svn commit: r1719660 - in /ofbiz/trunk/framework/webapp: config/requestHandler.properties dtd/site-conf.xsd src/org/ofbiz/webapp/control/ConfigXMLReader.java src/org/ofbiz/webapp/control/RequestHandler.java


svn commit: r1719660 - in /ofbiz/trunk/framework/webapp: config/requestHandler.properties dtd/site-conf.xsd src/org/ofbiz/webapp/control/ConfigXMLReader.java src/org/ofbiz/webapp/control/RequestHandler.java

jleroux@apache.org
Author: jleroux
Date: Sat Dec 12 11:37:56 2015
New Revision: 1719660

URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
Log:
1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766

Here are X-Frame-Options and Strict-Transport-Security, just a start...

Modified:
    ofbiz/trunk/framework/webapp/config/requestHandler.properties
    ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
+++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015
@@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
 status-code=302
 
 # -- Default Content-Disposition type
-#-- attachment might be replaced by inline if you prefer to offer this option to your users.
+#   attachment might be replaced by inline if you prefer to offer this option to your users.
 #   attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
-content-disposition-type=attachment
\ No newline at end of file
+content-disposition-type=attachment
+
+# -- Should we use strict-transport-security? True by default.
+#    Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request!
+#strict-transport-security=false
\ No newline at end of file

Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
+++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
@@ -774,5 +774,38 @@ under the License.
                 </xs:restriction>
             </xs:simpleType>
         </xs:attribute>
+        <xs:attribute name="x-frame-option" default="sameorigin">
+            <xs:annotation>
+                <xs:documentation>
+                    Provides clickjacking protection by instructing browsers that this page should not be placed within a frame.
+                    Possible values are:
+                    deny - no rendering within a frame,
+                    sameorigin - no rendering if origin mismatch, and
+                    allow-from: - allow rendering if framing page is within the specified URI domain.
+                    Allow from is supported by IE and Firefox, but not Chrome or Safari.
+                    It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
+                </xs:documentation>
+            </xs:annotation>
+            <xs:simpleType>
+                <xs:restriction base="xs:token">
+                    <xs:enumeration value="deny"/>
+                    <xs:enumeration value="sameorigin"/>
+                    <xs:enumeration value="allow-from"/>
+                </xs:restriction>
+            </xs:simpleType>
+        </xs:attribute>
+        <xs:attribute type="xs:string" name="strict-transport-security">
+            <xs:annotation>
+                <xs:documentation>
+                    HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
+                    This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks.
+                    HSTS also disables the ability for users to ignore SSL negotiation warnings.
+                    If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted),
+                    it shows an error message and do not allow the user to access the web application.
+                    As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1.
+                    If the strict-transport-security is "none" then it will not be used.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:attributeGroup>
 </xs:schema>
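Review bot: The attribute is declared here as `x-frame-option` (`<xs:attribute name="x-frame-option" default="sameorigin">`), but the ConfigXMLReader hunk in this same commit reads `viewMapElement.getAttribute("x-frame-options")`, so a value set on a view-map per this schema is never read and RequestHandler always falls back to `sameorigin`; renaming the schema attribute to `name="x-frame-options"` (matching the response header name) makes the two agree without touching the Java. The enumeration also admits the bare token `allow-from`, which the RequestHandler hunk writes verbatim as the header value, yet the documentation itself says the option needs "the specified URI domain"; as declared, the only emittable value is an incomplete header, so either the restriction should accept `allow-from <uri>` (a pattern rather than an enumeration) or the option should be dropped. The `default="sameorigin"` only takes effect if the document is parsed with schema defaults applied, which a plain DOM read presumably is not; since RequestHandler supplies that default in code it is redundant rather than harmful, but the documentation should not rely on it.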

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015
@@ -622,6 +622,8 @@ public class ConfigXMLReader {
         public String info;
         public String contentType;
         public String encoding;
+        public String xFrameOption;
+        public String strictTransportSecurity;
         public String description;
         public boolean noCache = false;
 
@@ -633,6 +635,8 @@ public class ConfigXMLReader {
             this.contentType = viewMapElement.getAttribute("content-type");
             this.noCache = "true".equals(viewMapElement.getAttribute("no-cache"));
             this.encoding = viewMapElement.getAttribute("encoding");
+            this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
+            this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security");
             this.description = UtilXml.childElementValue(viewMapElement, "description");
             if (UtilValidate.isEmpty(this.page)) {
                 this.page = this.name;

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015
@@ -128,7 +128,7 @@ public class RequestHandler {
     public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain,
             GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
-     final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
+        final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
                 "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
         long startTime = System.currentTimeMillis();
         HttpSession session = request.getSession();
@@ -694,7 +694,7 @@ public class RequestHandler {
                     viewName = nextRequestResponse.value;
                 }
                 if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) {
-                 viewName = nextRequestResponse.value;
+                    viewName = nextRequestResponse.value;
                 }
                 if (urlParams != null) {
                     for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) {
@@ -984,6 +984,26 @@ public class RequestHandler {
            UtilHttp.setResponseBrowserProxyNoCache(resp);
            if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
         }
+        
+        String xFrameOption = viewMap.xFrameOption;
+        // default to sameorigin
+        if (UtilValidate.isNotEmpty(xFrameOption)) {
+            resp.addHeader("x-frame-options", xFrameOption);
+        } else {
+            resp.addHeader("x-frame-options", "sameorigin");
+        }
+
+        String strictTransportSecurity = viewMap.strictTransportSecurity;
+        // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
+        if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
+            if (!"none".equals(strictTransportSecurity)) {
+                resp.addHeader("strict-transport-security", strictTransportSecurity);
+            }
+        } else {
+            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") as last argument
+                resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
+            }
+        }
 
         try {
             if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
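Review bot: The default Strict-Transport-Security header is added unconditionally in the else branch, whereas the site-conf.xsd documentation added by this commit says it is skipped when the server is localhost or 127.0.0.1; nothing here inspects the host or the scheme, so either that check belongs in this branch or the schema text should be corrected. Because browsers only honour HSTS on an HTTPS response, gating the branch on the request's `isSecure()` (the request parameter is outside this hunk) would also stop emitting it on plain-HTTP responses and give developers without a certificate the behaviour the properties comment describes. Both headers are written with `addHeader`; they are single-valued headers, and if this code runs twice for one response the duplicate values are resolved inconsistently by browsers, so `resp.setHeader(...)` is the safer call in all four places. There is also no per-view opt-out for X-Frame-Options, unlike the `none` sentinel for HSTS; it is worth deciding whether the same sentinel applies and documenting it in the schema. The enclosing method starts and ends outside this hunk.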
@@ -1024,7 +1044,7 @@ public class RequestHandler {
      */
     @Deprecated
     public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) {
-     Delegator delegator = (Delegator) request.getAttribute("delegator");
+        Delegator delegator = (Delegator) request.getAttribute("delegator");
         String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator);
         String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator);
         String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator);