
SEC-2230: Polish and clickjacking demo

Rob Winch 12 years ago
parent
commit
e242aeff3e

+ 2 - 2
docs/manual/src/docbook/appendix-namespace.xml

@@ -348,8 +348,8 @@
         </section>
         <section xml:id="nsa-frame-options">
             <title><literal>&lt;frame-options&gt;</literal></title>
-            <para>When enabled adds the <link xlink:href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01">X-Frame-Options header</link> to the response, this allows newer browsers to do some security
-                 checks and prevent clickjacking attacks.</para>
+            <para>When enabled adds the <link xlink:href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options header</link> to the response, this allows newer browsers to do some security
+                 checks and prevent <link xlink:href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking</link> attacks.</para>
             <section xml:id="nsa-frame-options-attributes">
                 <title><literal>&lt;frame-options&gt;</literal> Attributes</title>
                 <section xml:id="nsa-frame-options-policy">

+ 11 - 4
samples/contacts/src/main/webapp/WEB-INF/contacts-servlet.xml

@@ -1,13 +1,20 @@
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
-        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-                http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:mvc="http://www.springframework.org/schema/mvc"
+    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
+        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
 
     <!-- ========================== WEB DEFINITIONS ======================= -->
 
     <context:component-scan base-package="sample.contact"/>
     <context:annotation-config />
 
+    <mvc:annotation-driven/>
+    <mvc:view-controller path="/frames.htm" view-name="/frames"/>
+
     <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
         <property name="basename" value="messages"/>
     </bean>
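Review bot: The rewritten xsi:schemaLocation pins the mvc schema at spring-mvc-3.2.xsd while beans and context stay on their 3.0 XSDs; Spring resolves these from the jars on the classpath, so if the project's spring-webmvc jar does not carry the 3.2 schema the new `<mvc:annotation-driven/>` and `<mvc:view-controller>` elements would fail at parse time. Presumably the sample runs on Spring 3.2 (it must, for those elements to exist), in which case aligning all three entries to one version, e.g. `http://www.springframework.org/schema/beans/spring-beans-3.2.xsd` and `http://www.springframework.org/schema/context/spring-context-3.2.xsd`, avoids a mixed-version header that is easy to misread. The `/frames.htm` view controller exists only to demonstrate that the page's iframe is blocked by X-Frame-Options, but nothing in this file sets that header, so a comment such as `<!-- /frames.htm demonstrates X-Frame-Options DENY; the header itself comes from the security configuration's <frame-options> setting -->` above the view-controller line would point readers at the real policy. The `<beans>` root element continues past the hunk.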

+ 10 - 0
samples/contacts/src/main/webapp/WEB-INF/jsp/frames.jsp

@@ -0,0 +1,10 @@
+<html>
+<head>
+<title>Frames</title>
+</head>
+<body>
+<p>This contains frames, but the frames will not be loaded due to the <a href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options</a>
+being specified as denied. This protects against <a href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking attacks</a></p>
+<iframe src="./hello.htm" width="500" height="500"></iframe>
+</body>
+</html>
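Review bot: The iframe on the new page uses a bare relative `src="./hello.htm"`, whereas hello.jsp in this same commit builds its links with `<c:url>`; a relative URL resolves against whatever request path rendered the view, so the frame target silently breaks if the page is ever mapped anywhere other than the context root. Using the same helper keeps the two JSPs consistent: `<iframe src="<c:url value="./hello.htm"/>" width="500" height="500"></iframe>` with `<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>` at the top of the file (hello.jsp's own taglib directive is above its hunk, so I am assuming it declares the same prefix). The explanatory paragraph also hard-codes the assumption that the policy is DENY: because the frame is same-origin, a SAMEORIGIN policy would let it load and the text would then be wrong, so a JSP comment like `<%-- Same-origin frame: blocked only under X-Frame-Options DENY, not SAMEORIGIN --%>` next to the iframe would make the demo's precondition explicit. Minor: the sentence ending in "clickjacking attacks</a>" is missing its full stop.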

+ 1 - 0
samples/contacts/src/main/webapp/WEB-INF/jsp/hello.jsp

@@ -47,5 +47,6 @@ here's a random <code>Contact</code>:
 <p>Get started by clicking "Manage"...
 <p><A HREF="<c:url value="secure/index.htm"/>">Manage</a>
 <a href="<c:url value="secure/debug.jsp"/>">Debug</a>
+<a href="<c:url value="./frames.htm"/>">Frames</a>
 </body>
 </html>