Clickjacking framing protection protects embedded applications from framing attacks. This code implements the required methods.
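package com.sap.test;

import java.io.IOException;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.tc.clickjacking.protection.ClickJackingProtectionConfiguration;
import com.sap.tc.clickjacking.protection.ClickJackingProtectionLocal;

/**
 * Sample servlet that embeds the markup returned by the central clickjacking
 * protection service into the {@code <head>} of a generated HTML page.
 *
 * <p>The {@code protection} URL parameter selects between the default and the
 * custom protection snippet. That switch exists for demonstration only: a
 * missing or unrecognised value produces a page without any protection tag,
 * so a production servlet should not let the request decide whether the page
 * is protected.
 */
public class EJBServlet extends HttpServlet {

    /** JNDI name under which the local ClickJackingProtection bean is looked up. */
    private static final String CLICKJACKING_PROTECTION_BEAN_LOOKUP_SCHEME =
            "ejb:/appName=sap.com/tc~lm~itsam~service~clickjacking,"
            + "beanName=ClickJackingProtection,"
            + "interfaceName=com.sap.tc.clickjacking.protection.ClickJackingProtectionLocal";

    /** Protection service bean; assigned once in {@link #init()}. */
    private ClickJackingProtectionLocal clickJackingProtectionBean;

    /**
     * Resolves the protection bean when the servlet is initialised.
     *
     * @throws ServletException if the JNDI lookup fails. Failing here keeps the
     *         servlet from serving pages with a null bean, which would otherwise
     *         surface later as a NullPointerException on the first request.
     */
    @Override
    public void init() throws ServletException {
        try {
            lookupClickJackingProtectionEJB();
        } catch (NamingException ne) {
            throw new ServletException(
                    "Lookup of the clickjacking protection bean failed: "
                            + CLICKJACKING_PROTECTION_BEAN_LOOKUP_SCHEME, ne);
        }
    }

    /**
     * Builds the sample page and, when the central service is enabled, embeds
     * the protection snippet chosen by the {@code protection} parameter.
     *
     * @param request  the incoming request; also handed to the protection bean
     * @param response receives the generated {@code text/html} page
     * @throws ServletException declared by the servlet contract
     * @throws IOException if writing the response fails
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // May be null when the parameter is absent. It is only compared below,
        // never written into the response.
        String protectionType = request.getParameter("protection");

        // Boolean.TRUE.equals tolerates a null result from the service.
        boolean enabled =
                Boolean.TRUE.equals(clickJackingProtectionBean.isClickjackingProtectionEnabled());

        // Snippet with the service's default settings.
        String defaultProtection = clickJackingProtectionBean.getDefaultProtection(request);

        // Start from the service's default configuration and override selected values.
        ClickJackingProtectionConfiguration configEJBContentData =
                clickJackingProtectionBean.getDefaultConfigParams(request);
        configEJBContentData.setProtectionCallBack("OwnProtectionCallBack");
        // NOTE(review): presumably the hosts allowed to frame this page; confirm
        // against the service documentation and keep the list as narrow as possible.
        configEJBContentData.setWhiteList("sap.com,sap.corp");
        configEJBContentData.setStyleId("MyOwnStyleID");
        configEJBContentData.setReleaseTimeoutMessage(
                "Parent system is not reachable within the defined time");

        // Snippet built from the customised configuration.
        String customProtection =
                clickJackingProtectionBean.getCustomProtection(request, configEJBContentData);

        // Constant-first comparison: a null parameter selects neither variant
        // instead of throwing a NullPointerException.
        boolean useCustom = enabled && "Custom".equalsIgnoreCase(protectionType);
        boolean useDefault = enabled && "Default".equalsIgnoreCase(protectionType);

        StringBuilder page = new StringBuilder();
        page.append("<html>").append('\n');
        page.append("<head>").append('\n');
        page.append("<title>Clickjacking Protection</title>").append('\n');
        // The snippets are appended unescaped because they are markup returned
        // by the protection bean, not request data.
        if (useCustom) {
            page.append(customProtection).append('\n');
        } else if (useDefault) {
            page.append(defaultProtection).append('\n');
        }
        page.append("</head>").append('\n');
        page.append("<body>").append('\n');
        page.append("<h2>Sample HTML Page</h2>").append('\n');
        if (useCustom) {
            page.append("<p>HTML page with custom protection tag</p>").append('\n');
        } else if (useDefault) {
            page.append("<p>HTML page with default protection tag</p>").append('\n');
        } else {
            page.append("<p>HTML page without protection tag</p>").append('\n');
        }
        if (enabled) {
            page.append("<p>Central service is switched ON</p>").append('\n');
        } else {
            page.append("<p>Central service is switched OFF</p>").append('\n');
        }
        page.append("</body>").append('\n');
        page.append("</html>").append('\n');

        response.setContentType("text/html");
        response.getWriter().println(page.toString());
        response.getWriter().flush();
    }

    /**
     * Looks up the local protection bean through JNDI and stores it in
     * {@link #clickJackingProtectionBean}.
     *
     * @throws NamingException if the context cannot be created, the lookup
     *         fails, or closing the context fails
     */
    private void lookupClickJackingProtectionEJB() throws NamingException {
        Context ctx = new InitialContext();
        try {
            clickJackingProtectionBean =
                    (ClickJackingProtectionLocal) ctx.lookup(CLICKJACKING_PROTECTION_BEAN_LOOKUP_SCHEME);
        } finally {
            // Release the context even when the lookup throws.
            ctx.close();
        }
    }
}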