XFrameFilter is global

f0c47f5b · Piotr Gawron · 752c6c71 · f0c47f5b · f0c47f5b
Commit f0c47f5b authored 5 years ago by Piotr Gawron
--- a/web/src/main/java/lcsb/mapviewer/web/config/WebAppInitializer.java
+++ b/web/src/main/java/lcsb/mapviewer/web/config/WebAppInitializer.java
@@ -13,6 +13,7 @@ import lcsb.mapviewer.api.SpringRestApiConfig;
 import lcsb.mapviewer.common.Configuration;
 import lcsb.mapviewer.persist.SpringPersistConfig;
 import lcsb.mapviewer.services.SpringServiceConfig;
+import lcsb.mapviewer.web.bean.utils.XFrameFilter;

 public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

@@ -38,6 +39,10 @@ public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServlet
    return new String[] { "/", "/api/*" };
  }

+  @Override
+  protected Filter[] getServletFilters() {
+      return new Filter[]{new XFrameFilter()};
+  }
  @Override
  public void onStartup(ServletContext container) throws ServletException {
    assert container.setInitParameter("com.sun.faces.enableMissingResourceLibraryDetection", "true");

--- a/web/src/test/java/lcsb/mapviewer/web/SpringSecurityGeneralIntegrationTest.java
+++ b/web/src/test/java/lcsb/mapviewer/web/SpringSecurityGeneralIntegrationTest.java
@@ -149,10 +149,10 @@ public class SpringSecurityGeneralIntegrationTest extends ControllerIntegrationT

  @Test
  public void testXFrameFilter() throws Exception {
-    configurationService.setConfigurationValue(ConfigurationElementType.X_FRAME_DOMAIN, "minerva.uni.lu");
-    RequestBuilder request = get("/");
+    configurationService.setConfigurationValue(ConfigurationElementType.X_FRAME_DOMAIN, "https://minerva.uni.lu");
+    RequestBuilder request = get("/asd");
    MockHttpServletResponse response = mockMvc.perform(request)
-        .andExpect(status().is2xxSuccessful())
+        .andExpect(status().is4xxClientError())
        .andReturn().getResponse();
    assertTrue(response.getHeaderNames().contains("Content-Security-Policy"));
  }
@@ -160,9 +160,9 @@ public class SpringSecurityGeneralIntegrationTest extends ControllerIntegrationT
  @Test
  public void testXFrameFilterDisabled() throws Exception {
    configurationService.setConfigurationValue(ConfigurationElementType.X_FRAME_DOMAIN, "");
-    RequestBuilder request = get("/");
+    RequestBuilder request = get("/asd");
    MockHttpServletResponse response = mockMvc.perform(request)
-        .andExpect(status().is2xxSuccessful())
+        .andExpect(status().is4xxClientError())
        .andReturn().getResponse();
    assertFalse(response.getHeaderNames().contains("Content-Security-Policy"));
  }