org.owasp.esapi.filters

Class ClickjackFilter

java.lang.Object

org.owasp.esapi.filters.ClickjackFilter

All Implemented Interfaces:

javax.servlet.Filter

public class ClickjackFilter
extends Object
implements javax.servlet.Filter

The ClickjackFilter is discussed at http://www.owasp.org/index.php/ClickjackFilter_for_Java_EE.

     
            ClickjackFilterDeny
            org.owasp.filters.ClickjackFilter
            
                mode
                 DENY
             
         
         
         
             ClickjackFilterSameOrigin
             org.owasp.filters.ClickjackFilter
             
                 mode
                 SAMEORIGIN
             
         
        
        
         
            ClickjackFilterDeny
            /*
        
         
         




Constructor Summary

Constructors

Constructor and Description


ClickjackFilter() 









Method Summary

Methods

Modifier and Type
Method and Description


void
destroy()


void
doFilter(javax.servlet.ServletRequest request,
        javax.servlet.ServletResponse response,
        javax.servlet.FilterChain chain)
Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
 decide to implement) not to display this content in a frame.



void
init(javax.servlet.FilterConfig filterConfig)
Initialize "mode" parameter from web.xml.







Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ClickjackFilter

public ClickjackFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig filterConfig)

Initialize "mode" parameter from web.xml. Valid values are "DENY" and "SAMEORIGIN". If you leave this parameter out, the default is to use the DENY mode.

Specified by:

init in interface javax.servlet.Filter

Parameters:

filterConfig - A filter configuration object used by a servlet container to pass information to a filter during initialization.

doFilter

public void doFilter(javax.servlet.ServletRequest request,
            javax.servlet.ServletResponse response,
            javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who decide to implement) not to display this content in a frame. For details, please refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.

Specified by:

doFilter in interface javax.servlet.Filter

Parameters:

request - The request object.

response - The response object.

chain - Refers to the FilterChain object to pass control to the next Filter.

Throws:

IOException

javax.servlet.ServletException

destroy

public void destroy()

Specified by:

destroy in interface javax.servlet.Filter