https://issues.apache.org/jira/browse/AMQ-6170

Fixing X-Frame-Options header so that is applied for all content served by Jetty. The previous patch wasn't correct because it only applied it to Servlets and JSPs and not static content. This also reverts AMQ-6113
apache · Feb 12, 2016 · 24ad367 · 24ad367
1 parent b595b8b
commit 24ad367
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 72 deletions.
diff --git a/activemq-web-console/src/main/webapp/WEB-INF/web.xml b/activemq-web-console/src/main/webapp/WEB-INF/web.xml
@@ -25,16 +25,6 @@
     Apache ActiveMQ Web Console
   </description>
   <display-name>ActiveMQ Console</display-name>
-
-  <filter>
-    <filter-name>XFrameOptions</filter-name>
-    <filter-class>org.apache.activemq.web.XFrameOptionsFilter</filter-class>
-  </filter>
-
-  <filter-mapping>
-    <filter-name>XFrameOptions</filter-name>
-    <url-pattern>/*</url-pattern>
-  </filter-mapping>
 
   <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
   <!--              Expose Spring POJOs to JSP                   .                                                             -->

diff --git a/activemq-web-demo/src/main/webapp/WEB-INF/web.xml b/activemq-web-demo/src/main/webapp/WEB-INF/web.xml
@@ -30,15 +30,6 @@
     </context-param>
 
 	<!-- filters -->
-    <filter>
-      <filter-name>XFrameOptions</filter-name>
-      <filter-class>org.apache.activemq.web.XFrameOptionsFilter</filter-class>
-    </filter>
-
-    <filter-mapping>
-      <filter-name>XFrameOptions</filter-name>
-      <url-pattern>/*</url-pattern>
-    </filter-mapping>
 	<filter>
 		<filter-name>session</filter-name>
 		<filter-class>org.apache.activemq.web.SessionFilter</filter-class>

diff --git a/activemq-web/src/main/java/org/apache/activemq/web/XFrameOptionsFilter.java b/activemq-web/src/main/java/org/apache/activemq/web/XFrameOptionsFilter.java
diff --git a/assembly/src/release/conf/jetty.xml b/assembly/src/release/conf/jetty.xml
@@ -46,9 +46,22 @@
         <property name="pathSpec" value="*.action" />
     </bean>
 
+    <bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
+        <property name="rules">
+            <list>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-FRAME-OPTIONS"/>
+                  <property name="value" value="SAMEORIGIN"/>
+                </bean>
+            </list>
+        </property>
+    </bean>
+
 	<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
 		<property name="handlers">
 			<list>
+   	            <ref bean="rewriteHandler"/>
 				<bean class="org.eclipse.jetty.webapp.WebAppContext">
 					<property name="contextPath" value="/admin" />
 					<property name="resourceBase" value="${activemq.home}/webapps/admin" />

diff --git a/assembly/src/release/examples/conf/jetty-demo.xml b/assembly/src/release/examples/conf/jetty-demo.xml
@@ -46,9 +46,22 @@
         <property name="pathSpec" value="*.action" />
     </bean>
 
+    <bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
+        <property name="rules">
+            <list>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-FRAME-OPTIONS"/>
+                  <property name="value" value="SAMEORIGIN"/>
+                </bean>
+            </list>
+        </property>
+    </bean>
+
 	<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
 		<property name="handlers">
 			<list>
+                <ref bean="rewriteHandler"/>
 				<bean class="org.eclipse.jetty.webapp.WebAppContext">
 					<property name="contextPath" value="/admin" />
 					<property name="resourceBase" value="${activemq.home}/webapps/admin" />