org.apereo.cas.security

Class ResponseHeadersEnforcementFilter

java.lang.Object

org.apereo.cas.security.AbstractSecurityFilter

org.apereo.cas.security.ResponseHeadersEnforcementFilter

All Implemented Interfaces:

javax.servlet.Filter

public class ResponseHeadersEnforcementFilter
extends AbstractSecurityFilter
implements javax.servlet.Filter

Allows users to easily inject the default security headers to assist in protecting the application. The default for is to include the following headers:

 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=15768000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 1; mode=block
 

Since:

2.0.4

Author:

Misagh Moayyed

Field Summary

Fields inherited from class org.apereo.cas.security.AbstractSecurityFilter

LOGGER_HANDLER_CLASS_NAME

Constructor Summary

Constructors

Constructor and Description
ResponseHeadersEnforcementFilter()

Method Summary

Modifier and Type	Method and Description
protected void	decideInsertCacheControlHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	decideInsertContentSecurityPolicyHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	decideInsertStrictTransportSecurityHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	decideInsertXContentTypeOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	decideInsertXFrameOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	decideInsertXSSProtectionHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
void	destroy()
void	doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
void	init(javax.servlet.FilterConfig filterConfig)
protected void	insertCacheControlHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	insertCacheControlHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, String cacheControlHeader)
protected void	insertContentSecurityPolicyHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	insertContentSecurityPolicyHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, String contentSecurityPolicy)
protected void	insertStrictTransportSecurityHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	insertStrictTransportSecurityHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, String strictTransportSecurityHeader)
protected void	insertXContentTypeOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	insertXContentTypeOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, String xContentTypeOptionsHeader)
protected void	insertXFrameOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	insertXFrameOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, String xFrameOptions)
protected void	insertXSSProtectionHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest)
protected void	insertXSSProtectionHeader(javax.servlet.http.HttpServletResponse httpServletResponse, javax.servlet.http.HttpServletRequest httpServletRequest, String XSSProtection)
void	setContentSecurityPolicy(String contentSecurityPolicy)
void	setEnableCacheControl(boolean enableCacheControl)
void	setEnableStrictTransportSecurity(boolean enableStrictTransportSecurity)
void	setEnableXContentTypeOptions(boolean enableXContentTypeOptions)
void	setEnableXFrameOptions(boolean enableXFrameOptions)
void	setEnableXSSProtection(boolean enableXSSProtection)
void	setLoggerHandlerClassName(String loggerHandlerClassName)
void	setXFrameOptions(String XFrameOptions)
void	setXSSProtection(String XSSProtection)

Methods inherited from class org.apereo.cas.security.AbstractSecurityFilter

getLoggerHandlerClassName

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ResponseHeadersEnforcementFilter

public ResponseHeadersEnforcementFilter()

Method Detail

setXSSProtection

public void setXSSProtection(String XSSProtection)

setXFrameOptions

public void setXFrameOptions(String XFrameOptions)

setEnableStrictTransportSecurity

public void setEnableStrictTransportSecurity(boolean enableStrictTransportSecurity)

setEnableCacheControl

public void setEnableCacheControl(boolean enableCacheControl)

setEnableXContentTypeOptions

public void setEnableXContentTypeOptions(boolean enableXContentTypeOptions)

setEnableXFrameOptions

public void setEnableXFrameOptions(boolean enableXFrameOptions)

setEnableXSSProtection

public void setEnableXSSProtection(boolean enableXSSProtection)

setContentSecurityPolicy

public void setContentSecurityPolicy(String contentSecurityPolicy)

setLoggerHandlerClassName

public void setLoggerHandlerClassName(String loggerHandlerClassName)

Overrides:

setLoggerHandlerClassName in class AbstractSecurityFilter

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException

Specified by:

init in interface javax.servlet.Filter

Throws:

javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain filterChain)
              throws IOException,
                     javax.servlet.ServletException

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

IOException

javax.servlet.ServletException

decideInsertContentSecurityPolicyHeader

protected void decideInsertContentSecurityPolicyHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                       javax.servlet.http.HttpServletRequest httpServletRequest)

insertContentSecurityPolicyHeader

protected void insertContentSecurityPolicyHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                 javax.servlet.http.HttpServletRequest httpServletRequest)

insertContentSecurityPolicyHeader

protected void insertContentSecurityPolicyHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                 javax.servlet.http.HttpServletRequest httpServletRequest,
                                                 String contentSecurityPolicy)

decideInsertXSSProtectionHeader

protected void decideInsertXSSProtectionHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                               javax.servlet.http.HttpServletRequest httpServletRequest)

insertXSSProtectionHeader

protected void insertXSSProtectionHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                         javax.servlet.http.HttpServletRequest httpServletRequest)

insertXSSProtectionHeader

protected void insertXSSProtectionHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                         javax.servlet.http.HttpServletRequest httpServletRequest,
                                         String XSSProtection)

decideInsertXFrameOptionsHeader

protected void decideInsertXFrameOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                               javax.servlet.http.HttpServletRequest httpServletRequest)

insertXFrameOptionsHeader

protected void insertXFrameOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                         javax.servlet.http.HttpServletRequest httpServletRequest)

insertXFrameOptionsHeader

protected void insertXFrameOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                         javax.servlet.http.HttpServletRequest httpServletRequest,
                                         String xFrameOptions)

decideInsertXContentTypeOptionsHeader

protected void decideInsertXContentTypeOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                     javax.servlet.http.HttpServletRequest httpServletRequest)

insertXContentTypeOptionsHeader

protected void insertXContentTypeOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                               javax.servlet.http.HttpServletRequest httpServletRequest)

insertXContentTypeOptionsHeader

protected void insertXContentTypeOptionsHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                               javax.servlet.http.HttpServletRequest httpServletRequest,
                                               String xContentTypeOptionsHeader)

decideInsertCacheControlHeader

protected void decideInsertCacheControlHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                              javax.servlet.http.HttpServletRequest httpServletRequest)

insertCacheControlHeader

protected void insertCacheControlHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                        javax.servlet.http.HttpServletRequest httpServletRequest)

insertCacheControlHeader

protected void insertCacheControlHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                        javax.servlet.http.HttpServletRequest httpServletRequest,
                                        String cacheControlHeader)

decideInsertStrictTransportSecurityHeader

protected void decideInsertStrictTransportSecurityHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                         javax.servlet.http.HttpServletRequest httpServletRequest)

insertStrictTransportSecurityHeader

protected void insertStrictTransportSecurityHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                   javax.servlet.http.HttpServletRequest httpServletRequest)

insertStrictTransportSecurityHeader

protected void insertStrictTransportSecurityHeader(javax.servlet.http.HttpServletResponse httpServletResponse,
                                                   javax.servlet.http.HttpServletRequest httpServletRequest,
                                                   String strictTransportSecurityHeader)

destroy

public void destroy()

Specified by:

destroy in interface javax.servlet.Filter