[ https://issues.apache.org/jira/browse/KNOX-3124?focusedWorklogId=966040&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-966040 ]
ASF GitHub Bot logged work on KNOX-3124: ---------------------------------------- Author: ASF GitHub Bot Created on: 14/Apr/25 13:50 Start Date: 14/Apr/25 13:50 Worklog Time Spent: 10m Work Description: smolnar82 commented on code in PR #1021: URL: https://github.com/apache/knox/pull/1021#discussion_r2042168938 ########## gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/SecurityHeaderFilter.java: ########## 
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class SecurityHeaderFilter implements Filter {
+
+ private Map<String, String> map = new HashMap<>();
Review Comment: A better class member name would be more helpful.
########## gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/SecurityHeaderFilter.java: ##########
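Review bot: `SecurityHeaderFilter` is a public, admin-configured filter and has no class Javadoc, so a topology author has to read `init` and `doFilter` (shown in the later hunks) to learn the contract. A short class comment along the lines of `/** Emits one response header per filter init parameter: the parameter name is the header name and the parameter value its value; the {@code enabled} parameter is the provider switch and is never sent as a header. */` would state it in one place. The `map` field is only written in `init` and read on every request, so it can also be declared `final`: `private final Map<String, String> map = new HashMap<>();`.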
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class SecurityHeaderFilter implements Filter {
+
+ private Map<String, String> map = new HashMap<>();
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Dynamically add headers based on init parameters
+ Enumeration<String> initParamNames = filterConfig.getInitParameterNames();
+ while (initParamNames.hasMoreElements()) {
+ String headerName = initParamNames.nextElement();
+ if (!"enabled".equals(headerName)) {
Review Comment: You may want to create another constant for `enabled` in WebAppSeciContributor and re-use it here.
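Review bot: `init` copies every non-`enabled` parameter value into `map` verbatim, so a value containing CR or LF — easy to produce when a long Content-Security-Policy is wrapped over several lines in the topology XML — reaches `setHeader` on every response, and whether the container rejects or rewrites such a value only becomes visible at request time. Checking once here and failing deployment surfaces the misconfiguration early: `if (headerValue == null || headerValue.indexOf('\r') >= 0 || headerValue.indexOf('\n') >= 0) { throw new ServletException("Invalid value for security header " + headerName); }` before `map.put(headerName, headerValue)`. The comment `// Dynamically add headers based on init parameters` also describes `doFilter` rather than this loop, which only collects the pairs; `// Collect header name/value pairs from init params; 'enabled' is the provider switch, not a header` would be accurate. `init` ends outside this hunk.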
########## gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java: ##########
@@ -55,6 +55,10 @@ public class WebAppSecContributor extends ProviderDeploymentContributorBase {
 private static final String RATE_LIMITING_PREFIX = "rate.limiting";
 private static final String RATE_LIMITING_SUFFIX = "_RATE.LIMITING";
 private static final String RATE_LIMITING_ENABLED = RATE_LIMITING_PREFIX + ".enabled";
+ private static final String SECURITY_HEADER_PREFIX = "security.header";
Review Comment: I think the prefix should be `"security.header."` (note the `.` at the end).
########## gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/SecurityHeaderFilter.java: ##########
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class SecurityHeaderFilter implements Filter {
+
+ private Map<String, String> map = new HashMap<>();
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Dynamically add headers based on init parameters
+ Enumeration<String> initParamNames = filterConfig.getInitParameterNames();
+ while (initParamNames.hasMoreElements()) {
+ String headerName = initParamNames.nextElement();
+ if (!"enabled".equals(headerName)) {
+ String headerValue = filterConfig.getInitParameter(headerName);
+ map.put(headerName, headerValue);
+ }
+ }
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ HttpServletResponse httpResponse = new SecurityHeaderResponseWrapper((HttpServletResponse) response);
+
+ // Dynamically add headers based on init parameters
+ for (Map.Entry<String, String> entry : map.entrySet()) {
+ String headerName = entry.getKey();
+ String headerValue = entry.getValue();
+ httpResponse.setHeader(headerName, headerValue);
+ }
+
+ // Continue the filter chain
+ chain.doFilter(request, httpResponse);
+ }
+
+ @Override
+ public void destroy() {
+ // Cleanup logic if needed
+ }
+
+ class SecurityHeaderResponseWrapper extends HttpServletResponseWrapper {
+
+ SecurityHeaderResponseWrapper(HttpServletResponse res) {
+ super(res);
+ }
+
+ @Override
+ public void addHeader(String name, String value) {
+ if (!"enabled".equals(name)) {
Review Comment: See my recommendation above of using a constant here.
Issue Time Tracking
-------------------
Worklog Id: (was: 966040)
Time Spent: 20m (was: 10m)
> Add Generic Security Header Filter to WebAppSec Provider
> --------------------------------------------------------
>
> Key: KNOX-3124
> URL: https://issues.apache.org/jira/browse/KNOX-3124
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.2.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In order to add various security headers to a response, we can add a generic
> filter for which init params with the param name and value indicating the
> header name and string representing the directives for the header
> respectively.
> This will allow admins to configure things like Content-Security-Policy,
> Cache-Control, etc. without the need to add separate filters for each one.
-- This message was sent by Atlassian Jira (v8.20.10#820010)
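Review bot: The `enabled` guard in `SecurityHeaderResponseWrapper.addHeader` does not protect the configured headers: `init` never stores `enabled` in `map`, `doFilter` writes the headers with `setHeader`, and nothing in this hunk overrides `setHeader`, so a later filter or servlet can still replace a configured header by calling `setHeader` (the rest of the wrapper lies outside the hunk, so an override there would change this). If the wrapper is meant to keep the admin-configured security headers authoritative, it should intercept `setHeader` and `addHeader` alike and compare `name` case-insensitively against the configured header names rather than the literal `enabled`, with `doFilter` writing its own headers through the unwrapped response so the guard does not block them. If it is only meant to skip a stray `enabled` parameter, `init` already does that and the wrapper adds nothing. `destroy()` could also release the configuration instead of keeping the placeholder comment: `map.clear();`.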