You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by th...@apache.org on 2022/05/06 16:23:40 UTC
[nifi] branch main updated: NIFI-9995 Replaced Custom Filters with Spring Security HeaderWriter
This is an automated email from the ASF dual-hosted git repository.
thenatog pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new ea75a0a996 NIFI-9995 Replaced Custom Filters with Spring Security HeaderWriter
ea75a0a996 is described below
commit ea75a0a996ad937dcf501ab1dda8411b93d2f093
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Fri May 6 08:18:52 2022 -0500
NIFI-9995 Replaced Custom Filters with Spring Security HeaderWriter
Signed-off-by: Nathan Gough <th...@gmail.com>
This closes #6020.
---
.../filter/StandardRequestFilterProvider.java | 38 +++--
.../filter/RestApiRequestFilterProviderTest.java | 10 +-
.../filter/StandardRequestFilterProviderTest.java | 12 +-
.../headers/ContentSecurityPolicyFilter.java | 57 --------
.../headers/StrictTransportSecurityFilter.java | 58 --------
.../headers/XContentTypeOptionsFilter.java | 58 --------
.../web/security/headers/XFrameOptionsFilter.java | 58 --------
.../web/security/headers/XSSProtectionFilter.java | 58 --------
.../security/headers/HTTPHeaderFiltersTest.java | 160 ---------------------
9 files changed, 31 insertions(+), 478 deletions(-)
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java
index eab2f70815..f8f8aaea59 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/filter/StandardRequestFilterProvider.java
@@ -20,18 +20,21 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.DataUnit;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter;
-import org.apache.nifi.web.security.headers.StrictTransportSecurityFilter;
-import org.apache.nifi.web.security.headers.XContentTypeOptionsFilter;
-import org.apache.nifi.web.security.headers.XFrameOptionsFilter;
-import org.apache.nifi.web.security.headers.XSSProtectionFilter;
import org.apache.nifi.web.security.requests.ContentLengthFilter;
import org.apache.nifi.web.server.log.RequestAuthenticationFilter;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlets.DoSFilter;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.security.web.header.HeaderWriterFilter;
+import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
+import org.springframework.security.web.header.writers.HstsHeaderWriter;
+import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import javax.servlet.Filter;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
@@ -42,6 +45,8 @@ import java.util.concurrent.TimeUnit;
public class StandardRequestFilterProvider implements RequestFilterProvider {
private static final int MAX_CONTENT_SIZE_DISABLED = 0;
+ private static final String STANDARD_CONTENT_POLICY = "frame-ancestors 'self'";
+
/**
* Get Filters using provided NiFi Properties
*
@@ -54,13 +59,9 @@ public class StandardRequestFilterProvider implements RequestFilterProvider {
final List<FilterHolder> filters = new ArrayList<>();
- filters.add(getFilterHolder(XFrameOptionsFilter.class));
- filters.add(getFilterHolder(ContentSecurityPolicyFilter.class));
- filters.add(getFilterHolder(XSSProtectionFilter.class));
- filters.add(getFilterHolder(XContentTypeOptionsFilter.class));
+ filters.add(getHeaderWriterFilter());
if (properties.isHTTPSConfigured()) {
- filters.add(getFilterHolder(StrictTransportSecurityFilter.class));
filters.add(getFilterHolder(RequestAuthenticationFilter.class));
}
@@ -92,6 +93,21 @@ public class StandardRequestFilterProvider implements RequestFilterProvider {
return filter;
}
+ private FilterHolder getHeaderWriterFilter() {
+ final List<HeaderWriter> headerWriters = Arrays.asList(
+ new ContentSecurityPolicyHeaderWriter(STANDARD_CONTENT_POLICY),
+ new HstsHeaderWriter(),
+ new XContentTypeOptionsHeaderWriter(),
+ new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN),
+ new XXssProtectionHeaderWriter()
+ );
+
+ final HeaderWriterFilter headerWriterFilter = new HeaderWriterFilter(headerWriters);
+ final FilterHolder filterHolder = new FilterHolder(headerWriterFilter);
+ filterHolder.setName(HeaderWriterFilter.class.getSimpleName());
+ return filterHolder;
+ }
+
private FilterHolder getFilterHolder(final Class<? extends Filter> filterClass) {
final FilterHolder filter = new FilterHolder(filterClass);
filter.setName(filterClass.getSimpleName());
@@ -99,7 +115,7 @@ public class StandardRequestFilterProvider implements RequestFilterProvider {
}
private FilterHolder getContentLengthFilter(final int maxContentSize) {
