/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.ambari.server.security;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.inject.Inject;
/**
* AbstractSecurityHeaderFilter is an abstract class used to help add security-related headers to
* HTTP responses.
* <p/>
* This class is to be implemented to set the values for the following headers:
* <ol>
* <li>Strict-Transport-Security</li>
* <li>X-Frame-Options</li>
* <li>X-XSS-Protection</li>
* </ol>
* <p/>
* If the value for a particular header item is empty (or null) that header will not be added to the
* set of response headers.
*/
public abstract class AbstractSecurityHeaderFilter implements Filter {
protected final static String STRICT_TRANSPORT_HEADER = "Strict-Transport-Security";
protected final static String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
protected final static String X_XSS_PROTECTION_HEADER = "X-XSS-Protection";
protected final static String X_CONTENT_TYPE_HEADER = "X-Content-Type-Options";
protected final static String CACHE_CONTROL_HEADER = "Cache-Control";
protected final static String PRAGMA_HEADER = "Pragma";
/**
* The logger.
*/
private final static Logger LOG = LoggerFactory.getLogger(AbstractSecurityHeaderFilter.class);
/**
* Signals whether subsequent filters are allowed to override security headers
*/
protected final static String DENY_HEADER_OVERRIDES_FLAG = "deny.header.overrides.flag";
/**
* The Configuration object used to determine how Ambari is configured
*/
@Inject
private Configuration configuration;
/**
* Indicates whether Ambari is configured for SSL (true) or not (false). By default true is assumed
* since preparing for more security will not hurt and is better than not assuming SSL is enabled
* when it is.
*/
private boolean sslEnabled = true;
/**
* The value for the Strict-Transport-Security HTTP response header.
*/
private String strictTransportSecurity = Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue();
/**
* The value for the X-Frame-Options HTTP response header.
*/
private String xFrameOptionsHeader = Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue();
/**
* The value for the X-XSS-Protection HTTP response header.
*/
private String xXSSProtectionHeader = Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue();
/**
* The value for the Content-Type HTTP response header.
*/
private String xContentTypeHeader = Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue();
/**
* The value for the Cache-control HTTP response header.
*/
private String cacheControlHeader = Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue();
/**
* The value for the Pragma HTTP response header.
*/
private String pragmaHeader = Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue();
/**
* The value for the Charset HTTP response header.
*/
private String charset = Configuration.HTTP_CHARSET.getDefaultValue();
@Override
public void init(FilterConfig filterConfig) throws ServletException {
LOG.debug("Initializing {}", this.getClass().getName());
if (configuration == null) {
LOG.warn("The Ambari configuration object is not available, all default options will be assumed.");
} else {
processConfig(configuration);
}
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
if (checkPrerequisites(servletRequest)) {
doFilterInternal(servletRequest, servletResponse);
}
filterChain.doFilter(servletRequest, servletResponse);
}
/**
* Checks whether the security headers need to be set, if so signals it in a request parameter.
*
* @param servletRequest the incoming request
* @return true if headers need to be set, false otherwise
*/
protected abstract boolean checkPrerequisites(ServletRequest servletRequest);
@Override
public void destroy() {
LOG.debug("Destroying {}", this.getClass().getName());
}
protected abstract void processConfig(Configuration configuration);
protected void setSslEnabled(boolean sslEnabled) {
this.sslEnabled = sslEnabled;
}
protected void setStrictTransportSecurity(String strictTransportSecurity) {
this.strictTransportSecurity = strictTransportSecurity;
}
protected void setxFrameOptionsHeader(String xFrameOptionsHeader) {
this.xFrameOptionsHeader = xFrameOptionsHeader;
}
protected void setxXSSProtectionHeader(String xXSSProtectionHeader) {
this.xXSSProtectionHeader = xXSSProtectionHeader;
}
protected void setXContentTypeHeader(String xContentTypeHeader) {
this.xContentTypeHeader = xContentTypeHeader;
}
protected void setCacheControlHeader(String cacheControlHeader) {
this.cacheControlHeader = cacheControlHeader;
}
protected void setPragmaHeader(String pragmaHeader) {
this.pragmaHeader = pragmaHeader;
}
protected void setCharset(String charset) {
this.charset = charset;
}
private void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse) {
if (servletResponse instanceof HttpServletResponse) {
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
// Conditionally set the Strict-Transport-Security HTTP response header if SSL is enabled and
// a value is supplied
if (sslEnabled && !StringUtils.isEmpty(strictTransportSecurity)) {
httpServletResponse.setHeader(STRICT_TRANSPORT_HEADER, strictTransportSecurity);
}
if (!StringUtils.isEmpty(xFrameOptionsHeader)) {
// perform filter specific logic related to the X-Frame-Options HTTP response header
httpServletResponse.setHeader(X_FRAME_OPTIONS_HEADER, xFrameOptionsHeader);
}
// Conditionally set the X-XSS-Protection HTTP response header if a value is supplied
if (!StringUtils.isEmpty(xXSSProtectionHeader)) {
httpServletResponse.setHeader(X_XSS_PROTECTION_HEADER, xXSSProtectionHeader);
}
// Conditionally set the X-Content-Type HTTP response header if a value is supplied
if (!StringUtils.isEmpty(xContentTypeHeader)) {
httpServletResponse.setHeader(X_CONTENT_TYPE_HEADER, xContentTypeHeader);
}
// Conditionally set the X-Cache-Control HTTP response header if a value is supplied
if (!StringUtils.isEmpty(cacheControlHeader)) {
httpServletResponse.setHeader(CACHE_CONTROL_HEADER, cacheControlHeader);
}
// Conditionally set the X-Pragma HTTP response header if a value is supplied
if (!StringUtils.isEmpty(pragmaHeader)) {
httpServletResponse.setHeader(PRAGMA_HEADER, pragmaHeader);
}
// Conditionally set the Charset HTTP response header if a value is supplied
if (!StringUtils.isEmpty(charset)) {
httpServletResponse.setCharacterEncoding(charset);
}
}
}
}