Re: svn commit: r1719660 - in /ofbiz/trunk/framework/webapp: config/requestHandler.properties dtd/site-conf.xsd src/org/ofbiz/webapp/control/ConfigXMLReader.java src/org/ofbiz/webapp/control/RequestHandler.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r1719660 - in /ofbiz/trunk/framework/webapp: config/requestHandler.properties dtd/site-conf.xsd src/org/ofbiz/webapp/control/ConfigXMLReader.java src/org/ofbiz/webapp/control/RequestHandler.java

Michael Brohl-3
Hi Jacques,

how can I configure a view so that no x-frame-options header is set?

While it is great to have these security options and also have a secure
default, there are cases where you might want to switch this header
settings off.

Thanks and regards,

Michael


Am 12.12.15 um 12:37 schrieb [hidden email]:

> Author: jleroux
> Date: Sat Dec 12 11:37:56 2015
> New Revision: 1719660
>
> URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
> Log:
> 1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766
>
> Here are X-Frame-Options and Strict-Transport-Security, just a start...
>
> Modified:
>      ofbiz/trunk/framework/webapp/config/requestHandler.properties
>      ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
>      ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
>      ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>
> Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
> +++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015
> @@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
>   status-code=302
>  
>   # -- Default Content-Disposition type
> -#-- attachment might be replaced by inline if you prefer to offer this option to your users.
> +#   attachment might be replaced by inline if you prefer to offer this option to your users.
>   #   attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
> -content-disposition-type=attachment
> \ No newline at end of file
> +content-disposition-type=attachment
> +
> +# -- Should we use strict-transport-security? True by default.
> +#    Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request!
> +#strict-transport-security=false
> \ No newline at end of file
>
> Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
> +++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
> @@ -774,5 +774,38 @@ under the License.
>                   </xs:restriction>
>               </xs:simpleType>
>           </xs:attribute>
> +        <xs:attribute name="x-frame-option" default="sameorigin">
> +            <xs:annotation>
> +                <xs:documentation>
> +                    Provides clickjacking protection by instructing browsers that this page should not be placed within a frame.
> +                    Possible values are:
> +                    deny - no rendering within a frame,
> +                    sameorigin - no rendering if origin mismatch, and
> +                    allow-from: - allow rendering if framing page is within the specified URI domain.
> +                    Allow from is supported by IE and Firefox, but not Chrome or Safari.
> +                    It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
> +                </xs:documentation>
> +            </xs:annotation>
> +            <xs:simpleType>
> +                <xs:restriction base="xs:token">
> +                    <xs:enumeration value="deny"/>
> +                    <xs:enumeration value="sameorigin"/>
> +                    <xs:enumeration value="allow-from"/>
> +                </xs:restriction>
> +            </xs:simpleType>
> +        </xs:attribute>
> +        <xs:attribute type="xs:string" name="strict-transport-security">
> +            <xs:annotation>
> +                <xs:documentation>
> +                    HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
> +                    This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks.
> +                    HSTS also disables the ability for users to ignore SSL negotiation warnings.
> +                    If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted),
> +                    it shows an error message and do not allow the user to access the web application.
> +                    As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1.
> +                    If the strict-transport-security is "none" then it will not be used.
> +                </xs:documentation>
> +            </xs:annotation>
> +        </xs:attribute>
>       </xs:attributeGroup>
>   </xs:schema>
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015
> @@ -622,6 +622,8 @@ public class ConfigXMLReader {
>           public String info;
>           public String contentType;
>           public String encoding;
> +        public String xFrameOption;
> +        public String strictTransportSecurity;
>           public String description;
>           public boolean noCache = false;
>  
> @@ -633,6 +635,8 @@ public class ConfigXMLReader {
>               this.contentType = viewMapElement.getAttribute("content-type");
>               this.noCache = "true".equals(viewMapElement.getAttribute("no-cache"));
>               this.encoding = viewMapElement.getAttribute("encoding");
> +            this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
> +            this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security");
>               this.description = UtilXml.childElementValue(viewMapElement, "description");
>               if (UtilValidate.isEmpty(this.page)) {
>                   this.page = this.name;
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015
> @@ -128,7 +128,7 @@ public class RequestHandler {
>       public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
>               GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
>  
> -     final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
> +        final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
>                   "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
>           long startTime = System.currentTimeMillis();
>           HttpSession session = request.getSession();
> @@ -694,7 +694,7 @@ public class RequestHandler {
>                       viewName = nextRequestResponse.value;
>                   }
>                   if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) {
> -                 viewName = nextRequestResponse.value;
> +                    viewName = nextRequestResponse.value;
>                   }
>                   if (urlParams != null) {
>                       for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) {
> @@ -984,6 +984,26 @@ public class RequestHandler {
>              UtilHttp.setResponseBrowserProxyNoCache(resp);
>              if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
>           }
> +
> +        String xFrameOption = viewMap.xFrameOption;
> +        // default to sameorigin
> +        if (UtilValidate.isNotEmpty(xFrameOption)) {
> +            resp.addHeader("x-frame-options", xFrameOption);
> +        } else {
> +            resp.addHeader("x-frame-options", "sameorigin");
> +        }
> +
> +        String strictTransportSecurity = viewMap.strictTransportSecurity;
> +        // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
> +        if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
> +            if (!"none".equals(strictTransportSecurity)) {
> +                resp.addHeader("strict-transport-security", strictTransportSecurity);
> +            }
> +        } else {
> +            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") as last argument
> +                resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
> +            }
> +        }
>  
>           try {
>               if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
> @@ -1024,7 +1044,7 @@ public class RequestHandler {
>        */
>       @Deprecated
>       public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) {
> -     Delegator delegator = (Delegator) request.getAttribute("delegator");
> +        Delegator delegator = (Delegator) request.getAttribute("delegator");
>           String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator);
>           String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator);
>           String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator);
>
>


smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r1719660 - in /ofbiz/trunk/framework/webapp: config/requestHandler.properties dtd/site-conf.xsd src/org/ofbiz/webapp/control/ConfigXMLReader.java src/org/ofbiz/webapp/control/RequestHandler.java

Jacques Le Roux
Administrator
Hi Michael,

Just saw this message, the Jira and your patch, +1 for the whole

Thanks

Jacques


Le 24/10/2017 à 20:04, Michael Brohl a écrit :

> Hi Jacques,
>
> how can I configure a view so that no x-frame-options header is set?
>
> While it is great to have these security options and also have a secure default, there are cases where you might want to switch this header settings
> off.
>
> Thanks and regards,
>
> Michael
>
>
> Am 12.12.15 um 12:37 schrieb [hidden email]:
>> Author: jleroux
>> Date: Sat Dec 12 11:37:56 2015
>> New Revision: 1719660
>>
>> URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
>> Log:
>> 1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766
>>
>> Here are X-Frame-Options and Strict-Transport-Security, just a start...
>>
>> Modified:
>> ofbiz/trunk/framework/webapp/config/requestHandler.properties
>>      ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
>> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
>> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>>
>> Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
>> +++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015
>> @@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
>>   status-code=302
>>     # -- Default Content-Disposition type
>> -#-- attachment might be replaced by inline if you prefer to offer this option to your users.
>> +#   attachment might be replaced by inline if you prefer to offer this option to your users.
>>   #   attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
>> -content-disposition-type=attachment
>> \ No newline at end of file
>> +content-disposition-type=attachment
>> +
>> +# -- Should we use strict-transport-security? True by default.
>> +#    Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request!
>> +#strict-transport-security=false
>> \ No newline at end of file
>>
>> Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
>> +++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
>> @@ -774,5 +774,38 @@ under the License.
>>                   </xs:restriction>
>>               </xs:simpleType>
>>           </xs:attribute>
>> +        <xs:attribute name="x-frame-option" default="sameorigin">
>> +            <xs:annotation>
>> +                <xs:documentation>
>> +                    Provides clickjacking protection by instructing browsers that this page should not be placed within a frame.
>> +                    Possible values are:
>> +                    deny - no rendering within a frame,
>> +                    sameorigin - no rendering if origin mismatch, and
>> +                    allow-from: - allow rendering if framing page is within the specified URI domain.
>> +                    Allow from is supported by IE and Firefox, but not Chrome or Safari.
>> +                    It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
>> +                </xs:documentation>
>> +            </xs:annotation>
>> +            <xs:simpleType>
>> +                <xs:restriction base="xs:token">
>> +                    <xs:enumeration value="deny"/>
>> +                    <xs:enumeration value="sameorigin"/>
>> +                    <xs:enumeration value="allow-from"/>
>> +                </xs:restriction>
>> +            </xs:simpleType>
>> +        </xs:attribute>
>> +        <xs:attribute type="xs:string" name="strict-transport-security">
>> +            <xs:annotation>
>> +                <xs:documentation>
>> +                    HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
>> +                    This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against
>> Man-in-the-middle attacks.
>> +                    HSTS also disables the ability for users to ignore SSL negotiation warnings.
>> +                    If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted),
>> +                    it shows an error message and do not allow the user to access the web application.
>> +                    As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1.
