/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.web.server;
import org.springframework.security.web.server.header.CacheControlHttpHeadersWriter;
import org.springframework.security.web.server.header.CompositeHttpHeadersWriter;
import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
import org.springframework.security.web.server.header.HttpHeaderWriterWebFilter;
import org.springframework.security.web.server.header.HttpHeadersWriter;
import org.springframework.security.web.server.header.StrictTransportSecurityHttpHeadersWriter;
import org.springframework.security.web.server.header.XFrameOptionsHttpHeadersWriter;
import org.springframework.security.web.server.header.XXssProtectionHttpHeadersWriter;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/**
* @author Rob Winch
* @since 5.0
*/
public class HeaderBuilder {
private final List<HttpHeadersWriter> writers;
private CacheControlHttpHeadersWriter cacheControl = new CacheControlHttpHeadersWriter();
private ContentTypeOptionsHttpHeadersWriter contentTypeOptions = new ContentTypeOptionsHttpHeadersWriter();
private StrictTransportSecurityHttpHeadersWriter hsts = new StrictTransportSecurityHttpHeadersWriter();
private XFrameOptionsHttpHeadersWriter frameOptions = new XFrameOptionsHttpHeadersWriter();
private XXssProtectionHttpHeadersWriter xss = new XXssProtectionHttpHeadersWriter();
public HeaderBuilder() {
this.writers = new ArrayList<>(Arrays.asList(cacheControl, contentTypeOptions, hsts, frameOptions, xss));
}
public CacheSpec cache() {
return new CacheSpec();
}
public ContentTypeOptionsSpec contentTypeOptions() {
return new ContentTypeOptionsSpec();
}
public FrameOptionsSpec frameOptions() {
return new FrameOptionsSpec();
}
public HstsSpec hsts() {
return new HstsSpec();
}
public HttpHeaderWriterWebFilter build() {
HttpHeadersWriter writer = new CompositeHttpHeadersWriter(writers);
return new HttpHeaderWriterWebFilter(writer);
}
public XssProtectionSpec xssProtection() {
return new XssProtectionSpec();
}
public class CacheSpec {
public void disable() {
writers.remove(cacheControl);
}
private CacheSpec() {}
}
public class ContentTypeOptionsSpec {
public void disable() {
writers.remove(contentTypeOptions);
}
private ContentTypeOptionsSpec() {}
}
public class FrameOptionsSpec {
public void mode(XFrameOptionsHttpHeadersWriter.Mode mode) {
frameOptions.setMode(mode);
}
public void disable() {
writers.remove(frameOptions);
}
private FrameOptionsSpec() {}
}
public class HstsSpec {
public void maxAge(Duration maxAge) {
hsts.setMaxAge(maxAge);
}
public void includeSubdomains(boolean includeSubDomains) {
hsts.setIncludeSubDomains(includeSubDomains);
}
public void disable() {
writers.remove(hsts);
}
private HstsSpec() {}
}
public class XssProtectionSpec {
public void disable() {
writers.remove(xss);
}
private XssProtectionSpec() {}
}
}