- final FilterHolder filter = new FilterHolder(ContentLengthFilter.class);
+ final FilterHolder filter = getFilterHolder(ContentLengthFilter.class);
filter.setInitParameter(ContentLengthFilter.MAX_LENGTH_INIT_PARAM, Integer.toString(maxContentSize));
filter.setName(ContentLengthFilter.class.getSimpleName());
return filter;
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/RestApiRequestFilterProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/RestApiRequestFilterProviderTest.java
index b00f308170..30e27a7240 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/RestApiRequestFilterProviderTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/RestApiRequestFilterProviderTest.java
@@ -17,14 +17,11 @@
package org.apache.nifi.web.server.filter;
import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter;
-import org.apache.nifi.web.security.headers.XContentTypeOptionsFilter;
-import org.apache.nifi.web.security.headers.XFrameOptionsFilter;
-import org.apache.nifi.web.security.headers.XSSProtectionFilter;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlets.DoSFilter;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
+import org.springframework.security.web.header.HeaderWriterFilter;
import javax.servlet.Filter;
import java.util.Collections;
@@ -59,11 +56,8 @@ public class RestApiRequestFilterProviderTest {
assertNotNull(filters);
assertFalse(filters.isEmpty());
+ assertFilterClassFound(filters, HeaderWriterFilter.class);
assertFilterClassFound(filters, DataTransferExcludedDoSFilter.class);
- assertFilterClassFound(filters, XFrameOptionsFilter.class);
- assertFilterClassFound(filters, ContentSecurityPolicyFilter.class);
- assertFilterClassFound(filters, XSSProtectionFilter.class);
- assertFilterClassFound(filters, XContentTypeOptionsFilter.class);
}
private void assertFilterClassFound(final List<FilterHolder> filters, final Class<? extends Filter> filterClass) {
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/StandardRequestFilterProviderTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/StandardRequestFilterProviderTest.java
index feb4ba0148..037367459b 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/StandardRequestFilterProviderTest.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/filter/StandardRequestFilterProviderTest.java
@@ -17,16 +17,12 @@
package org.apache.nifi.web.server.filter;
import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter;
-import org.apache.nifi.web.security.headers.StrictTransportSecurityFilter;
-import org.apache.nifi.web.security.headers.XContentTypeOptionsFilter;
-import org.apache.nifi.web.security.headers.XFrameOptionsFilter;
-import org.apache.nifi.web.security.headers.XSSProtectionFilter;
import org.apache.nifi.web.security.requests.ContentLengthFilter;
import org.apache.nifi.web.server.log.RequestAuthenticationFilter;
import org.eclipse.jetty.servlet.FilterHolder;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
+import org.springframework.security.web.header.HeaderWriterFilter;
import javax.servlet.Filter;
import java.util.Collections;
@@ -83,18 +79,14 @@ public class StandardRequestFilterProviderTest {
assertStandardFiltersFound(filters);
assertFilterClassFound(filters, RequestAuthenticationFilter.class);
- assertFilterClassFound(filters, StrictTransportSecurityFilter.class);
}
private void assertStandardFiltersFound(final List<FilterHolder> filters) {
assertNotNull(filters);
assertFalse(filters.isEmpty());
+ assertFilterClassFound(filters, HeaderWriterFilter.class);
assertFilterClassFound(filters, DataTransferExcludedDoSFilter.class);
- assertFilterClassFound(filters, XFrameOptionsFilter.class);
- assertFilterClassFound(filters, ContentSecurityPolicyFilter.class);
- assertFilterClassFound(filters, XSSProtectionFilter.class);
- assertFilterClassFound(filters, XContentTypeOptionsFilter.class);
}
private void assertFilterClassFound(final List<FilterHolder> filters, final Class<? extends Filter> filterClass) {
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/ContentSecurityPolicyFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/ContentSecurityPolicyFilter.java
deleted file mode 100644
index ca4cd0f74f..0000000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/ContentSecurityPolicyFilter.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.headers;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterConfig;
-
-/**
- * A filter to apply the Content Security Policy header.
- *
- */
-public class ContentSecurityPolicyFilter implements Filter {
- private static final String HEADER = "Content-Security-Policy";
- private static final String POLICY = "frame-ancestors 'self'";
-
- private static final Logger logger = LoggerFactory.getLogger(ContentSecurityPolicyFilter.class);
-
- @Override
- public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
- throws IOException, ServletException {
-
- final HttpServletResponse response = (HttpServletResponse) resp;
- response.setHeader(HEADER, POLICY);
-
- filterChain.doFilter(req, resp);
- }
-
- @Override
- public void init(final FilterConfig config) {
- }
-
- @Override
- public void destroy() {
- }
-}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/StrictTransportSecurityFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/StrictTransportSecurityFilter.java
deleted file mode 100644
index 62468d7633..0000000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/StrictTransportSecurityFilter.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.headers;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * A filter to apply the HTTP Strict Transport Security (HSTS) HTTP header. This forces the browser to use HTTPS for
- * all
- */
-public class StrictTransportSecurityFilter implements Filter {
- private static final String HEADER = "Strict-Transport-Security";
- private static final String POLICY = "max-age=31540000";
-
- private static final Logger logger = LoggerFactory.getLogger(StrictTransportSecurityFilter.class);
-
- @Override
- public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
- throws IOException, ServletException {
-
- final HttpServletResponse response = (HttpServletResponse) resp;
- response.setHeader(HEADER, POLICY);
-
- filterChain.doFilter(req, resp);
- }
-
- @Override
- public void init(final FilterConfig config) {
- }
-
- @Override
- public void destroy() {
- }
-}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XContentTypeOptionsFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XContentTypeOptionsFilter.java
deleted file mode 100644
index 710f5ffb26..0000000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XContentTypeOptionsFilter.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.headers;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * A filter to apply the X-Content-Type-Options header.
- *
- */
-public class XContentTypeOptionsFilter implements Filter {
- private static final String HEADER = "X-Content-Type-Options";
- private static final String POLICY = "nosniff";
-
- private static final Logger logger = LoggerFactory.getLogger(XContentTypeOptionsFilter.class);
-
- @Override
- public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
- throws IOException, ServletException {
-
- final HttpServletResponse response = (HttpServletResponse) resp;
- response.setHeader(HEADER, POLICY);
-
- filterChain.doFilter(req, resp);
- }
-
- @Override
- public void init(final FilterConfig config) {
- }
-
- @Override
- public void destroy() {
- }
-}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XFrameOptionsFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XFrameOptionsFilter.java
deleted file mode 100644
index 44a1ac21f7..0000000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XFrameOptionsFilter.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.headers;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * A filter to apply the X-Frame-Options header.
- *
- */
-public class XFrameOptionsFilter implements Filter {
- private static final String HEADER = "X-Frame-Options";
- private static final String POLICY = "SAMEORIGIN";
-
- private static final Logger logger = LoggerFactory.getLogger(XFrameOptionsFilter.class);
-
- @Override
- public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
- throws IOException, ServletException {
-
- final HttpServletResponse response = (HttpServletResponse) resp;
- response.setHeader(HEADER, POLICY);
-
- filterChain.doFilter(req, resp);
- }
-
- @Override
- public void init(final FilterConfig config) {
- }
-
- @Override
- public void destroy() {
- }
-}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XSSProtectionFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XSSProtectionFilter.java
deleted file mode 100644
index 4fdf4ac8d9..0000000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/XSSProtectionFilter.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.headers;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * A filter to apply the Cross Site Scripting (XSS) HTTP header. Protects against reflected cross-site scripting attacks.
- * The browser will prevent rendering of the page if an attack is detected.