>> +                    If the strict-transport-security is "none" then it will not be used.
>> +                </xs:documentation>
>> +            </xs:annotation>
>> +        </xs:attribute>
>>       </xs:attributeGroup>
>>   </xs:schema>
>>
>> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
>> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015
>> @@ -622,6 +622,8 @@ public class ConfigXMLReader {
>>           public String info;
>>           public String contentType;
>>           public String encoding;
>> +        public String xFrameOption;
>> +        public String strictTransportSecurity;
>>           public String description;
>>           public boolean noCache = false;
>>   @@ -633,6 +635,8 @@ public class ConfigXMLReader {
>>               this.contentType = viewMapElement.getAttribute("content-type");
>>               this.noCache = "true".equals(viewMapElement.getAttribute("no-cache"));
>>               this.encoding = viewMapElement.getAttribute("encoding");
>> +            this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
>> +            this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security");
>>               this.description = UtilXml.childElementValue(viewMapElement, "description");
>>               if (UtilValidate.isEmpty(this.page)) {
>>                   this.page = this.name;
>>
>> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
>> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015
>> @@ -128,7 +128,7 @@ public class RequestHandler {
>>       public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
>>               GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
>>   -        final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
>> +        final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
>>                   "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
>>           long startTime = System.currentTimeMillis();
>>           HttpSession session = request.getSession();
>> @@ -694,7 +694,7 @@ public class RequestHandler {
>>                       viewName = nextRequestResponse.value;
>>                   }
>>                   if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) {
>> -                    viewName = nextRequestResponse.value;
>> +                    viewName = nextRequestResponse.value;
>>                   }
>>                   if (urlParams != null) {
>>                       for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) {
>> @@ -984,6 +984,26 @@ public class RequestHandler {
>>              UtilHttp.setResponseBrowserProxyNoCache(resp);
>>              if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
>>           }
>> +
>> +        String xFrameOption = viewMap.xFrameOption;
>> +        // default to sameorigin
>> +        if (UtilValidate.isNotEmpty(xFrameOption)) {
>> +            resp.addHeader("x-frame-options", xFrameOption);
>> +        } else {
>> +            resp.addHeader("x-frame-options", "sameorigin");
>> +        }
>> +
>> +        String strictTransportSecurity = viewMap.strictTransportSecurity;
>> +        // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
>> +        if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
>> +            if (!"none".equals(strictTransportSecurity)) {
>> +                resp.addHeader("strict-transport-security", strictTransportSecurity);
>> +            }
>> +        } else {
>> +            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass
>> req.getAttribute("delegator") as last argument
>> +                resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
>> +            }
>> +        }
>>             try {
>>               if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
>> @@ -1024,7 +1044,7 @@ public class RequestHandler {
>>        */
>>       @Deprecated
>>       public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) {
>> -        Delegator delegator = (Delegator) request.getAttribute("delegator");
>> +        Delegator delegator = (Delegator) request.getAttribute("delegator");
>>           String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator);
>>           String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator);
>>           String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator);
>>
>>
>
>