Repository: knox
Updated Branches:
refs/heads/master 76df40b95 -> 2a8d86617
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
----------------------------------------------------------------------
diff --git a/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
b/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
index 8830115..221e907 100644
--- a/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
+++ b/gateway-discovery-ambari/src/main/java/org/apache/knox/gateway/topology/discovery/ambari/RESTInvoker.java
@@ -105,6 +105,9 @@ class RESTInvoker {
org.apache.commons.codec.binary.Base64.encodeBase64String((username +
":" + password).getBytes());
request.addHeader(new BasicHeader("Authorization", "Basic " + encodedCreds));
+ // Ambari CSRF protection
+ request.addHeader("X-Requested-By", "Knox");
+
response = httpClient.execute(request);
if (HttpStatus.SC_OK == response.getStatusLine().getStatusCode()) {
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
index 71a5af9..eed8ec3 100644
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java
@@ -42,8 +42,11 @@ public class WebAppSecContributor extends
private static final String XFRAME_OPTIONS_SUFFIX = "_XFRAMEOPTIONS";
private static final String XFRAME_OPTIONS_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter";
private static final String XFRAME_OPTIONS_ENABLED = "xframe.options.enabled";
+ private static final String XSS_PROTECTION_SUFFIX = "_XSSPROTECTION";
+ private static final String XSS_PROTECTION_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.XSSProtectionFilter";
+ private static final String XSS_PROTECTION_ENABLED = "xss.protection.enabled";
private static final String STRICT_TRANSPORT_SUFFIX = "_STRICTTRANSPORT";
- private static final String STRICT_TRANSPORT_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.StrictTranportFilter";
+ private static final String STRICT_TRANSPORT_FILTER_CLASSNAME = "org.apache.knox.gateway.webappsec.filter.StrictTransportFilter";
private static final String STRICT_TRANSPORT_ENABLED = "strict.transport.enabled";
@@ -97,6 +100,14 @@ public class WebAppSecContributor extends
resource.addFilter().name( getName() + XFRAME_OPTIONS_SUFFIX ).role( getRole() ).impl(
XFRAME_OPTIONS_FILTER_CLASSNAME ).params( params );
}
+ // X-XSS-Protection - browser xss protection
+ params = new ArrayList<FilterParamDescriptor>();
+ String xssProtectionEnabled = map.get(XSS_PROTECTION_ENABLED);
+ if ( xssProtectionEnabled != null && "true".equals(xssProtectionEnabled)) {
+ provisionConfig(resource, providerParams, params, "xss.");
+ resource.addFilter().name( getName() + XSS_PROTECTION_SUFFIX ).role( getRole() ).impl(
XSS_PROTECTION_FILTER_CLASSNAME ).params( params );
+ }
+
// HTTP Strict-Transport-Security
params = new ArrayList<FilterParamDescriptor>();
String strictTranportEnabled = map.get(STRICT_TRANSPORT_ENABLED);
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
deleted file mode 100644
index 0856297..0000000
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTranportFilter.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.knox.gateway.webappsec.filter;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
-
-/**
- * This filter protects proxied webapps from protocol downgrade attacks
- * and cookie hijacking.
- */
-public class StrictTranportFilter implements Filter {
- private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
- private static final String CUSTOM_HEADER_PARAM = "strict.transport";
-
- private String option = "max-age=31536000";
-
- /* (non-Javadoc)
- * @see javax.servlet.Filter#destroy()
- */
- @Override
- public void destroy() {
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
- */
- @Override
- public void doFilter(ServletRequest req, ServletResponse res,
- FilterChain chain) throws IOException, ServletException {
- ((HttpServletResponse) res).setHeader(STRICT_TRANSPORT, option);
- chain.doFilter(req, new StrictTranportResponseWrapper((HttpServletResponse) res));
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
- */
- @Override
- public void init(FilterConfig config) throws ServletException {
- String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
- if (customOption != null) {
- option = customOption;
- }
- }
-
- public class StrictTranportResponseWrapper extends HttpServletResponseWrapper {
- @Override
- public void addHeader(String name, String value) {
- // don't allow additional values to be added to
- // the configured options value in topology
- if (!name.equals(STRICT_TRANSPORT)) {
- super.addHeader(name, value);
- }
- }
-
- @Override
- public void setHeader(String name, String value) {
- // don't allow overwriting of configured value
- if (!name.equals(STRICT_TRANSPORT)) {
- super.setHeader(name, value);
- }
- }
-
- /**
- * construct a wrapper for this request
- *
- * @param request
- */
- public StrictTranportResponseWrapper(HttpServletResponse response) {
- super(response);
- }
-
- @Override
- public String getHeader(String name) {
- String headerValue = null;
- if (name.equals(STRICT_TRANSPORT)) {
- headerValue = option;
- }
- else {
- headerValue = super.getHeader(name);
- }
- return headerValue;
- }
-
- /**
- * get the Header names
- */
- @Override
- public Collection<String> getHeaderNames() {
- List<String> names = (List<String>) super.getHeaderNames();
- if (names == null) {
- names = new ArrayList<String>();
- }
- names.add(STRICT_TRANSPORT);
- return names;
- }
-
- @Override
- public Collection<String> getHeaders(String name) {
- List<String> values = (List<String>) super.getHeaders(name);
- if (name.equals(STRICT_TRANSPORT)) {
- if (values == null) {
- values = new ArrayList<String>();
- }
- values.add(option);
- }
- return values;
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
new file mode 100644
index 0000000..91b6122
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/StrictTransportFilter.java
@@ -0,0 +1,137 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+/**
+ * This filter protects proxied webapps from protocol downgrade attacks
+ * and cookie hijacking.
+ */
+public class StrictTransportFilter implements Filter {
+ private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
+ private static final String CUSTOM_HEADER_PARAM = "strict.transport";
+
+ private String option = "max-age=31536000";
+
+ /* (non-Javadoc)
+ * @see javax.servlet.Filter#destroy()
+ */
+ @Override
+ public void destroy() {
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
+ */
+ @Override
+ public void doFilter(ServletRequest req, ServletResponse res,
+ FilterChain chain) throws IOException, ServletException {
+ ((HttpServletResponse) res).setHeader(STRICT_TRANSPORT, option);
+ chain.doFilter(req, new StrictTransportResponseWrapper((HttpServletResponse) res));
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+ */
+ @Override
+ public void init(FilterConfig config) throws ServletException {
+ String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
+ if (customOption != null) {
+ option = customOption;
+ }
+ }
+
+ public class StrictTransportResponseWrapper extends HttpServletResponseWrapper {
+ @Override
+ public void addHeader(String name, String value) {
+ // don't allow additional values to be added to
+ // the configured options value in topology
+ if (!name.equals(STRICT_TRANSPORT)) {
+ super.addHeader(name, value);
+ }
+ }
+
+ @Override
+ public void setHeader(String name, String value) {
+ // don't allow overwriting of configured value
+ if (!name.equals(STRICT_TRANSPORT)) {
+ super.setHeader(name, value);
+ }
+ }
+
+ /**
+ * construct a wrapper for this response
+ *
+ * @param response
+ */
+ public StrictTransportResponseWrapper(HttpServletResponse response) {
+ super(response);
+ }
+
+ @Override
+ public String getHeader(String name) {
+ String headerValue = null;
+ if (name.equals(STRICT_TRANSPORT)) {
+ headerValue = option;
+ }
+ else {
+ headerValue = super.getHeader(name);
+ }
+ return headerValue;
+ }
+
+ /**
+ * get the Header names
+ */
+ @Override
+ public Collection<String> getHeaderNames() {
+ List<String> names = (List<String>) super.getHeaderNames();
+ if (names == null) {
+ names = new ArrayList<String>();
+ }
+ names.add(STRICT_TRANSPORT);
+ return names;
+ }
+
+ @Override
+ public Collection<String> getHeaders(String name) {
+ List<String> values = (List<String>) super.getHeaders(name);
+ if (name.equals(STRICT_TRANSPORT)) {
+ if (values == null) {
+ values = new ArrayList<String>();
+ }
+ values.add(option);
+ }
+ return values;
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
index 3c67764..e980a2e 100644
--- a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XFrameOptionsFilter.java
@@ -88,9 +88,9 @@ public class XFrameOptionsFilter implements Filter {
}
/**
- * construct a wrapper for this request
+ * construct a wrapper for this response
*
- * @param request
+ * @param response
*/
public XFrameOptionsResponseWrapper(HttpServletResponse response) {
super(response);
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
new file mode 100644
index 0000000..d3515ed
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/filter/XSSProtectionFilter.java
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.webappsec.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public class XSSProtectionFilter implements Filter {
+
+ public static final String X_XSS_PROTECTION = "X-XSS-Protection";
+ public static final String CUSTOM_HEADER_PARAM = "xss.protection";
+
+ public static final String DEFAULT_VALUE = "1;mode=block";
+
+
+ private String option = DEFAULT_VALUE;
+
+
+ /* (non-Javadoc)
+ * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+ */
+ @Override
+ public void init(FilterConfig config) throws ServletException {
+ String customOption = config.getInitParameter(CUSTOM_HEADER_PARAM);
+ if (customOption != null) {
+ option = customOption;
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
javax.servlet.FilterChain)
+ */
+ @Override
+ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws
IOException, ServletException {
+ ((HttpServletResponse) res).setHeader(X_XSS_PROTECTION, option);
+ chain.doFilter(req, new XSSProtectionResponseWrapper((HttpServletResponse) res));
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.Filter#destroy()
+ */
+ @Override
+ public void destroy() {
+ }
+
+
+ class XSSProtectionResponseWrapper extends HttpServletResponseWrapper {
+
+ XSSProtectionResponseWrapper(HttpServletResponse res) {
+ super(res);
+ }
+
+ @Override
+ public void addHeader(String name, String value) {
+ // don't allow additional values to be added to
+ // the configured options value in topology
+ if (!name.equals(X_XSS_PROTECTION)) {
+ super.addHeader(name, value);
+ }
+ }
+
+ @Override
+ public void setHeader(String name, String value) {
+ // don't allow overwriting of configured value
+ if (!name.equals(X_XSS_PROTECTION)) {
+ super.setHeader(name, value);
+ }
+ }
+
+ @Override
+ public String getHeader(String name) {
+ String headerValue = null;
+ if (name.equals(X_XSS_PROTECTION)) {
+ headerValue = option;
+ }
+ else {
+ headerValue = super.getHeader(name);
+ }
+ return headerValue;
+ }
+
+ /**
+ * get the Header names
+ */
+ @Override
+ public Collection<String> getHeaderNames() {
+ List<String> names = (List<String>) super.getHeaderNames();
+ if (names == null) {
+ names = new ArrayList();
+ }
+ names.add(X_XSS_PROTECTION);
+ return names;
+ }
+
+ @Override
+ public Collection<String> getHeaders(String name) {
+ List<String> values = (List<String>) super.getHeaders(name);
+ if (name.equals(X_XSS_PROTECTION)) {
+ if (values == null) {
+ values = new ArrayList();
+ }
+ values.add(option);
+ }
+ return values;
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
deleted file mode 100644
index fa0b5b6..0000000
--- a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTranportFilterTest.java
+++ /dev/null
@@ -1,164 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.knox.gateway.webappsec;
-
-import static org.junit.Assert.fail;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Enumeration;
-import java.util.Properties;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.knox.gateway.webappsec.filter.StrictTranportFilter;
-import org.easymock.EasyMock;
-import org.junit.Assert;
-import org.junit.Test;
-
-/**
- *
- */
-public class StrictTranportFilterTest {
- /**
- *
- */
- private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
- String options = null;
- Collection<String> headerNames = null;
- Collection<String> headers = null;
-
- @Test
- public void testDefaultOptionsValue() throws Exception {
- try {
- StrictTranportFilter filter = new StrictTranportFilter();
- Properties props = new Properties();
- props.put("strict.transport.enabled", "true");
- filter.init(new TestFilterConfig(props));
-
- HttpServletRequest request = EasyMock.createNiceMock(
- HttpServletRequest.class);
- HttpServletResponse response = EasyMock.createNiceMock(
- HttpServletResponse.class);
- EasyMock.replay(request);
- EasyMock.replay(response);
-
- TestFilterChain chain = new TestFilterChain();
- filter.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.",
- chain.doFilterCalled );
- Assert.assertTrue("Options value incorrect should be max-age=31536000 but is: "
- + options, "max-age=31536000".equals(options));
-
- Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
