diff options
author | vasraz <vasyl.razinkov@est.tech> | 2022-10-04 18:16:26 +0100 |
---|---|---|
committer | Vasyl Razinkov <vasyl.razinkov@est.tech> | 2022-10-04 18:54:54 +0000 |
commit | 0899720f168c09d037e577109d7cab665fe1fb91 (patch) | |
tree | c6c210914a6fb029841d28de92cb760cdad6088d /catalog-fe | |
parent | ca487f60c2ca67794b16c0ff0cf5cc6deca556fc (diff) |
Fix bug 'X-Frame-Options not configured: Lack of clickjacking protection'
Add new Filter (ContentSecurityPolicyHeaderFilter)
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: Ic8151df64e4b95b3d59b44a5f74dd12210f55e87
Issue-ID: SDC-4192
Diffstat (limited to 'catalog-fe')
4 files changed, 53 insertions, 18 deletions
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb index 819638ac08..73176ed1c3 100644 --- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb +++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_2_setup_configuration.rb @@ -13,6 +13,7 @@ template "catalog-fe-config" do :basic_auth_flag => node['basic_auth']['enabled'], :user_name => node['basic_auth'][:user_name], :user_pass => node['basic_auth'][:user_pass], + :permittedAncestors => "#{ENV['permittedAncestors']}", :dcae_fe_vip => node['DCAE_FE_VIP'] }) end diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb index 8dc3c51df3..1b10845aaa 100644 --- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb +++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-configuration.yaml.erb @@ -124,3 +124,6 @@ healthStatusExclude: - PORTAL - CATALOG_FACADE_MS - External API + +#Space separated list of permitted ancestors +permittedAncestors: <%= @permittedAncestors %> diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java new file mode 100644 index 0000000000..a49f625e54 --- /dev/null +++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/ContentSecurityPolicyHeaderFilter.java @@ -0,0 +1,40 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.fe.filters; + +import org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilterAbstract; +import org.openecomp.sdc.fe.config.Configuration; +import org.openecomp.sdc.fe.config.ConfigurationManager; + +public class ContentSecurityPolicyHeaderFilter extends ContentSecurityPolicyHeaderFilterAbstract { + + @Override + protected String getPermittedAncestors() { + final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + if (configurationManager != null) { + final Configuration configuration = configurationManager.getConfiguration(); + if (configuration != null) { + return configuration.getPermittedAncestors(); + } + } + return ""; + } +} diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml index de133ac8ec..895dfd8690 100644 --- a/catalog-fe/src/main/webapp/WEB-INF/web.xml +++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml @@ -47,8 +47,6 @@ <load-on-startup>1</load-on-startup> <async-supported>true</async-supported> - - </servlet> <servlet-mapping> @@ -72,6 +70,15 @@ <param-value>false</param-value> </context-param> + <filter> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <filter-class>org.openecomp.sdc.fe.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <async-supported>true</async-supported> + </filter> + <filter-mapping> + <filter-name>contentSecurityPolicyHeaderFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter> <filter-name>AuditLogServletFilter</filter-name> @@ -79,17 +86,6 @@ <async-supported>true</async-supported> </filter> - <!-- <filter>--> - <!-- <filter-name>SecurityFilter</filter-name>--> - <!-- <filter-class>org.openecomp.sdc.fe.filters.SecurityFilter</filter-class>--> - <!-- <async-supported>true</async-supported>--> - <!-- <init-param>--> - <!-- <param-name>excludedUrls</param-name>--> - <!-- <!– Comma separated list of excluded servlet URLs –>--> - <!-- <param-value>/config,/configmgr,/rest</param-value>--> - <!-- </init-param>--> - <!-- </filter>--> - <filter> <filter-name>gzipFilter</filter-name> <filter-class>org.openecomp.sdc.fe.filters.GzipFilter</filter-class> @@ -101,11 +97,6 @@ <url-pattern>/*</url-pattern> </filter-mapping> - <!-- <filter-mapping>--> - <!-- <filter-name>SecurityFilter</filter-name>--> - <!-- <url-pattern>/*</url-pattern>--> - <!-- </filter-mapping>--> - <filter-mapping> <filter-name>gzipFilter</filter-name> <url-pattern>*.jsgz</url-pattern> |