https://issues.apache.org/jira/browse/AMQ-6113

Properly set the X-FRAME-OPTIONS header on web responses.

activemq-web-console/src/main/webapp/WEB-INF/web.xml

@@ -25,6 +25,16 @@
     Apache ActiveMQ Web Console
   </description>
   <display-name>ActiveMQ Console</display-name>
+  
+  <filter>
+    <filter-name>XFrameOptions</filter-name>
+    <filter-class>org.apache.activemq.web.XFrameOptionsFilter</filter-class>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>XFrameOptions</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
 
   <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
   <!--              Expose Spring POJOs to JSP                   .                                                             -->

activemq-web-demo/src/main/webapp/WEB-INF/web.xml

@@ -30,6 +30,15 @@
     </context-param>
 
 	<!-- filters -->
+    <filter>
+      <filter-name>XFrameOptions</filter-name>
+      <filter-class>org.apache.activemq.web.XFrameOptionsFilter</filter-class>
+    </filter>
+  
+    <filter-mapping>
+      <filter-name>XFrameOptions</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
 	<filter>
 		<filter-name>session</filter-name>
 		<filter-class>org.apache.activemq.web.SessionFilter</filter-class>

activemq-web/src/main/java/org/apache/activemq/web/XFrameOptionsFilter.java

@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Filter to set the header X-FRAME-OPTIONS on web responses
+ *
+ */
+public class XFrameOptionsFilter implements Filter {
+
+    private static String SAMEORIGIN = "SAMEORIGIN";
+
+    @Override
+    public void init(FilterConfig config) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletResponse servletResponse = (HttpServletResponse)response;
+        //Set all responses to SAMEORIGIN, can be switched to be configurable later if
+        //we need to conditionally set this
+        servletResponse.addHeader("X-FRAME-OPTIONS", SAMEORIGIN);
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    public void destroy() {
+    }
+}