From pzamp...@apache.org
Subject [1/4] knox git commit: KNOX-1211 - Admin UI XSS/XSRF Protection
Date Fri, 16 Mar 2018 20:28:36 GMT
Repository: knox
Updated Branches:
  refs/heads/master 76df40b95 -> 2a8d86617


http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
----------------------------------------------------------------------
diff --git a/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
b/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
index 8830115..221e907 100644
--- a/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
+++ b/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
@@ -105,6 +105,9 @@ class RESTInvoker {
                     org.apache.commons.codec.binary.Base64.encodeBase64String((username +
":" + password).getBytes());
             request.addHeader(new BasicHeader("Authorization", "Basic " + encodedCreds));
 
+            // Ambari CSRF protection
+            request.addHeader("X-Requested-By", "Knox");
+
             response = httpClient.execute(request);
 
             if (HttpStatus.SC_OK == response.getStatusLine().getStatusCode()) {
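Review bot: The added `X-Requested-By` header is a bare literal pair whose comment names the purpose but not the contract; as far as I can tell Ambari's CSRF filter only checks that the header is present on state-changing requests and ignores its value, so the comment should say that and the pair belongs in class constants rather than inline, e.g. `private static final String REQUESTED_BY_HEADER = "X-Requested-By";` and `request.addHeader(REQUESTED_BY_HEADER, "Knox");`. The enclosing method starts before and continues after this hunk.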

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
index 71a5af9..eed8ec3 100644
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
@@ -42,8 +42,11 @@ public class WebAppSecContributor extends
   private static final String XFRAME_OPTIONS_SUFFIX = "_XFRAMEOPTIONS";
   private static final String XFRAME_OPTIONS_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter";
   private static final String XFRAME_OPTIONS_ENABLED = "xframe.options.enabled";
+  private static final String XSS_PROTECTION_SUFFIX = "_XSSPROTECTION";
+  private static final String XSS_PROTECTION_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.XSSProtectionFilter";
+  private static final String XSS_PROTECTION_ENABLED = "xss.protection.enabled";
   private static final String STRICT_TRANSPORT_SUFFIX = "_STRICTTRANSPORT";
-  private static final String STRICT_TRANSPORT_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.StrictTranportFilter";
+  private static final String STRICT_TRANSPORT_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.StrictTransportFilter";
   private static final String STRICT_TRANSPORT_ENABLED = "strict.transport.enabled";
 
 
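Review bot: The new `XSS_PROTECTION_FILTER_CLASSNAME` literal, like the `StrictTranportFilter` typo this same hunk corrects, is a class name the compiler cannot check, so a mistake only surfaces when a topology is deployed. The filter lives in the same module, so `XSSProtectionFilter.class.getName()` would make it compile-checked; if the string form is deliberate to keep filter classes out of the deploy-time classloader, a one-line comment on these constants saying so would spare the next reader the same question.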
@@ -97,6 +100,14 @@ public class WebAppSecContributor extends
         resource.addFilter().name( getName() + XFRAME_OPTIONS_SUFFIX ).role( getRole() ).impl(
XFRAME_OPTIONS_FILTER_CLASSNAME ).params( params );
       }
 
+      // X-XSS-Protection - browser xss protection
+      params = new ArrayList<FilterParamDescriptor>();
+      String xssProtectionEnabled = map.get(XSS_PROTECTION_ENABLED);
+      if ( xssProtectionEnabled != null && "true".equals(xssProtectionEnabled)) {
+        provisionConfig(resource, providerParams, params, "xss.");
+        resource.addFilter().name( getName() + XSS_PROTECTION_SUFFIX ).role( getRole() ).impl(
XSS_PROTECTION_FILTER_CLASSNAME ).params( params );
+      }
+
       // HTTP Strict-Transport-Security
       params = new ArrayList<FilterParamDescriptor>();
       String strictTranportEnabled = map.get(STRICT_TRANSPORT_ENABLED);
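Review bot: The `xssProtectionEnabled != null &&` guard on the new `if` is redundant, since `"true".equals(null)` is already false; `if ("true".equals(xssProtectionEnabled)) {` reads the same and states the intent directly. The block otherwise mirrors the X-Frame-Options section above it and the Strict-Transport section below it, so the three copies could share a small private helper taking the enabled key, suffix, class name and param prefix, which would keep the next header filter from being pasted a fourth time. The enclosing method begins and ends outside this hunk.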

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
deleted file mode 100644
index 0856297..0000000
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.knox.gateway.webappsec.filter;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
-
-/**
- * This filter protects proxied webapps from protocol downgrade attacks 
- * and cookie hijacking.
- */
-public class StrictTranportFilter implements Filter {
-  private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
-  private static final String CUSTOM_HEADER_PARAM = "strict.transport";
-
-  private String option = "max-age=31536000";
-
-  /* (non-Javadoc)
-   * @see javax.servlet.Filter#destroy()
-   */
-  @Override
-  public void destroy() {
-  }
-
-  /* (non-Javadoc)
-   * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
-   */
-  @Override
-  public void doFilter(ServletRequest req, ServletResponse res,
-      FilterChain chain) throws IOException, ServletException {
-    ((HttpServletResponse) res).setHeader(STRICT_TRANSPORT, option);
-    chain.doFilter(req, new StrictTranportResponseWrapper((HttpServletResponse) res));
-  }
-
-  /* (non-Javadoc)
-   * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
-   */
-  @Override
-  public void init(FilterConfig config) throws ServletException {
-    String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
-    if (customOption != null) {
-      option = customOption;
-    }
-  }
-
-  public class StrictTranportResponseWrapper extends HttpServletResponseWrapper {
-    @Override
-    public void addHeader(String name, String value) {
-      // don't allow additional values to be added to
-      // the configured options value in topology
-      if (!name.equals(STRICT_TRANSPORT)) {
-        super.addHeader(name, value);
-      }
-    }
-
-    @Override
-    public void setHeader(String name, String value) {
-      // don't allow overwriting of configured value
-      if (!name.equals(STRICT_TRANSPORT)) {
-        super.setHeader(name, value);
-      }
-    }
-
-    /**
-     * construct a wrapper for this request
-     * 
-     * @param request
-     */
-    public StrictTranportResponseWrapper(HttpServletResponse response) {
-        super(response);
-    }
-
-    @Override
-    public String getHeader(String name) {
-        String headerValue = null;
-        if (name.equals(STRICT_TRANSPORT)) {
-            headerValue = option;
-        }
-        else {
-          headerValue = super.getHeader(name);
-        }
-        return headerValue;
-    }
-
-    /**
-     * get the Header names
-     */
-    @Override
-    public Collection<String> getHeaderNames() {
-        List<String> names = (List<String>) super.getHeaderNames();
-        if (names == null) {
-          names = new ArrayList<String>();
-        }
-        names.add(STRICT_TRANSPORT);
-        return names;
-    }
-
-    @Override
-    public Collection<String> getHeaders(String name) {
-        List<String> values = (List<String>) super.getHeaders(name);
-        if (name.equals(STRICT_TRANSPORT)) {
-          if (values == null) {
-            values = new ArrayList<String>();
-          }
-          values.add(option);
-        }
-        return values;
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
new file mode 100644
index 0000000..91b6122
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
@@ -0,0 +1,137 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+/**
+ * This filter protects proxied webapps from protocol downgrade attacks 
+ * and cookie hijacking.
+ */
+public class StrictTransportFilter implements Filter {
+  private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
+  private static final String CUSTOM_HEADER_PARAM = "strict.transport";
+
+  private String option = "max-age=31536000";
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#destroy()
+   */
+  @Override
+  public void destroy() {
+  }
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
+   */
+  @Override
+  public void doFilter(ServletRequest req, ServletResponse res,
+      FilterChain chain) throws IOException, ServletException {
+    ((HttpServletResponse) res).setHeader(STRICT_TRANSPORT, option);
+    chain.doFilter(req, new StrictTransportResponseWrapper((HttpServletResponse) res));
+  }
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+   */
+  @Override
+  public void init(FilterConfig config) throws ServletException {
+    String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
+    if (customOption != null) {
+      option = customOption;
+    }
+  }
+
+  public class StrictTransportResponseWrapper extends HttpServletResponseWrapper {
+    @Override
+    public void addHeader(String name, String value) {
+      // don't allow additional values to be added to
+      // the configured options value in topology
+      if (!name.equals(STRICT_TRANSPORT)) {
+        super.addHeader(name, value);
+      }
+    }
+
+    @Override
+    public void setHeader(String name, String value) {
+      // don't allow overwriting of configured value
+      if (!name.equals(STRICT_TRANSPORT)) {
+        super.setHeader(name, value);
+      }
+    }
+
+    /**
+     * construct a wrapper for this response
+     * 
+     * @param response
+     */
+    public StrictTransportResponseWrapper(HttpServletResponse response) {
+        super(response);
+    }
+
+    @Override
+    public String getHeader(String name) {
+        String headerValue = null;
+        if (name.equals(STRICT_TRANSPORT)) {
+            headerValue = option;
+        }
+        else {
+          headerValue = super.getHeader(name);
+        }
+        return headerValue;
+    }
+
+    /**
+     * get the Header names
+     */
+    @Override
+    public Collection<String> getHeaderNames() {
+        List<String> names = (List<String>) super.getHeaderNames();
+        if (names == null) {
+          names = new ArrayList<String>();
+        }
+        names.add(STRICT_TRANSPORT);
+        return names;
+    }
+
+    @Override
+    public Collection<String> getHeaders(String name) {
+        List<String> values = (List<String>) super.getHeaders(name);
+        if (name.equals(STRICT_TRANSPORT)) {
+          if (values == null) {
+            values = new ArrayList<String>();
+          }
+          values.add(option);
+        }
+        return values;
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
index 3c67764..e980a2e 100644
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
@@ -88,9 +88,9 @@ public class XFrameOptionsFilter implements Filter {
     }
 
     /**
-     * construct a wrapper for this request
+     * construct a wrapper for this response
      * 
-     * @param request
+     * @param response
      */
     public XFrameOptionsResponseWrapper(HttpServletResponse response) {
         super(response);

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
new file mode 100644
index 0000000..d3515ed
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public class XSSProtectionFilter implements Filter {
+
+  public static final String X_XSS_PROTECTION    = "X-XSS-Protection";
+  public static final String CUSTOM_HEADER_PARAM = "xss.protection";
+
+  public static final String DEFAULT_VALUE = "1;mode=block";
+
+
+  private String option = DEFAULT_VALUE;
+
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+   */
+  @Override
+  public void init(FilterConfig config) throws ServletException {
+    String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
+    if (customOption != null) {
+      option = customOption;
+    }
+  }
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
+   */
+  @Override
+  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws
IOException, ServletException {
+    ((HttpServletResponse) res).setHeader(X_XSS_PROTECTION, option);
+    chain.doFilter(req, new XSSProtectionResponseWrapper((HttpServletResponse) res));
+  }
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#destroy()
+   */
+  @Override
+  public void destroy() {
+  }
+
+
+  class XSSProtectionResponseWrapper extends HttpServletResponseWrapper {
+
+    XSSProtectionResponseWrapper(HttpServletResponse res) {
+      super(res);
+    }
+
+    @Override
+    public void addHeader(String name, String value) {
+      // don't allow additional values to be added to
+      // the configured options value in topology
+      if (!name.equals(X_XSS_PROTECTION)) {
+        super.addHeader(name, value);
+      }
+    }
+
+    @Override
+    public void setHeader(String name, String value) {
+      // don't allow overwriting of configured value
+      if (!name.equals(X_XSS_PROTECTION)) {
+        super.setHeader(name, value);
+      }
+    }
+
+    @Override
+    public String getHeader(String name) {
+      String headerValue = null;
+      if (name.equals(X_XSS_PROTECTION)) {
+        headerValue = option;
+      }
+      else {
+        headerValue = super.getHeader(name);
+      }
+      return headerValue;
+    }
+
+    /**
+     * get the Header names
+     */
+    @Override
+    public Collection<String> getHeaderNames() {
+      List<String> names = (List<String>) super.getHeaderNames();
+      if (names == null) {
+        names = new ArrayList();
+      }
+      names.add(X_XSS_PROTECTION);
+      return names;
+    }
+
+    @Override
+    public Collection<String> getHeaders(String name) {
+      List<String> values = (List<String>) super.getHeaders(name);
+      if (name.equals(X_XSS_PROTECTION)) {
+        if (values == null) {
+          values = new ArrayList();
+        }
+        values.add(option);
+      }
+      return values;
+    }
+  }
+
+}
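Review bot: The guards in the wrapper's `addHeader`, `setHeader`, `getHeader` and `getHeaders` compare the header name with case-sensitive `equals`, but HTTP header names are case-insensitive, so a proxied application calling `setHeader("x-xss-protection", "0")` passes through the wrapper untouched and overrides the configured value; `if (!name.equalsIgnoreCase(X_XSS_PROTECTION)) {` in the two setters, and the matching `equalsIgnoreCase` in the two getters, closes that gap. The same wrapper pattern is duplicated in StrictTransportFilter.java in this commit and has the same weakness. Separately, `new ArrayList()` in `getHeaderNames` and `getHeaders` is a raw type (`new ArrayList<>()`), and the `(List<String>)` cast of `super.getHeaderNames()` / `super.getHeaders(name)` assumes the container hands back a mutable `List` when the servlet API only promises a `Collection`; copying into a fresh `ArrayList<>(...)` after the null check avoids both a possible `ClassCastException` and mutating a collection the container may own.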

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
deleted file mode 100644
index fa0b5b6..0000000
--- a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
+++ /dev/null
@@ -1,164 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.knox.gateway.webappsec;
-
-import static org.junit.Assert.fail;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Enumeration;
-import java.util.Properties;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.knox.gateway.webappsec.filter.StrictTranportFilter;
-import org.easymock.EasyMock;
-import org.junit.Assert;
-import org.junit.Test;
-
-/**
- *
- */
-public class StrictTranportFilterTest {
-  /**
-   * 
-   */
-  private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
-  String options = null;
-  Collection<String> headerNames = null;
-  Collection<String> headers = null;
-
-  @Test
-  public void testDefaultOptionsValue() throws Exception {
-    try {
-      StrictTranportFilter filter = new StrictTranportFilter();
-      Properties props = new Properties();
-      props.put("strict.transport.enabled", "true");
-      filter.init(new TestFilterConfig(props));
-
-      HttpServletRequest request = EasyMock.createNiceMock(
-          HttpServletRequest.class);
-      HttpServletResponse response = EasyMock.createNiceMock(
-          HttpServletResponse.class);
-      EasyMock.replay(request);
-      EasyMock.replay(response);
-
-      TestFilterChain chain = new TestFilterChain();
-      filter.doFilter(request, response, chain);
-      Assert.assertTrue("doFilterCalled should not be false.",
-          chain.doFilterCalled );
-      Assert.assertTrue("Options value incorrect should be max-age=31536000 but is: "
-          + options, "max-age=31536000".equals(options));
-
-      Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
-    } catch (ServletException se) {
-      fail("Should NOT have thrown a ServletException.");
-    }
-  }
-
-  @Test
-  public void testConfiguredOptionsValue() throws Exception {
-    try {
-      StrictTranportFilter filter = new StrictTranportFilter();
-      Properties props = new Properties();
-      props.put("strict.transport.enabled", "true");
-      props.put("strict.transport", "max-age=31536010; includeSubDomains");
-      filter.init(new TestFilterConfig(props));
-
-      HttpServletRequest request = EasyMock.createNiceMock(
-          HttpServletRequest.class);
-      HttpServletResponse response = EasyMock.createNiceMock(
-          HttpServletResponse.class);
-      EasyMock.replay(request);
-      EasyMock.replay(response);
-
-      TestFilterChain chain = new TestFilterChain();
-      filter.doFilter(request, response, chain);
-      Assert.assertTrue("doFilterCalled should not be false.",
-          chain.doFilterCalled );
-      Assert.assertTrue("Options value incorrect should be max-age=31536010; includeSubDomains
but is: "
-          + options, "max-age=31536010; includeSubDomains".equals(options));
-
-      Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
-    } catch (ServletException se) {
-      fail("Should NOT have thrown a ServletException.");
-    }
-  }
-
-  class TestFilterConfig implements FilterConfig {
-    Properties props = null;
-
-    public TestFilterConfig(Properties props) {
-      this.props = props;
-    }
-
-    @Override
-    public String getFilterName() {
-      return null;
-    }
-
-    /* (non-Javadoc)
-     * @see javax.servlet.FilterConfig#getServletContext()
-     */
-    @Override
-    public ServletContext getServletContext() {
-      return null;
-    }
-
-    /* (non-Javadoc)
-     * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
-     */
-    @Override
-    public String getInitParameter(String name) {
-      return props.getProperty(name, null);
-    }
-
-    /* (non-Javadoc)
-     * @see javax.servlet.FilterConfig#getInitParameterNames()
-     */
-    @Override
-    public Enumeration<String> getInitParameterNames() {
-      return null;
-    }
-    
-  }
-
-  class TestFilterChain implements FilterChain {
-    boolean doFilterCalled = false;
-
-    /* (non-Javadoc)
-     * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
-     */
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response)
-        throws IOException, ServletException {
-      doFilterCalled = true;
-      options = ((HttpServletResponse)response).getHeader(STRICT_TRANSPORT);
-      headerNames = ((HttpServletResponse)response).getHeaderNames();
-      headers = ((HttpServletResponse)response).getHeaders(STRICT_TRANSPORT);
-    }
-    
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
new file mode 100644
index 0000000..59af5e1
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec;
+
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Properties;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.knox.gateway.webappsec.filter.StrictTransportFilter;
+import org.easymock.EasyMock;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class StrictTransportFilterTest {
+  /**
+   * 
+   */
+  private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
+  String options = null;
+  Collection<String> headerNames = null;
+  Collection<String> headers = null;
+
+  @Test
+  public void testDefaultOptionsValue() throws Exception {
+    try {
+      StrictTransportFilter filter = new StrictTransportFilter();
+      Properties props = new Properties();
+      props.put("strict.transport.enabled", "true");
+      filter.init(new TestFilterConfig(props));
+
+      HttpServletRequest request = EasyMock.createNiceMock(
+          HttpServletRequest.class);
+      HttpServletResponse response = EasyMock.createNiceMock(
+          HttpServletResponse.class);
+      EasyMock.replay(request);
+      EasyMock.replay(response);
+
+      TestFilterChain chain = new TestFilterChain();
+      filter.doFilter(request, response, chain);
+      Assert.assertTrue("doFilterCalled should not be false.",
+          chain.doFilterCalled );
+      Assert.assertTrue("Options value incorrect should be max-age=31536000 but is: "
+          + options, "max-age=31536000".equals(options));
+
+      Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
+    } catch (ServletException se) {
+      fail("Should NOT have thrown a ServletException.");
+    }
+  }
+
+  @Test
+  public void testConfiguredOptionsValue() throws Exception {
+    try {
+      StrictTransportFilter filter = new StrictTransportFilter();
+      Properties props = new Properties();
+      props.put("strict.transport.enabled", "true");
+      props.put("strict.transport", "max-age=31536010; includeSubDomains");
+      filter.init(new TestFilterConfig(props));
+
+      HttpServletRequest request = EasyMock.createNiceMock(
+          HttpServletRequest.class);
+      HttpServletResponse response = EasyMock.createNiceMock(
+          HttpServletResponse.class);
+      EasyMock.replay(request);
+      EasyMock.replay(response);
+
+      TestFilterChain chain = new TestFilterChain();
+      filter.doFilter(request, response, chain);
+      Assert.assertTrue("doFilterCalled should not be false.",
+          chain.doFilterCalled );
+      Assert.assertTrue("Options value incorrect should be max-age=31536010; includeSubDomains
but is: "
+          + options, "max-age=31536010; includeSubDomains".equals(options));
+
+      Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
+    } catch (ServletException se) {
+      fail("Should NOT have thrown a ServletException.");
+    }
+  }
+
+  class TestFilterConfig implements FilterConfig {
+    Properties props = null;
+
+    public TestFilterConfig(Properties props) {
+      this.props = props;
+    }
+
+    @Override
+    public String getFilterName() {
+      return null;
+    }
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterConfig#getServletContext()
+     */
+    @Override
+    public ServletContext getServletContext() {
+      return null;
+    }
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
+     */
+    @Override
+    public String getInitParameter(String name) {
+      return props.getProperty(name, null);
+    }
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterConfig#getInitParameterNames()
+     */
+    @Override
+    public Enumeration<String> getInitParameterNames() {
+      return null;
+    }
+    
+  }
+
+  class TestFilterChain implements FilterChain {
+    boolean doFilterCalled = false;
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response)
+        throws IOException, ServletException {
+      doFilterCalled = true;
+      options = ((HttpServletResponse)response).getHeader(STRICT_TRANSPORT);
+      headerNames = ((HttpServletResponse)response).getHeaderNames();
+      headers = ((HttpServletResponse)response).getHeaders(STRICT_TRANSPORT);
+    }
+    
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
new file mode 100644
index 0000000..e6bc3de
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.webappsec;
+
+import org.apache.knox.gateway.webappsec.filter.XSSProtectionFilter;
+import org.easymock.EasyMock;
+import org.junit.Assert;
+import org.junit.Test;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Properties;
+
+import static org.junit.Assert.fail;
+
+public class XSSProtectionFilterTest {
+
+  private String options = null;
+  private Collection<String> headers = null;
+
+  @Test
+  public void testDefaultOptionsValue() throws Exception {
+    try {
+      final String expectedDefaultValue = XSSProtectionFilter.DEFAULT_VALUE;
+
+      XSSProtectionFilter filter = new XSSProtectionFilter();
+      Properties props = new Properties();
+      props.put("xss.protection.enabled", "true");
+      filter.init(new TestFilterConfig(props));
+
+      HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+      HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+      EasyMock.replay(request);
+      EasyMock.replay(response);
+
+      TestFilterChain chain = new TestFilterChain();
+      filter.doFilter(request, response, chain);
+      Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled );
+      Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " value incorrect.", expectedDefaultValue,
options);
+      Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " count incorrect.", 1,
headers.size());
+    } catch (ServletException se) {
+      fail("Should NOT have thrown a ServletException.");
+    }
+  }
+
+  @Test
+  public void testConfiguredOptionsValue() throws Exception {
+    try {
+      final String customOption = "1;report=http://example.com/report_URI";
+
+      XSSProtectionFilter filter = new XSSProtectionFilter();
+      Properties props = new Properties();
+      props.put("xss.protection.enabled", "true");
+      props.put("xss.protection", customOption);
+      filter.init(new TestFilterConfig(props));
+
+      HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+      HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+      EasyMock.replay(request);
+      EasyMock.replay(response);
+
+      TestFilterChain chain = new TestFilterChain();
+      filter.doFilter(request, response, chain);
+      Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled );
+      Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " value incorrect", customOption,
options);
+      Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " count incorrect.", 1,
headers.size());
+    } catch (ServletException se) {
+      fail("Should NOT have thrown a ServletException.");
+    }
+  }
+
+  private static class TestFilterConfig implements FilterConfig {
+    Properties props = null;
+
+    public TestFilterConfig(Properties props) {
+      this.props = props;
+    }
+
+    @Override
+    public String getFilterName() {
+      return null;
+    }
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterConfig#getServletContext()
+     */
+    @Override
+    public ServletContext getServletContext() {
+      return null;
+    }
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
+     */
+    @Override
+    public String getInitParameter(String name) {
+      return props.getProperty(name, null);
+    }
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterConfig#getInitParameterNames()
+     */
+    @Override
+    public Enumeration<String> getInitParameterNames() {
+      return null;
+    }
+
+  }
+
+  class TestFilterChain implements FilterChain {
+    boolean doFilterCalled = false;
+
+    /* (non-Javadoc)
+     * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response) throws IOException,
ServletException {
+      doFilterCalled = true;
+      options = ((HttpServletResponse)response).getHeader(XSSProtectionFilter.X_XSS_PROTECTION);
+      headers = ((HttpServletResponse)response).getHeaders(XSSProtectionFilter.X_XSS_PROTECTION);
+    }
+
+  }
+
+
+}
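Review bot: The try/catch wrapping each test body in testDefaultOptionsValue and testConfiguredOptionsValue is redundant and hides diagnostics: both methods already declare `throws Exception`, so a ServletException would fail the test on its own, while `fail("Should NOT have thrown a ServletException.")` discards the exception's message and stack trace. Drop the try/catch and let the exception propagate, or at minimum keep the cause visible with `fail("Should NOT have thrown a ServletException: " + se);`. Both tests only exercise the enabled case; a third test with `xss.protection.enabled` unset (or `false`) asserting that `options` is null would pin down that the filter emits no `X-XSS-Protection` header when disabled, assuming the filter gates on that property the way the property names in the test suggest. The count assertion on `headers.size()` also never checks the header's content; adding `Assert.assertTrue(headers.contains(expectedDefaultValue));` (and the `customOption` equivalent) would catch a duplicated or wrong value that a size-only check lets through.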

http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-release/home/conf/topologies/manager.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/topologies/manager.xml b/gateway-release/home/conf/topologies/manager.xml
index 0c5d975..4fca820 100644
--- a/gateway-release/home/conf/topologies/manager.xml
+++ b/gateway-release/home/conf/topologies/manager.xml
@@ -27,6 +27,7 @@
             <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
             <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
             <param><name>xframe.options.enabled</name><value>true</value></param>
+            <param><name>xss.protection.enabled</name><value>true</value></param>
             <param><name>strict.transport.enabled</name><value>true</value></param>
         </provider>
 

