Class ResponseHeadersEnforcementFilter

  • All Implemented Interfaces:
    javax.servlet.Filter
    Direct Known Subclasses:
    RegisteredServiceResponseHeadersEnforcementFilter

    public class ResponseHeadersEnforcementFilter
    extends AbstractSecurityFilter
    implements javax.servlet.Filter
    Allows users to easily inject the default security headers to assist in protecting the application. The default is to include the following headers:

      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: 0
      X-Content-Type-Options: nosniff
      Strict-Transport-Security: max-age=15768000 ; includeSubDomains
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
    Since:
    6.1.0
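As an added example (not CAS project code), the following Python check parses a raw HTTP response head and reports which of the filter's documented default headers are absent or weaker than the defaults listed above; the two sample responses are constructed, not captured from a real deployment.

```python
from typing import Dict, List

# Defaults documented for ResponseHeadersEnforcementFilter: single-valued
# headers are compared exactly, directive lists as case-insensitive sets.
EXPECTED_EXACT = {"pragma": "no-cache", "expires": "0",
                  "x-content-type-options": "nosniff",
                  "x-frame-options": "DENY", "x-xss-protection": "1; mode=block"}
EXPECTED_DIRECTIVES = {
    "cache-control": {"no-cache", "no-store", "max-age=0", "must-revalidate"},
    "strict-transport-security": {"max-age=15768000", "includesubdomains"},
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lower-cased name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header section; the body follows
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated header names are joined with ', ' as HTTP allows.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def directives(value: str) -> set:
    """Split 'a, b ; c' style header values into a lower-cased directive set."""
    return {d.strip().lower() for d in value.replace(";", ",").split(",") if d.strip()}

def check_security_headers(raw: str) -> List[str]:
    """Return findings against the filter's documented defaults ([] = compliant)."""
    headers, findings = parse_headers(raw), []
    for name, expected in EXPECTED_EXACT.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: expected '{expected}', got '{actual}'")
    for name, expected in EXPECTED_DIRECTIVES.items():
        actual = headers.get(name)
        gap = expected if actual is None else expected - directives(actual)
        if gap:
            findings.append(f"{name}: missing directive(s) {sorted(gap)}")
    return findings

# Constructed sample responses (not captured from a real CAS deployment).
GOOD_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
                 "Pragma: no-cache\r\nExpires: 0\r\nX-Content-Type-Options: nosniff\r\n"
                 "Strict-Transport-Security: max-age=15768000 ; includeSubDomains\r\n"
                 "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
                 "\r\n<html>login page</html>")
# Same response with framing, caching and HSTS protections weakened or absent.
WEAK_RESPONSE = (GOOD_RESPONSE.replace("DENY", "SAMEORIGIN")
                 .replace("Strict-Transport-Security: max-age=15768000 ; includeSubDomains\r\n", "")
                 .replace("no-cache, no-store, max-age=0, must-revalidate", "no-cache"))
```

Running `check_security_headers(WEAK_RESPONSE)` lists the weakened X-Frame-Options value, the dropped Cache-Control directives and the absent HSTS header, while the compliant sample yields an empty list.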
    • Method Summary

      Modifier and Type Method Description
      protected void decideInsertCacheControlHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.util.Optional<java.lang.Object> result)
      Decide insert cache control header.
      protected void decideInsertContentSecurityPolicyHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.util.Optional<java.lang.Object> result)
      Decide insert content security policy header.
      protected void decideInsertStrictTransportSecurityHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.util.Optional<java.lang.Object> result)
      Decide insert strict transport security header.
      protected void decideInsertXContentTypeOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.util.Optional<java.lang.Object> result)
      Decide insert x content type options header.
      protected void decideInsertXFrameOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.util.Optional<java.lang.Object> result)
      Decide insert x frame options header.
      protected void decideInsertXSSProtectionHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.util.Optional<java.lang.Object> result)
      Decide insert xss protection header.
      void destroy()  
      void doFilter​(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)  
      void init​(javax.servlet.FilterConfig filterConfig)  
      protected void insertCacheControlHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Insert cache control header.
      protected void insertCacheControlHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.lang.String value)
      Insert cache control header.
      protected void insertContentSecurityPolicyHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Insert content security policy header.
      protected void insertContentSecurityPolicyHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.lang.String contentSecurityPolicy)
      Insert content security policy header.
      protected void insertStrictTransportSecurityHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Insert strict transport security header.
      protected void insertStrictTransportSecurityHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.lang.String strictTransportSecurityHeader)
      Insert strict transport security header.
      protected void insertXContentTypeOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Insert x content type options header.
      protected void insertXContentTypeOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.lang.String value)
      Insert x content type options header.
      protected void insertXFrameOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Insert x frame options header.
      protected void insertXFrameOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.lang.String value)
      Insert x frame options header.
      protected void insertXSSProtectionHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Insert xss protection header.
      protected void insertXSSProtectionHeader​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, java.lang.String value)
      Insert xss protection header.
      protected java.util.Optional<java.lang.Object> prepareFilterBeforeExecution​(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
      Prepare filter before execution and provide optional.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • INIT_PARAM_ENABLE_CACHE_CONTROL

        public static final java.lang.String INIT_PARAM_ENABLE_CACHE_CONTROL
        Enable CACHE_CONTROL.
        See Also:
        Constant Field Values
      • INIT_PARAM_ENABLE_XCONTENT_OPTIONS

        public static final java.lang.String INIT_PARAM_ENABLE_XCONTENT_OPTIONS
        Enable XCONTENT_OPTIONS.
        See Also:
        Constant Field Values
      • INIT_PARAM_ENABLE_STRICT_TRANSPORT_SECURITY

        public static final java.lang.String INIT_PARAM_ENABLE_STRICT_TRANSPORT_SECURITY
        Enable STRICT_TRANSPORT_SECURITY.
        See Also:
        Constant Field Values
      • INIT_PARAM_ENABLE_STRICT_XFRAME_OPTIONS

        public static final java.lang.String INIT_PARAM_ENABLE_STRICT_XFRAME_OPTIONS
        Enable STRICT_XFRAME_OPTIONS.
        See Also:
        Constant Field Values
      • INIT_PARAM_STRICT_XFRAME_OPTIONS

        public static final java.lang.String INIT_PARAM_STRICT_XFRAME_OPTIONS
        The constant INIT_PARAM_STRICT_XFRAME_OPTIONS.
        See Also:
        Constant Field Values
      • INIT_PARAM_ENABLE_XSS_PROTECTION

        public static final java.lang.String INIT_PARAM_ENABLE_XSS_PROTECTION
        Enable XSS_PROTECTION.
        See Also:
        Constant Field Values
      • INIT_PARAM_XSS_PROTECTION

        public static final java.lang.String INIT_PARAM_XSS_PROTECTION
        XSS protection value.
        See Also:
        Constant Field Values
      • INIT_PARAM_CONTENT_SECURITY_POLICY

        public static final java.lang.String INIT_PARAM_CONTENT_SECURITY_POLICY
        Content security policy.
        See Also:
        Constant Field Values
      • INIT_PARAM_CACHE_CONTROL_STATIC_RESOURCES

        public static final java.lang.String INIT_PARAM_CACHE_CONTROL_STATIC_RESOURCES
        Static resources file extension values.
        See Also:
        Constant Field Values
    • Constructor Detail

      • ResponseHeadersEnforcementFilter

        public ResponseHeadersEnforcementFilter()
    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig filterConfig)
        Specified by:
        init in interface javax.servlet.Filter
      • doFilter

        public void doFilter​(javax.servlet.ServletRequest servletRequest,
                             javax.servlet.ServletResponse servletResponse,
                             javax.servlet.FilterChain filterChain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • prepareFilterBeforeExecution

        protected java.util.Optional<java.lang.Object> prepareFilterBeforeExecution​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                                                    javax.servlet.http.HttpServletRequest httpServletRequest)
        Prepare filter before execution and provide optional.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        Returns:
        the optional
      • decideInsertContentSecurityPolicyHeader

        protected void decideInsertContentSecurityPolicyHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                               javax.servlet.http.HttpServletRequest httpServletRequest,
                                                               java.util.Optional<java.lang.Object> result)
        Decide insert content security policy header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        result - the result
      • insertContentSecurityPolicyHeader

        protected void insertContentSecurityPolicyHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                         javax.servlet.http.HttpServletRequest httpServletRequest)
        Insert content security policy header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
      • insertContentSecurityPolicyHeader

        protected void insertContentSecurityPolicyHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                         javax.servlet.http.HttpServletRequest httpServletRequest,
                                                         java.lang.String contentSecurityPolicy)
        Insert content security policy header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        contentSecurityPolicy - the content security policy
      • decideInsertXSSProtectionHeader

        protected void decideInsertXSSProtectionHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                       javax.servlet.http.HttpServletRequest httpServletRequest,
                                                       java.util.Optional<java.lang.Object> result)
        Decide insert xss protection header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        result - the result
      • insertXSSProtectionHeader

        protected void insertXSSProtectionHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                 javax.servlet.http.HttpServletRequest httpServletRequest)
        Insert xss protection header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
      • insertXSSProtectionHeader

        protected void insertXSSProtectionHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                 javax.servlet.http.HttpServletRequest httpServletRequest,
                                                 java.lang.String value)
        Insert xss protection header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        value - the value
      • decideInsertXFrameOptionsHeader

        protected void decideInsertXFrameOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                       javax.servlet.http.HttpServletRequest httpServletRequest,
                                                       java.util.Optional<java.lang.Object> result)
        Decide insert x frame options header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        result - the result
      • insertXFrameOptionsHeader

        protected void insertXFrameOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                 javax.servlet.http.HttpServletRequest httpServletRequest)
        Insert x frame options header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
      • insertXFrameOptionsHeader

        protected void insertXFrameOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                 javax.servlet.http.HttpServletRequest httpServletRequest,
                                                 java.lang.String value)
        Insert x frame options header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        value - the value
      • decideInsertXContentTypeOptionsHeader

        protected void decideInsertXContentTypeOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                             javax.servlet.http.HttpServletRequest httpServletRequest,
                                                             java.util.Optional<java.lang.Object> result)
        Decide insert x content type options header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        result - the result
      • insertXContentTypeOptionsHeader

        protected void insertXContentTypeOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                       javax.servlet.http.HttpServletRequest httpServletRequest)
        Insert x content type options header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
      • insertXContentTypeOptionsHeader

        protected void insertXContentTypeOptionsHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                       javax.servlet.http.HttpServletRequest httpServletRequest,
                                                       java.lang.String value)
        Insert x content type options header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        value - the value
      • decideInsertCacheControlHeader

        protected void decideInsertCacheControlHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                      javax.servlet.http.HttpServletRequest httpServletRequest,
                                                      java.util.Optional<java.lang.Object> result)
        Decide insert cache control header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        result - the result
      • insertCacheControlHeader

        protected void insertCacheControlHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                javax.servlet.http.HttpServletRequest httpServletRequest)
        Insert cache control header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
      • insertCacheControlHeader

        protected void insertCacheControlHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                javax.servlet.http.HttpServletRequest httpServletRequest,
                                                java.lang.String value)
        Insert cache control header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        value - the value
      • decideInsertStrictTransportSecurityHeader

        protected void decideInsertStrictTransportSecurityHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                                 javax.servlet.http.HttpServletRequest httpServletRequest,
                                                                 java.util.Optional<java.lang.Object> result)
        Decide insert strict transport security header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        result - the result
      • insertStrictTransportSecurityHeader

        protected void insertStrictTransportSecurityHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                           javax.servlet.http.HttpServletRequest httpServletRequest)
        Insert strict transport security header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
      • insertStrictTransportSecurityHeader

        protected void insertStrictTransportSecurityHeader​(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                           javax.servlet.http.HttpServletRequest httpServletRequest,
                                                           java.lang.String strictTransportSecurityHeader)
        Insert strict transport security header.
        Parameters:
        httpServletResponse - the http servlet response
        httpServletRequest - the http servlet request
        strictTransportSecurityHeader - the strict transport security header