- */
-public class XSSProtectionFilter implements Filter {
- private static final String HEADER = "X-XSS-Protection";
- private static final String POLICY = "1; mode=block";
-
- private static final Logger logger = LoggerFactory.getLogger(XSSProtectionFilter.class);
-
- @Override
- public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
- throws IOException, ServletException {
-
- final HttpServletResponse response = (HttpServletResponse) resp;
- response.setHeader(HEADER, POLICY);
-
- filterChain.doFilter(req, resp);
- }
-
- @Override
- public void init(final FilterConfig config) {
- }
-
- @Override
- public void destroy() {
- }
-}
\ No newline at end of file
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/headers/HTTPHeaderFiltersTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/headers/HTTPHeaderFiltersTest.java
deleted file mode 100644
index b4fd0747fd..0000000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/headers/HTTPHeaderFiltersTest.java
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.headers;
-
-import org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter;
-import org.eclipse.jetty.servlet.FilterHolder;
-import org.eclipse.jetty.servlet.ServletHandler;
-import org.junit.Test;
-import org.mockito.Mockito;
-import org.springframework.mock.web.MockHttpServletResponse;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-import static org.junit.Assert.assertEquals;
-
-public class HTTPHeaderFiltersTest {
-
- @Test
- public void testCSPHeaderApplied() throws ServletException, IOException, Exception {
- // Arrange
-
- FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter());
-
- // Set up request
- HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
- MockHttpServletResponse mockResponse = new MockHttpServletResponse();
- FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
-
- // Action
- cspFilter.setServletHandler(new ServletHandler());
- cspFilter.start();
- cspFilter.initialize();
- cspFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
-
- // Verify
- assertEquals("frame-ancestors 'self'", mockResponse.getHeader("Content-Security-Policy"));
- }
-
- @Test
- public void testCSPHeaderAppliedOnlyOnce() throws ServletException, IOException, Exception {
- // Arrange
-
- FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter());
-
- // Set up request
- HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
- MockHttpServletResponse mockResponse = new MockHttpServletResponse();
- FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
-
- // Action
- cspFilter.setServletHandler(new ServletHandler());
- cspFilter.start();
- cspFilter.initialize();
- cspFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
- cspFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
-
- // Verify
- assertEquals("frame-ancestors 'self'", mockResponse.getHeader("Content-Security-Policy"));
- }
-
-
- @Test
- public void testXFrameOptionsHeaderApplied() throws ServletException, IOException, Exception {
- // Arrange
-
- FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter());
-
- // Set up request
- HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
- MockHttpServletResponse mockResponse = new MockHttpServletResponse();
- FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
-
- // Action
- xfoFilter.setServletHandler(new ServletHandler());
- xfoFilter.start();
- xfoFilter.initialize();
- xfoFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
-
- // Verify
- assertEquals("SAMEORIGIN", mockResponse.getHeader("X-Frame-Options"));
- }
-
- @Test
- public void testHSTSHeaderApplied() throws ServletException, IOException, Exception {
- // Arrange
-
- FilterHolder hstsFilter = new FilterHolder(new StrictTransportSecurityFilter());
-
- // Set up request
- HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
- MockHttpServletResponse mockResponse = new MockHttpServletResponse();
- FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
-
- // Action
- hstsFilter.setServletHandler(new ServletHandler());
- hstsFilter.start();
- hstsFilter.initialize();
- hstsFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
-
- // Verify
- assertEquals("max-age=31540000", mockResponse.getHeader("Strict-Transport-Security"));
- }
-
- @Test
- public void testXSSProtectionHeaderApplied() throws ServletException, IOException, Exception {
- // Arrange
-
- FilterHolder xssFilter = new FilterHolder(new XSSProtectionFilter());
-
- // Set up request
- HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
- MockHttpServletResponse mockResponse = new MockHttpServletResponse();
- FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
-
- // Action
- xssFilter.setServletHandler(new ServletHandler());
- xssFilter.start();
- xssFilter.initialize();
- xssFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
-
- // Verify
- assertEquals("1; mode=block", mockResponse.getHeader("X-XSS-Protection"));
- }
-
- @Test
- public void testXContentTypeOptionsHeaderApplied() throws Exception {
- // Arrange
- FilterHolder xContentTypeFilter = new FilterHolder(new XContentTypeOptionsFilter());
-
- HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
- MockHttpServletResponse mockResponse = new MockHttpServletResponse();
- FilterChain mockFilterChain = Mockito.mock(FilterChain.class);
-
- // Action
- xContentTypeFilter.setServletHandler(new ServletHandler());
- xContentTypeFilter.start();
- xContentTypeFilter.initialize();
- xContentTypeFilter.getFilter().doFilter(mockRequest, mockResponse, mockFilterChain);
-
- // Verify
- assertEquals("nosniff", mockResponse.getHeader("X-Content-Type-Options"));
- }
-}
\ No newline at end of file