
Example Implementation of Clickjacking Framing Protection in a Servlet

Clickjacking framing protection protects embedded applications against framing attacks. The servlet below shows how to call the required methods of the protection bean.

package com.sap.test;

import java.io.IOException;
import java.io.PrintWriter;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.tc.clickjacking.protection.ClickJackingProtectionConfiguration;
import com.sap.tc.clickjacking.protection.ClickJackingProtectionLocal;

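public class EJBServlet extends HttpServlet {

	/** JNDI name of the central clickjacking-protection session bean; identical for every servlet instance. */
	private static final String CLICKJACKING_PROTECTION_BEAN_LOOKUP_SCHEME = "ejb:/appName=sap.com/tc~lm~itsam~service~clickjacking,beanName=ClickJackingProtection,interfaceName=com.sap.tc.clickjacking.protection.ClickJackingProtectionLocal";

	/** Resolved once in {@link #init()}; non-null for every request once init has succeeded. */
	private ClickJackingProtectionLocal clickJackingProtectionBean;

	/**
	 * Resolves the clickjacking-protection bean at servlet start-up.
	 *
	 * @throws ServletException if the JNDI lookup fails. Failing init keeps the servlet out of
	 *     service, which is preferable to every later request failing with a
	 *     NullPointerException on the unset bean reference.
	 */
	@Override
	public void init() throws ServletException {
		try {
			lookupClickJackingProtectionEJB();
		} catch (NamingException ne) {
			// Keep the cause so the container log shows why the lookup failed.
			throw new ServletException("Lookup of clickjacking protection bean failed: "
					+ CLICKJACKING_PROTECTION_BEAN_LOOKUP_SCHEME, ne);
		}
	}

	/**
	 * Renders a sample HTML page that embeds the framing-protection content produced by the bean.
	 * The {@code protection} request parameter selects {@code Custom} or {@code Default}; any
	 * other value, or no parameter at all, renders the page without protection content. Only the
	 * selected variant is requested from the bean.
	 *
	 * @param request the request; its {@code protection} parameter is only compared, never echoed
	 * @param response receives the page as {@code text/html} encoded in UTF-8
	 * @throws IOException if the response writer cannot be obtained
	 * @throws ServletException not thrown here; declared by the overridden signature
	 */
	@Override
	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		// The parameter may be absent: comparing with the literal on the left avoids a NullPointerException.
		String protectionType = request.getParameter("protection");
		boolean customRequested = "Custom".equalsIgnoreCase(protectionType);
		boolean defaultRequested = "Default".equalsIgnoreCase(protectionType);

		// Central switch: when OFF, no protection content is emitted regardless of the parameter.
		// Boolean.TRUE.equals also tolerates a null Boolean from the bean.
		boolean enabled = Boolean.TRUE.equals(clickJackingProtectionBean.isClickjackingProtectionEnabled());

		String protectionContent = null;
		String description;
		if (enabled && customRequested) {
			protectionContent = buildCustomProtection(request);
			description = "HTML page with custom protection tag";
		} else if (enabled && defaultRequested) {
			protectionContent = clickJackingProtectionBean.getDefaultProtection(request);
			description = "HTML page with default protection tag";
		} else {
			description = "HTML page without protection tag";
		}

		StringBuilder page = new StringBuilder();
		page.append("<html>").append('\n');
		page.append("<head>").append('\n');
		page.append("<title>Clickjacking Protection</title>").append('\n');
		if (protectionContent != null) {
			// Bean-generated markup is inserted verbatim: it is trusted server output, not request data.
			// NOTE(review): script-based framing protection in the page does not replace a
			// browser-enforced header policy (e.g. CSP frame-ancestors); keep both consistent.
			page.append(protectionContent).append('\n');
		}
		page.append("</head>").append('\n');
		page.append("<body>").append('\n');
		page.append("<h2>Sample HTML Page</h2>").append('\n');
		page.append("<p>").append(description).append("</p>").append('\n');
		page.append(enabled ? "<p>Central service is switched ON</p>" : "<p>Central service is switched OFF</p>").append('\n');
		page.append("</body>").append('\n');
		page.append("</html>").append('\n');

		// Declare the charset explicitly (must happen before getWriter) so the browser does not
		// have to guess the encoding of the page.
		response.setCharacterEncoding("UTF-8");
		response.setContentType("text/html");
		PrintWriter out = response.getWriter();
		out.println(page);
		out.flush();
	}

	/**
	 * Requests the custom protection variant: starts from the bean's default configuration,
	 * overrides the customer-specific parameters, then asks the bean for the markup.
	 *
	 * @param request the current request, passed through to the bean
	 * @return the protection content to embed in the page head
	 */
	private String buildCustomProtection(HttpServletRequest request) {
		ClickJackingProtectionConfiguration config = clickJackingProtectionBean.getDefaultConfigParams(request);
		config.setProtectionCallBack("OwnProtectionCallBack");
		// NOTE(review): presumably the parent origins allowed to frame this page — confirm against the
		// bean's documentation and keep the list as short as possible.
		config.setWhiteList("sap.com,sap.corp");
		config.setStyleId("MyOwnStyleID");
		config.setReleaseTimeoutMessage("Parent system is not reachable within the defined time");
		return clickJackingProtectionBean.getCustomProtection(request, config);
	}

	/**
	 * Looks up the protection bean via JNDI and stores it in {@link #clickJackingProtectionBean}.
	 *
	 * @throws NamingException if the context cannot be created, the lookup fails, or closing fails
	 */
	private void lookupClickJackingProtectionEJB() throws NamingException {
		Context ctx = new InitialContext();
		try {
			clickJackingProtectionBean = (ClickJackingProtectionLocal) ctx.lookup(CLICKJACKING_PROTECTION_BEAN_LOOKUP_SCHEME);
		} finally {
			// Context is not AutoCloseable; close it even when the lookup throws.
			ctx.close();
		}
	}

}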