From e242aeff3e7882965630cadd5813fce053ccf9ae Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@vmware.com>
Date: Thu, 1 Aug 2013 10:19:36 -0500
Subject: [PATCH] SEC-2230: Polish and clickjacking demo

---
 docs/manual/src/docbook/appendix-namespace.xml    |  4 ++--
 .../src/main/webapp/WEB-INF/contacts-servlet.xml  | 15 +++++++++++----
 .../src/main/webapp/WEB-INF/jsp/frames.jsp        | 10 ++++++++++
 .../src/main/webapp/WEB-INF/jsp/hello.jsp         |  1 +
 4 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 samples/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp

diff --git a/docs/manual/src/docbook/appendix-namespace.xml b/docs/manual/src/docbook/appendix-namespace.xml
index a5a2492c36..6804e0b43b 100644
--- a/docs/manual/src/docbook/appendix-namespace.xml
+++ b/docs/manual/src/docbook/appendix-namespace.xml
@@ -348,8 +348,8 @@
         </section>
         <section xml:id="nsa-frame-options">
             <title><literal>&lt;frame-options&gt;</literal></title>
-            <para>When enabled adds the <link xlink:href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01">X-Frame-Options header</link> to the response, this allows newer browsers to do some security
-                 checks and prevent clickjacking attacks.</para>
+            <para>When enabled adds the <link xlink:href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options header</link> to the response, this allows newer browsers to do some security
+                 checks and prevent <link xlink:href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking</link> attacks.</para>
             <section xml:id="nsa-frame-options-attributes">
                 <title><literal>&lt;frame-options&gt;</literal> Attributes</title>
                 <section xml:id="nsa-frame-options-policy">
diff --git a/samples/contacts/src/main/webapp/WEB-INF/contacts-servlet.xml b/samples/contacts/src/main/webapp/WEB-INF/contacts-servlet.xml
index 936f16d246..ab318cc88f 100644
--- a/samples/contacts/src/main/webapp/WEB-INF/contacts-servlet.xml
+++ b/samples/contacts/src/main/webapp/WEB-INF/contacts-servlet.xml
@@ -1,13 +1,20 @@
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
-        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-                http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:mvc="http://www.springframework.org/schema/mvc"
+    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
 
     <!-- ========================== WEB DEFINITIONS ======================= -->
 
     <context:component-scan base-package="sample.contact"/>
     <context:annotation-config />
 
+    <mvc:annotation-driven/>
+    <mvc:view-controller path="/frames.htm" view-name="/frames"/>
+
     <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
         <property name="basename" value="messages"/>
     </bean>
diff --git a/samples/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp b/samples/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp
new file mode 100644
index 0000000000..96e928967d
--- /dev/null
+++ b/samples/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp
@@ -0,0 +1,10 @@
+<html>
+<head>
+<title>Frames</title>
+</head>
+<body>
+<p>This contains frames, but the frames will not be loaded due to the <a href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options</a>
+being specified as denied. This protects against <a href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking attacks</a></p>
+<iframe src="./hello.htm" width="500" height="500"></iframe>
+</body>
+</html>
\ No newline at end of file
diff --git a/samples/contacts/src/main/webapp/WEB-INF/jsp/hello.jsp b/samples/contacts/src/main/webapp/WEB-INF/jsp/hello.jsp
index 02758ef0b8..8713e0af0c 100644
--- a/samples/contacts/src/main/webapp/WEB-INF/jsp/hello.jsp
+++ b/samples/contacts/src/main/webapp/WEB-INF/jsp/hello.jsp
@@ -47,5 +47,6 @@ here's a random <code>Contact</code>:
 <p>Get started by clicking "Manage"...
 <p><A HREF="<c:url value="secure/index.htm"/>">Manage</a>
 <a href="<c:url value="secure/debug.jsp"/>">Debug</a>
+<a href="<c:url value="./frames.htm"/>">Frames</a>
 </body>
 </html>