-
- @Test
- public void testConfiguredOptionsValue() throws Exception {
- try {
- StrictTranportFilter filter = new StrictTranportFilter();
- Properties props = new Properties();
- props.put("strict.transport.enabled", "true");
- props.put("strict.transport", "max-age=31536010; includeSubDomains");
- filter.init(new TestFilterConfig(props));
-
- HttpServletRequest request = EasyMock.createNiceMock(
- HttpServletRequest.class);
- HttpServletResponse response = EasyMock.createNiceMock(
- HttpServletResponse.class);
- EasyMock.replay(request);
- EasyMock.replay(response);
-
- TestFilterChain chain = new TestFilterChain();
- filter.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.",
- chain.doFilterCalled );
- Assert.assertTrue("Options value incorrect should be max-age=31536010; includeSubDomains
but is: "
- + options, "max-age=31536010; includeSubDomains".equals(options));
-
- Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
-
- class TestFilterConfig implements FilterConfig {
- Properties props = null;
-
- public TestFilterConfig(Properties props) {
- this.props = props;
- }
-
- @Override
- public String getFilterName() {
- return null;
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterConfig#getServletContext()
- */
- @Override
- public ServletContext getServletContext() {
- return null;
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
- */
- @Override
- public String getInitParameter(String name) {
- return props.getProperty(name, null);
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterConfig#getInitParameterNames()
- */
- @Override
- public Enumeration<String> getInitParameterNames() {
- return null;
- }
-
- }
-
- class TestFilterChain implements FilterChain {
- boolean doFilterCalled = false;
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
- */
- @Override
- public void doFilter(ServletRequest request, ServletResponse response)
- throws IOException, ServletException {
- doFilterCalled = true;
- options = ((HttpServletResponse)response).getHeader(STRICT_TRANSPORT);
- headerNames = ((HttpServletResponse)response).getHeaderNames();
- headers = ((HttpServletResponse)response).getHeaders(STRICT_TRANSPORT);
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
new file mode 100644
index 0000000..59af5e1
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/StrictTransportFilterTest.java
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.webappsec;
+
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Properties;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.knox.gateway.webappsec.filter.StrictTransportFilter;
+import org.easymock.EasyMock;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class StrictTransportFilterTest {
+ /**
+ *
+ */
+ private static final String STRICT_TRANSPORT = "Strict-Transport-Security";
+ String options = null;
+ Collection<String> headerNames = null;
+ Collection<String> headers = null;
+
+ @Test
+ public void testDefaultOptionsValue() throws Exception {
+ try {
+ StrictTransportFilter filter = new StrictTransportFilter();
+ Properties props = new Properties();
+ props.put("strict.transport.enabled", "true");
+ filter.init(new TestFilterConfig(props));
+
+ HttpServletRequest request = EasyMock.createNiceMock(
+ HttpServletRequest.class);
+ HttpServletResponse response = EasyMock.createNiceMock(
+ HttpServletResponse.class);
+ EasyMock.replay(request);
+ EasyMock.replay(response);
+
+ TestFilterChain chain = new TestFilterChain();
+ filter.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.",
+ chain.doFilterCalled );
+ Assert.assertTrue("Options value incorrect should be max-age=31536000 but is: "
+ + options, "max-age=31536000".equals(options));
+
+ Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ @Test
+ public void testConfiguredOptionsValue() throws Exception {
+ try {
+ StrictTransportFilter filter = new StrictTransportFilter();
+ Properties props = new Properties();
+ props.put("strict.transport.enabled", "true");
+ props.put("strict.transport", "max-age=31536010; includeSubDomains");
+ filter.init(new TestFilterConfig(props));
+
+ HttpServletRequest request = EasyMock.createNiceMock(
+ HttpServletRequest.class);
+ HttpServletResponse response = EasyMock.createNiceMock(
+ HttpServletResponse.class);
+ EasyMock.replay(request);
+ EasyMock.replay(response);
+
+ TestFilterChain chain = new TestFilterChain();
+ filter.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.",
+ chain.doFilterCalled );
+ Assert.assertTrue("Options value incorrect should be max-age=31536010; includeSubDomains
but is: "
+ + options, "max-age=31536010; includeSubDomains".equals(options));
+
+ Assert.assertTrue("Strict-Transport-Security count not equal to 1.", headers.size()
== 1);
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ class TestFilterConfig implements FilterConfig {
+ Properties props = null;
+
+ public TestFilterConfig(Properties props) {
+ this.props = props;
+ }
+
+ @Override
+ public String getFilterName() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getServletContext()
