Talk:Clickjacking Protection for Java EE

From OWASP
Jump to: navigation, search

I have implemented this in tomcat 5.5.31 but I didn't get it to work. First I got an error that the java version was wrong. So I recompiled the class using the same sdk version I use for the tomcat. This removed the error messages and everything looks dandy. Problem is that the sites are still "framable" in both Internet Explorer 8 and Firefox 5. Clearly I'm doing something wrong but I can't just seem to figure out what.

Is there a way to check if the headers are being sent out as suppossed to, or any other test to check what I'm doing wrong?


The issue is with the sample provided in the zip file. The wiki page shows the method as:

   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
       HttpServletResponse res = (HttpServletResponse)response;
       res.addHeader("X-FRAME-OPTIONS", mode );			
       chain.doFilter(request, response);
   }

You will need to make sure that the source code in the zip file has the chain.doFilter AFTER the res.addHeader method. However in the current sample the filtering is done BEFORE the header was added and thus it does not work.