attempt to override a class

geoadmin · Oct 31, 2024 · d940f9b · d940f9b
1 parent 984088f
commit d940f9b
Show file tree

Hide file tree

Showing 4 changed files with 660 additions and 9 deletions.
diff --git a/pom.xml b/pom.xml
@@ -96,8 +96,7 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
         <configuration>
-          <source>1.11</source>
-          <target>1.11</target>
+          <release>11</release>
           <debug>true</debug>
           <encoding>UTF-8</encoding>
           <fork>${fork.javac}</fork>

diff --git a/web/pom.xml b/web/pom.xml
@@ -8,7 +8,7 @@
     <artifactId>geonetwork</artifactId>
     <version>4.4.6-0</version>
   </parent>
-  
+
   <artifactId>web</artifactId>
   <packaging>war</packaging>
 
@@ -17,12 +17,12 @@
     Web application using maven war overlay functionality to reuse
     geonetwork war and hnap schema plugin for ${customer}.
   </description>
- 
+
   <properties>
     <build.webapp.resources>${project.build.directory}/webapp</build.webapp.resources>
     <jetty.env>jetty-env.xml</jetty.env>
   </properties>
- 
+
   <dependencies>
     <!-- war includes prebuilt geonetwork jars -->
     <dependency>
@@ -32,12 +32,21 @@
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
+
+    <!-- used to compile, already included in war -->
+    <dependency>
+      <groupId>org.geonetwork-opensource</groupId>
+      <artifactId>gn-web-app</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+      <classifier>classes</classifier>
+    </dependency>
   </dependencies>
-    
+
   <build>
     <finalName>geonetwork</finalName>
     <plugins>
-      
+
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-war-plugin</artifactId>
@@ -50,7 +59,7 @@
           </overlays>
         </configuration>
       </plugin>
-      
+
       <plugin>
         <groupId>org.eclipse.jetty</groupId>
         <artifactId>jetty-maven-plugin</artifactId>
@@ -71,7 +80,7 @@
         </dependencies>-->
       </plugin>
     </plugins>
- 
+
   </build>
 
 </project>

diff --git a/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java b/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2001-2016 Food and Agriculture Organization of the
+ * United Nations (FAO-UN), United Nations World Food Programme (WFP)
+ * and United Nations Environment Programme (UNEP)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+ * Rome - Italy. email: [email protected]
+ */
+package org.fao.geonet.web;
+
+import org.apache.commons.lang.StringUtils;
+import org.fao.geonet.constants.Geonet;
+import org.fao.geonet.utils.Log;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+/**
+ * Filter to avoid clickjaking attacks.
+ *
+ * See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet.
+ *
+ * Modes supported:
+ *  - DENY: prevents any domain from framing the content.
+ *  - SAMEORIGIN, which only allows the current site to frame the content.
+ *  - ALLOW-FROM uri, which permits the specified 'uri' to frame this page.
+ *      Not all browsers support this mode.
+ *
+ * Any other value will default to DENY.
+ *
+ * Sets X-Frame-Options and Content-Security-Policy (for frame-ancestors) headers.
+ *
+ * @author Jose García
+ */
+public class XFrameOptionsFilter implements Filter {
+    private static String MODE_DENY = "DENY";
+    private static String MODE_SAMEORIGIN = "SAMEORIGIN";
+    private static String MODE_ALLOWFROM = "ALLOW-FROM";
+
+    private String mode;
+    private String url;
+    private String domain;
+
+    public void init(FilterConfig filterConfig) throws ServletException {
+        mode = filterConfig.getInitParameter("mode");
+        url = filterConfig.getInitParameter("url");
+
+        // Mode: DENY, SAMEORIGIN, ALLOW-FROM. Any other value will default to SAMEORIGIN
+        if (!mode.equals(MODE_DENY) && !mode.equals(MODE_SAMEORIGIN) && !mode.equals(MODE_ALLOWFROM)) {
+            mode = MODE_DENY;
+        }
+
+        // If ALLOW-FROM, make sure a valid url is given, otherwise fallback to deny
+        if (mode.equals(MODE_ALLOWFROM)) {
+            if (StringUtils.isEmpty(url)) {
+                Log.info(Geonet.GEONETWORK,
+                    "XFrameOptions filter url parameter is missing for mode ALLOW-FROM. Setting mode to DENY.");
+                mode = MODE_DENY;
+            } else {
+                domain = url;
+            }
+        }
+
+        if (Log.isDebugEnabled(Geonet.GEONETWORK)) {
+            Log.debug(Geonet.GEONETWORK, String.format(
+                "XFrameOptions filter initialized. Using mode %s.", getXFrameOptionsValue()));
+        }
+
+    }
+
+
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+                         FilterChain filterChain) throws IOException, ServletException {
+
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        response.addHeader("X-Frame-Options", getXFrameOptionsValue());
+        response.addHeader("Content-Security-Policy", getContentSecurityPolicyFramAncestorsValue());
+
+        filterChain.doFilter(servletRequest, response);
+    }
+
+
+    public void destroy() {
+    }
+
+
+    /**
+     * Calculates the X-Frame-Options header value.
+     *
+     * @return X-Frame-Options header value.
+     */
+    private String getXFrameOptionsValue() {
+        if (mode.equals(MODE_ALLOWFROM)) {
+            return mode + " " + url;
+        } else {
+            return mode;
+        }
+    }
+
+
+    /**
+     * Calculates the Content-Security-Policy header frame-ancestors value.
+     *
+     * @return Content-Security-Policy header frame-ancestors value.
+     */
+    private String getContentSecurityPolicyFramAncestorsValue() {
+        if (mode.equals(MODE_SAMEORIGIN)) {
+            return "frame-ancestors 'self'";
+        } else if (mode.equals(MODE_ALLOWFROM)) {
+            return "frame-ancestors " + domain;
+        } else {
+            return "frame-ancestors 'none'";
+        }
+    }
+
+}