• Home
• org.apache.myfaces.trinidad
• trinidad-impl
• 2.1.1
• source code
• FrameBustingUtils.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.myfaces.trinidadinternal.util.FrameBustingUtils Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.myfaces.trinidadinternal.util;


import java.util.concurrent.ConcurrentMap;

import javax.faces.context.FacesContext;

import org.apache.myfaces.trinidad.util.ExternalContextUtils;

import org.apache.myfaces.trinidad.context.RequestContext;
import org.apache.myfaces.trinidad.logging.TrinidadLogger;

/**
 * @author Gabrielle Crawford
 */
public class FrameBustingUtils
{

  // This parameter controls the framebusting feature. framebusting stops content from
  //       running inside frames (meaning a frame or iframe tag).
  //
  //       This context parameter is ignored when
  //       org.apache.myfaces.trinidad.util.ExternalContextUtils.isPortlet is true,
  //       and will behave as if the context parameter is set to 'never'.
  //
  //       Possible values are:
  //         differentOrigin - only bust frames if the an ancestor window origin and the
  //                     frame origin are different. If the ancestor windows and frame have
  //                     the same origin then allow the content to run in a frame.
  //                     This is the default.
  //         always - always bust frames, meaning don't allow a page to be embedded in frames
  //         never - never bust frames, meaning always allow a page to be embedded in frames
  static public final String FRAME_BUSTING_PARAM = "org.apache.myfaces.trinidad.security.FRAME_BUSTING";
  
  public static enum FrameBustingParamValue
  {

    FRAME_BUSTING_NEVER("never"),
    FRAME_BUSTING_ALWAYS("always"),
    FRAME_BUSTING_DIFFERENT_ORIGIN("differentOrigin");

    FrameBustingParamValue(String value)
    {
      _value = value;
    }
    
    /**
     * toString returns the vary-type value.
     * @return the vary-type value.
     */
    public String toString()
    {
      return _value;
    }

    public String displayName()
    {
      return _value;
    }
    
    private String _value;
    
    public static FrameBustingParamValue valueOfDisplayName(String displayName) 
    {
      if (FRAME_BUSTING_NEVER.displayName().equalsIgnoreCase(displayName))
        return FRAME_BUSTING_NEVER;
      else if (FRAME_BUSTING_ALWAYS.displayName().equalsIgnoreCase(displayName))
        return FRAME_BUSTING_ALWAYS;
      else  if (FRAME_BUSTING_DIFFERENT_ORIGIN.displayName().equalsIgnoreCase(displayName))        
        return FRAME_BUSTING_DIFFERENT_ORIGIN;
      
      return null;
    }
    
  }
  
  public static FrameBustingParamValue getFrameBustingValue(FacesContext context, RequestContext reqContext)
  {   
    // Act as if the value is never if
    // 1. we're doing ppr, we should only need to bust frames on a full page render
    // 2. if we're in a portal    
    //     Portals have a concept of producers and consumers.
    //     The main page is the consumer, and the portlets inside that page are the producers.
    //     Producer content can only be accessed by trusted consumers.
    //
    //     The consumer page can set the context param as needed,
    //     but the producers will not do framebusting.
    //     In other words when ExternalContextUtils.isPortlet is true we will behave as if
    //     the context param is set to 'never'.
    if ( reqContext.isPartialRequest(context) ||
         ExternalContextUtils.isPortlet(context.getExternalContext()))
    {
      return FrameBustingParamValue.FRAME_BUSTING_NEVER;    
    }    
    
    ConcurrentMap appMap = reqContext.getApplicationScopedConcurrentMap();
    FrameBustingParamValue frameBusting = (FrameBustingParamValue)appMap.get(FRAME_BUSTING_PARAM);
    
    if (frameBusting == null)
    {
      String frameBustingString = context.getExternalContext().getInitParameter(FRAME_BUSTING_PARAM);   
      
      if  (frameBustingString == null)
      {
        frameBusting = FrameBustingParamValue.FRAME_BUSTING_DIFFERENT_ORIGIN;
      }
      else
      {        
        frameBusting = FrameBustingParamValue.valueOfDisplayName(frameBustingString);   
        
        if (frameBusting == null)
        {
          frameBusting = FrameBustingParamValue.FRAME_BUSTING_DIFFERENT_ORIGIN;
        
          // if the context param was set but does not match a known legal value then log a warning
          _LOG.warning("UNKNOWN_FRAME_BUSTING_VALUE");
        }
      }
      
      appMap.put(FRAME_BUSTING_PARAM, frameBusting);
    }

    return frameBusting;
  }  
  
  public static void overrideFrameBustingValue(RequestContext reqContext, FrameBustingParamValue frameBusting)
  {         
    ConcurrentMap appMap = reqContext.getApplicationScopedConcurrentMap();      
    appMap.put(FRAME_BUSTING_PARAM, frameBusting);
  }    


  static private final TrinidadLogger _LOG = 
                             TrinidadLogger.createTrinidadLogger(FrameBustingUtils.class);  
}