OF-997 Cover main admin console

Turns out we protected only the PluginServlet, which is only used for Plugins and not the main Admin console itself.

src/java/org/jivesoftware/admin/AuthCheckFilter.java

@@ -37,6 +37,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.WebManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -133,6 +134,8 @@ public class AuthCheckFilter implements Filter {
     {
         HttpServletRequest request = (HttpServletRequest)req;
         HttpServletResponse response = (HttpServletResponse)res;
+        // Do not allow framing; OF-997
+        response.addHeader("X-Frame-Options", JiveGlobals.getProperty("adminConsole.frame-options", "same"));
         // Reset the defaultLoginPage variable
         String loginPage = defaultLoginPage;
         if (loginPage == null) {

src/java/org/jivesoftware/openfire/container/PluginServlet.java

@@ -110,8 +110,6 @@ public class PluginServlet extends HttpServlet {
                 else {
                     handleOtherRequest(pathInfo, response);
                 }
-                // Do not allow framing; OF-997
-                response.addHeader("X-Frame-Options", JiveGlobals.getProperty("adminConsole.frame-options", "deny"));
             }
             catch (Exception e) {
                 Log.error(e.getMessage(), e);