src/org/ofbiz/webapp/control/RequestHandler.java
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Michael,
Just saw this message, the Jira and your patch, +1 for the whole
Thanks
Jacques
Le 24/10/2017 à 20:04, Michael Brohl a écrit :
> Hi Jacques,
>
> how can I configure a view so that no x-frame-options header is set?
>
> While it is great to have these security options and also have a secure default, there are cases where you might want to switch these header settings
> off.
>
> Thanks and regards,
>
> Michael
>
>
> Am 12.12.15 um 12:37 schrieb jleroux@apache.org:
>> Author: jleroux
>> Date: Sat Dec 12 11:37:56 2015
>> New Revision: 1719660
>>
>> URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
>> Log:
>> 1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766
>>
>> Here are X-Frame-Options and Strict-Transport-Security, just a start...
>>
>> Modified:
>> ofbiz/trunk/framework/webapp/config/requestHandler.properties
>> ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
>> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
>> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>>
>> Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
>> +++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015
>> @@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
>> status-code=302
>> # -- Default Content-Disposition type
>> -#-- attachment might be replaced by inline if you prefer to offer this option to your users.
>> +# attachment might be replaced by inline if you prefer to offer this option to your users.
>> # attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
>> -content-disposition-type=attachment
>> \ No newline at end of file
>> +content-disposition-type=attachment
>> +
>> +# -- Should we use strict-transport-security? True by default.
>> +# Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request!
>> +#strict-transport-security=false
>> \ No newline at end of file
>>
>> Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
>> +++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
>> @@ -774,5 +774,38 @@ under the License.
>> </xs:restriction>
>> </xs:simpleType>
>> </xs:attribute>
>> + <xs:attribute name="x-frame-option" default="sameorigin">
>> + <xs:annotation>
>> + <xs:documentation>
>> + Provides clickjacking protection by instructing browsers that this page should not be placed within a frame.
>> + Possible values are:
>> + deny - no rendering within a frame,
>> + sameorigin - no rendering if origin mismatch, and
>> + allow-from: - allow rendering if framing page is within the specified URI domain.
>> + Allow from is supported by IE and Firefox, but not Chrome or Safari.
>> + It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
>> + </xs:documentation>
>> + </xs:annotation>
>> + <xs:simpleType>
>> + <xs:restriction base="xs:token">
>> + <xs:enumeration value="deny"/>
>> + <xs:enumeration value="sameorigin"/>
>> + <xs:enumeration value="allow-from"/>
>> + </xs:restriction>
>> + </xs:simpleType>
>> + </xs:attribute>
>> + <xs:attribute type="xs:string" name="strict-transport-security">
>> + <xs:annotation>
>> + <xs:documentation>
>> + HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
>> + This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against
>> Man-in-the-middle attacks.
>> + HSTS also disables the ability for users to ignore SSL negotiation warnings.
>> + If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted),
>> + it shows an error message and do not allow the user to access the web application.
>> + As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1.
>> + If the strict-transport-security is "none" then it will not be used.
>> + </xs:documentation>
>> + </xs:annotation>
>> + </xs:attribute>
>> </xs:attributeGroup>
>> </xs:schema>
>>
>> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
>> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015
>> @@ -622,6 +622,8 @@ public class ConfigXMLReader {
>> public String info;
>> public String contentType;
>> public String encoding;
>> + public String xFrameOption;
>> + public String strictTransportSecurity;
>> public String description;
>> public boolean noCache = false;
>> @@ -633,6 +635,8 @@ public class ConfigXMLReader {
>> this.contentType = viewMapElement.getAttribute("content-type");
>> this.noCache = "true".equals(viewMapElement.getAttribute("no-cache"));
>> this.encoding = viewMapElement.getAttribute("encoding");
>> + this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
>> + this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security");
>> this.description = UtilXml.childElementValue(viewMapElement, "description");
>> if (UtilValidate.isEmpty(this.page)) {
>> this.page = this.name;
>>
>> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
>> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015
>> @@ -128,7 +128,7 @@ public class RequestHandler {
>> public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
>> GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
>> - final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
>> + final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
>> "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
>> long startTime = System.currentTimeMillis();
>> HttpSession session = request.getSession();
>> @@ -694,7 +694,7 @@ public class RequestHandler {
>> viewName = nextRequestResponse.value;
>> }
>> if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) {
>> - viewName = nextRequestResponse.value;
>> + viewName = nextRequestResponse.value;
>> }
>> if (urlParams != null) {
>> for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) {
>> @@ -984,6 +984,26 @@ public class RequestHandler {
>> UtilHttp.setResponseBrowserProxyNoCache(resp);
>> if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
>> }
>> +
>> + String xFrameOption = viewMap.xFrameOption;
>> + // default to sameorigin
>> + if (UtilValidate.isNotEmpty(xFrameOption)) {
>> + resp.addHeader("x-frame-options", xFrameOption);
>> + } else {
>> + resp.addHeader("x-frame-options", "sameorigin");
>> + }
>> +
>> + String strictTransportSecurity = viewMap.strictTransportSecurity;
>> + // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
>> + if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
>> + if (!"none".equals(strictTransportSecurity)) {
>> + resp.addHeader("strict-transport-security", strictTransportSecurity);
>> + }
>> + } else {
>> + if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass
>> req.getAttribute("delegator") as last argument
>> + resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
>> + }
>> + }
>> try {
>> if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
>> @@ -1024,7 +1044,7 @@ public class RequestHandler {
>> */
>> @Deprecated
>> public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) {
>> - Delegator delegator = (Delegator) request.getAttribute("delegator");
>> + Delegator delegator = (Delegator) request.getAttribute("delegator");
>> String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator);
>> String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator);
>> String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator);
>>
>>
>
>