From 901b8810a4d2c237395eced14e467be415218249 Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Thu, 10 Nov 2016 12:29:23 +0100
Subject: SONAR-8247 Fix security headers

---
 .../src/main/webapp/WEB-INF/config/environment.rb | 34 ----------------------
 server/sonar-web/src/main/webapp/WEB-INF/web.xml   |  6 ++--
 2 files changed, 3 insertions(+), 37 deletions(-)

(limited to 'server/sonar-web')

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb b/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb
index cd529e41506..3c375e4607b 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/config/environment.rb
@@ -52,37 +52,6 @@ class EagerPluginLoader < Rails::Plugin::Loader
     end
   end
 
-
-#
-# Put response headers on all HTTP calls. This is done by the Java SecurityServlerFilter,
-# but for some reason Rack swallows the headers set on Java side.
-# See middleware configuration below.
-#
-class SecurityHeaders
-  def initialize(app)
-    @app = app
-  end
-
-  def call(env)
-    status, headers, body = @app.call(env)
-
-    # Clickjacking protection
-    # See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
-    headers['X-Frame-Options']='SAMEORIGIN'
-
-    # Cross-site scripting
-    # See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    headers['X-XSS-Protection']='1; mode=block'
-
-    # MIME-sniffing
-    # See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    headers['X-Content-Type-Options']='nosniff';
-
-    [status, headers, body]
-  end
-end
-
-
 Rails::Initializer.run do |config|
   # Settings in config/environments/* take precedence over those specified here.
   # Application configuration should go into files in config/initializers
@@ -139,9 +108,6 @@ Rails::Initializer.run do |config|
   # Activate observers that should always be running
   # Please note that observers generated using script/generate observer need to have an _observer suffix
   # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
-
-  # Add security related headers
-  config.middleware.use SecurityHeaders
 end
 
 
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/web.xml b/server/sonar-web/src/main/webapp/WEB-INF/web.xml
index ab60f08440a..1a8aa2dc8ad 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/web.xml
+++ b/server/sonar-web/src/main/webapp/WEB-INF/web.xml
@@ -75,15 +75,15 @@
 /*
- UserSessionFilter
+ SecurityFilter
 /*
- ServletFilters
+ UserSessionFilter
 /*
- SecurityFilter
+ ServletFilters
 /*
--
cgit v1.2.3
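Review bot: The fix depends on filter-mapping order — SecurityFilter is moved ahead of UserSessionFilter and ServletFilters in the web.xml hunk — but nothing in web.xml records that the order is load-bearing, so a later reordering of the three mappings would silently drop the headers again. The comment removed from environment.rb in this same commit stated that the Java filter's headers were being lost on Rack-served responses; if the new order is what lets them survive, that reasoning belongs next to the mappings, e.g. `<!-- Order matters: SecurityFilter must be mapped before UserSessionFilter and the Rack/Rails ServletFilters so its response headers are not lost. -->`. With the Ruby SecurityHeaders middleware gone there is no second source for X-Frame-Options, X-XSS-Protection and X-Content-Type-Options, so an integration test asserting those three headers on a Rails-served page would pin the behaviour this commit restores. The rendering here has stripped the XML elements and the filter-mapping list continues outside the hunk, so the exact element lines are inferred from the filter names and url-patterns that survive.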