+ */
+ @Override
+ public ServletContext getServletContext() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
+ */
+ @Override
+ public String getInitParameter(String name) {
+ return props.getProperty(name, null);
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getInitParameterNames()
+ */
+ @Override
+ public Enumeration<String> getInitParameterNames() {
+ return null;
+ }
+
+ }
+
+ class TestFilterChain implements FilterChain {
+ boolean doFilterCalled = false;
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response)
+ throws IOException, ServletException {
+ doFilterCalled = true;
+ options = ((HttpServletResponse)response).getHeader(STRICT_TRANSPORT);
+ headerNames = ((HttpServletResponse)response).getHeaderNames();
+ headers = ((HttpServletResponse)response).getHeaders(STRICT_TRANSPORT);
+ }
+
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
new file mode 100644
index 0000000..e6bc3de
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/test/java/org/apache/knox/gateway/webappsec/XSSProtectionFilterTest.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.webappsec;
+
+import org.apache.knox.gateway.webappsec.filter.XSSProtectionFilter;
+import org.easymock.EasyMock;
+import org.junit.Assert;
+import org.junit.Test;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Properties;
+
+import static org.junit.Assert.fail;
+
+public class XSSProtectionFilterTest {
+
+ private String options = null;
+ private Collection<String> headers = null;
+
+ @Test
+ public void testDefaultOptionsValue() throws Exception {
+ try {
+ final String expectedDefaultValue = XSSProtectionFilter.DEFAULT_VALUE;
+
+ XSSProtectionFilter filter = new XSSProtectionFilter();
+ Properties props = new Properties();
+ props.put("xss.protection.enabled", "true");
+ filter.init(new TestFilterConfig(props));
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.replay(request);
+ EasyMock.replay(response);
+
+ TestFilterChain chain = new TestFilterChain();
+ filter.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled );
+ Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " value incorrect.", expectedDefaultValue,
options);
+ Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " count incorrect.", 1,
headers.size());
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ @Test
+ public void testConfiguredOptionsValue() throws Exception {
+ try {
+ final String customOption = "1;report=http://example.com/report_URI";
+
+ XSSProtectionFilter filter = new XSSProtectionFilter();
+ Properties props = new Properties();
+ props.put("xss.protection.enabled", "true");
+ props.put("xss.protection", customOption);
+ filter.init(new TestFilterConfig(props));
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.replay(request);
+ EasyMock.replay(response);
+
+ TestFilterChain chain = new TestFilterChain();
+ filter.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled );
+ Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " value incorrect", customOption,
options);
+ Assert.assertEquals(XSSProtectionFilter.X_XSS_PROTECTION + " count incorrect.", 1,
headers.size());
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ private static class TestFilterConfig implements FilterConfig {
+ Properties props = null;
+
+ public TestFilterConfig(Properties props) {
+ this.props = props;
+ }
+
+ @Override
+ public String getFilterName() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getServletContext()
+ */
+ @Override
+ public ServletContext getServletContext() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
+ */
+ @Override
+ public String getInitParameter(String name) {
+ return props.getProperty(name, null);
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getInitParameterNames()
+ */
+ @Override
+ public Enumeration<String> getInitParameterNames() {
+ return null;
+ }
+
+ }
+
+ class TestFilterChain implements FilterChain {
+ boolean doFilterCalled = false;
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response) throws IOException,
ServletException {
+ doFilterCalled = true;
+ options = ((HttpServletResponse)response).getHeader(XSSProtectionFilter.X_XSS_PROTECTION);
+ headers = ((HttpServletResponse)response).getHeaders(XSSProtectionFilter.X_XSS_PROTECTION);
+ }
+
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/2a8d8661/gateway-release/home/conf/topologies/manager.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/topologies/manager.xml b/gateway-release/home/conf/topologies/manager.xml
index 0c5d975..4fca820 100644
--- a/gateway-release/home/conf/topologies/manager.xml
+++ b/gateway-release/home/conf/topologies/manager.xml
@@ -27,6 +27,7 @@
<param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
<param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
<param><name>xframe.options.enabled</name><value>true</value></param>
+ <param><name>xss.protection.enabled</name><value>true</value></param>
<param><name>strict.transport.enabled</name><value>true</value></param>
</provider>
|