Posted to commits@shiro.apache.org by fp...@apache.org on 2020/10/20 19:16:36 UTC

[shiro] branch 1.7.x updated (74d4cb6 -> 42f303f)

This is an automated email from the ASF dual-hosted git repository.

fpapon pushed a change to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/shiro.git.


    from 74d4cb6  Disable jsessionid URL rewriting by default
     new 243e892  SslFilter with HTTP Strict Transport Security (HSTS)
     new 434c86b  Added SslFilterTest Naming of variables
     new 42f303f  Test cases with EasyMock

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../apache/shiro/web/filter/authz/SslFilter.java   | 101 +++++++++++++++++++-
 .../shiro/web/filter/authz/SslFilterTest.java      | 102 +++++++++++++++++++++
 2 files changed, 201 insertions(+), 2 deletions(-)
 create mode 100644 web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java


[shiro] 03/03: Test cases with EasyMock

Posted by fp...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

fpapon pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/shiro.git

commit 42f303f2eca6f75dcb00ef7170c9ea25e979dddd
Author: Björn Raupach <ra...@e2n.de>
AuthorDate: Sun Jan 15 14:15:26 2017 +0100

    Test cases with EasyMock
---
 .../apache/shiro/web/filter/authz/SslFilter.java   |  9 +--
 .../shiro/web/filter/authz/SslFilterTest.java      | 82 ++++++++++++++++------
 2 files changed, 64 insertions(+), 27 deletions(-)

diff --git a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
index a5e9dde..73048b0 100644
--- a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
+++ b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
@@ -112,11 +112,11 @@ public class SslFilter extends PortFilter {
      */
     @Override
     protected void postHandle(ServletRequest request, ServletResponse response)  {
-        if (hsts.enabled) {
+        if (hsts.isEnabled()) {
             StringBuilder directives = new StringBuilder(64)
                     .append("max-age=").append(hsts.getMaxAge());
             
-            if (hsts.includeSubDomains) {
+            if (hsts.isIncludeSubDomains()) {
                 directives.append("; includeSubDomains");
             }
             
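Review bot: `postHandle` adds the Strict-Transport-Security header whenever HSTS is enabled, without checking that the response is leaving over TLS; RFC 6797 §7.2 requires an HSTS host not to include the header in responses conveyed over non-secure transport (conforming clients ignore it, so the risk is conformance and leaking configuration onto plain HTTP rather than a bypass). If `postHandle` also runs after an `onAccessDenied` redirect of a plain-HTTP request — I believe Shiro's `AdviceFilter` calls it regardless of the `preHandle` result, worth confirming — the header would be attached to that redirect. Guarding the condition, `if (hsts.isEnabled() && request.isSecure()) {`, keeps the header on HTTPS responses only. The same body appears in the third hunk of commit 01/03 and the second hunk of commit 02/03. `postHandle` continues past the end of this hunk.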
@@ -130,17 +130,18 @@ public class SslFilter extends PortFilter {
      */
     public class HSTS {
         
+        public static final String HTTP_HEADER = "Strict-Transport-Security";
+        
         public static final boolean DEFAULT_ENABLED = false;
         public static final int DEFAULT_MAX_AGE = 31536000; // approx. one year in seconds
         public static final boolean DEFAULT_INCLUDE_SUB_DOMAINS = false;
         
-        public static final String HTTP_HEADER = "Strict-Transport-Security";
-        
         private boolean enabled;
         private int maxAge;
         private boolean includeSubDomains;
         
         public HSTS() {
+            this.enabled = DEFAULT_ENABLED;
             this.maxAge = DEFAULT_MAX_AGE;
             this.includeSubDomains = DEFAULT_INCLUDE_SUB_DOMAINS;
         }
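Review bot: `HSTS` is declared as a non-static inner class (`public class HSTS {`), so every instance carries a hidden reference to its enclosing `SslFilter` and the type cannot be instantiated by name from configuration or tests without an enclosing instance, although it is a plain value holder of three properties. `public static class HSTS {` removes both issues and still works with `this.hsts = new HSTS()` in the filter constructor. The `static` constants such as `HTTP_HEADER` are only legal in an inner class because they are compile-time constants, so making the class static also removes that latent restriction. The class body continues past the end of this hunk.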
diff --git a/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java b/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java
index 4136329..2e1fe2f 100644
--- a/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java
+++ b/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java
@@ -18,49 +18,85 @@
  */
 package org.apache.shiro.web.filter.authz;
 
+import java.util.HashMap;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.junit.Test;
 
 import static org.apache.shiro.web.filter.authz.SslFilter.HSTS.*;
+import org.easymock.Capture;
+import org.easymock.CaptureType;
 import static org.easymock.EasyMock.*;
+import org.easymock.IAnswer;
 import static org.junit.Assert.*;
+import org.junit.Before;
 
 public class SslFilterTest {
+    
+    private HttpServletRequest request;
+    private HttpServletResponse response;
+    private SslFilter sslFilter;
+    
+    @Before
+    public void before() {
+        request = createNiceMock(HttpServletRequest.class);
+        response = createNiceMock(HttpServletResponse.class);
+        sslFilter = new SslFilter();
+        
+        final Map<String,String> headers = new HashMap<String,String>();
+        
+        final Capture<String> capturedName = newCapture();
+        final Capture<String> capturedValue = newCapture();
+        
+        // mock HttpServletResponse.getHeader
+        expect(response.getHeader(capture(capturedName))).andAnswer(new IAnswer<String>() {
+            @Override
+            public String answer() throws Throwable {
+                String name = capturedName.getValue();
+                return headers.get(name);
+            }
+            
+        });
+        
+        // mock HttpServletResponse.addHeader
+        response.addHeader(capture(capturedName), capture(capturedValue));
+        expectLastCall().andAnswer(new IAnswer<Void>() {
+            @Override
+            public Void answer() throws Throwable {
+                String name = capturedName.getValue();
+                String value = capturedValue.getValue();
+                headers.put(name, value);
+                return (null);
+            }
+        });
+        
+        replay(response);
+    }
 
     @Test
     public void testDisabledByDefault() {
-        HttpServletRequest request = createNiceMock(HttpServletRequest.class);
-        HttpServletResponse response = createNiceMock(HttpServletResponse.class);
-
-        SslFilter sslFilter = new SslFilter();
-
         sslFilter.postHandle(request, response);
         assertNull(response.getHeader(HTTP_HEADER));
     }
 
     @Test
     public void testDefaultValues() {
-        HttpServletRequest request = createNiceMock(HttpServletRequest.class);
-        HttpServletResponse response = createNiceMock(HttpServletResponse.class);
-
-//        String expected = new StringBuilder()
-//                .append(HTTP_HEADER)
-//                .append(": ")
-//                .append("max-age=")
-//                .append(DEFAULT_MAX_AGE)
-//                .toString();
-//        expect(response.addHeader(expected, expected))
-//                .andReturn(expected)
-//                .anyTimes();
-        replay(response);
-//        
-        SslFilter sslFilter = new SslFilter();
         sslFilter.getHsts().setEnabled(true);
-
         sslFilter.postHandle(request, response);
-
-        //assertEquals(expected, response.getHeader(HTTP_HEADER));
+        assertEquals("max-age=" + DEFAULT_MAX_AGE, response.getHeader(HTTP_HEADER));
     }
+    
+    @Test
+    public void testSetProperties() {
+        sslFilter.getHsts().setEnabled(true);
+        sslFilter.getHsts().setMaxAge(7776000);
+        sslFilter.getHsts().setIncludeSubDomains(true);
+        sslFilter.postHandle(request, response);
+        
+        String expected = "max-age=" + 7776000 + "; includeSubDomains";
 
+        assertEquals(expected, response.getHeader(HTTP_HEADER));
+    }
+    
 }
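Review bot: the two EasyMock expectations in `before()` (`expect(response.getHeader(...)).andAnswer(...)` and `expectLastCall().andAnswer(...)` for `addHeader`) default to exactly one invocation; on a nice mock a second call falls through to the default behaviour, so a filter that emitted the header twice, or a test that read it twice, would silently observe `null` rather than fail. Appending `.anyTimes()` to both answers, e.g. `}).anyTimes();`, makes the in-memory header map reflect every call. `request` is also never switched to replay state; `postHandle` does not touch it today, so `replay(request, response);` is a cheap way to keep it from silently recording calls should that change.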


[shiro] 01/03: SslFilter with HTTP Strict Transport Security (HSTS)

Posted by fp...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

fpapon pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/shiro.git

commit 243e8924420518348141644175fb3dbfe0335f47
Author: Björn Raupach <ra...@e2n.de>
AuthorDate: Tue Jan 10 10:03:36 2017 +0100

    SslFilter with HTTP Strict Transport Security (HSTS)
---
 .../apache/shiro/web/filter/authz/SslFilter.java   | 84 +++++++++++++++++++++-
 1 file changed, 82 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
index 3a6ab7a..d85bb23 100644
--- a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
+++ b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
@@ -20,6 +20,7 @@ package org.apache.shiro.web.filter.authz;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
 
 /**
  * Filter which requires a request to be over SSL.  Access is allowed if the request is received on the configured
@@ -30,21 +31,46 @@ import javax.servlet.ServletResponse;
  * The {@link #getPort() port} property defaults to {@code 443} and also additionally guarantees that the
  * request scheme is always 'https' (except for port 80, which retains the 'http' scheme).
  * <p/>
- * Example config:
+ * In addition the filter allows enabling HTTP Strict Transport Security (HSTS).
+ * This feature is opt-in and disabled by default. If enabled HSTS
+ * will prevent <b>any</b> communications from being sent over HTTP to the 
+ * specified domain and will instead send all communications over HTTPS.
+ * </p>
+ * <b>Warning:</b> Use this setting only if you plan to enable SSL on every path.
+ * </p>
+ * Example configs:
  * <pre>
  * [urls]
  * /secure/path/** = ssl
  * </pre>
- *
+ * with HSTS enabled
+ * <pre>
+ * [main]
+ * ssl.hsts.enabled = true
+ * [urls]
+ * /** = ssl
+ * </pre>
  * @since 1.0
+ * @see <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security (HSTS)</a>
  */
 public class SslFilter extends PortFilter {
 
     public static final int DEFAULT_HTTPS_PORT = 443;
     public static final String HTTPS_SCHEME = "https";
+    
+    private HSTS hsts;
 
     public SslFilter() {
         setPort(DEFAULT_HTTPS_PORT);
+        this.hsts = new HSTS();
+    }
+
+    public HSTS getHsts() {
+        return hsts;
+    }
+
+    public void setHsts(HSTS hsts) {
+        this.hsts = hsts;
     }
 
     @Override
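Review bot: `setHsts` stores whatever it is given, including `null`, while `postHandle` (in the third hunk) dereferences `hsts` unconditionally, so a misconfiguration would surface as a `NullPointerException` on the first response instead of at setup time; `this.hsts = Objects.requireNonNull(hsts, "hsts");` (with `java.util.Objects` imported) rejects it where it is introduced. The new `hsts` field and its `getHsts`/`setHsts` accessors have no Javadoc, unlike the class-level comment just above; a one-liner such as `/** HTTP Strict Transport Security settings applied by {@link #postHandle}; never {@code null}. */` would document the contract. The added Javadoc paragraphs are closed with `</p>` that has no matching `<p>`, whereas the surrounding text uses the self-closing `<p/>`; using `<p/>` throughout avoids doclint complaints about unbalanced tags.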
@@ -73,4 +99,58 @@ public class SslFilter extends PortFilter {
     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
         return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
     }
+
+    @Override
+    protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {
+        if (hsts.enabled) {
+            StringBuilder directives = new StringBuilder(64);
+            directives.append("max-age=").append(hsts.getMaxAge());
+            if (hsts.includeSubDomains) {
+                directives.append("; includeSubDomains");
+            }
+            HttpServletResponse resp = (HttpServletResponse) response;
+            resp.addHeader("Strict-Transport-Security", directives.toString());
+        }
+    }
+    
+    public class HSTS {
+        
+        static final boolean DEFAULT_ENABLED = false;
+        public static final int DEFAULT_EXPIRE_TIME = 31536000; // approx. one year in seconds
+        public static final boolean DEFAULT_INCLUDE_SUB_DOMAINS = false;
+        
+        private boolean enabled;
+        private int maxAge;
+        private boolean includeSubDomains;
+        
+        public HSTS() {
+            this.maxAge = DEFAULT_EXPIRE_TIME;
+            this.includeSubDomains = DEFAULT_INCLUDE_SUB_DOMAINS;
+        }
+
+        public boolean isEnabled() {
+            return enabled;
+        }
+
+        public void setEnabled(boolean enabled) {
+            this.enabled = enabled;
+        }
+
+        public int getMaxAge() {
+            return maxAge;
+        }
+
+        public void setMaxAge(int maxAge) {
+            this.maxAge = maxAge;
+        }
+
+        public boolean isIncludeSubDomains() {
+            return includeSubDomains;
+        }
+
+        public void setIncludeSubDomains(boolean includeSubDomains) {
+            this.includeSubDomains = includeSubDomains;
+        }
+        
+    }
 }
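Review bot: `setMaxAge` accepts any `int`, but `max-age` in RFC 6797 is a non-negative delta-seconds value, and a negative number yields a header such as `max-age=-1` that clients must treat as invalid and ignore, silently disabling HSTS for that host; rejecting it in the setter, `if (maxAge < 0) { throw new IllegalArgumentException("maxAge must be >= 0 seconds, got " + maxAge); }`, fails the configuration early instead. The `DEFAULT_EXPIRE_TIME` comment says "seconds" but the `setMaxAge`/`getMaxAge` accessors do not, so a Javadoc `@param maxAge lifetime of the HSTS policy in seconds` on the setter would keep callers from passing milliseconds. The unconditional `(HttpServletResponse) response` cast is the established pattern for Shiro web filters, but it deserves a `@throws ClassCastException` line once the method gets Javadoc.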


[shiro] 02/03: Added SslFilterTest Naming of variables

Posted by fp...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

fpapon pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/shiro.git

commit 434c86bd5d486710feddf79601fff35fec8e9378
Author: Björn Raupach <ra...@e2n.de>
AuthorDate: Sun Jan 15 13:02:32 2017 +0100

    Added SslFilterTest
    Naming of variables
---
 .../apache/shiro/web/filter/authz/SslFilter.java   | 34 ++++++++---
 .../shiro/web/filter/authz/SslFilterTest.java      | 66 ++++++++++++++++++++++
 2 files changed, 91 insertions(+), 9 deletions(-)

diff --git a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
index d85bb23..a5e9dde 100644
--- a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
+++ b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
@@ -36,7 +36,11 @@ import javax.servlet.http.HttpServletResponse;
  * will prevent <b>any</b> communications from being sent over HTTP to the 
  * specified domain and will instead send all communications over HTTPS.
  * </p>
- * <b>Warning:</b> Use this setting only if you plan to enable SSL on every path.
+ * The {@link #getMaxAge() maxAge} property defaults {@code 31536000}, and 
+ * {@link #isIncludeSubDomains includeSubDomains} is {@code false}.
+ * </p>
+ * <b>Warning:</b> Use this setting with care and only if you plan to enable 
+ * SSL on every path.
  * </p>
  * Example configs:
  * <pre>
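Review bot: the new Javadoc links `{@link #getMaxAge() maxAge}` and `{@link #isIncludeSubDomains includeSubDomains}` resolve against `SslFilter`, which has no such methods — they live on the nested `HSTS` class — so javadoc with doclint reports them as unresolved references. Qualify them as `{@link HSTS#getMaxAge() maxAge}` and `{@link HSTS#isIncludeSubDomains() includeSubDomains}`. The same sentence reads "defaults {@code 31536000}" where "defaults to" is meant, and its paragraphs are closed with `</p>` that has no opening `<p>`; `<p/>`, as used earlier in this comment, is the existing convention.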
@@ -100,31 +104,44 @@ public class SslFilter extends PortFilter {
         return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
     }
 
+    /**
+     * If HTTP Strict Transport Security (HSTS) is enabled the HTTP header
+     * will be written, otherwise this method does nothing.
+     * @param request the incoming {@code ServletRequest}
+     * @param response the outgoing {@code ServletResponse}
+     */
     @Override
-    protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {
+    protected void postHandle(ServletRequest request, ServletResponse response)  {
         if (hsts.enabled) {
-            StringBuilder directives = new StringBuilder(64);
-            directives.append("max-age=").append(hsts.getMaxAge());
+            StringBuilder directives = new StringBuilder(64)
+                    .append("max-age=").append(hsts.getMaxAge());
+            
             if (hsts.includeSubDomains) {
                 directives.append("; includeSubDomains");
             }
+            
             HttpServletResponse resp = (HttpServletResponse) response;
-            resp.addHeader("Strict-Transport-Security", directives.toString());
+            resp.addHeader(HSTS.HTTP_HEADER, directives.toString());
         }
     }
     
+    /**
+     * Helper class for HTTP Strict Transport Security (HSTS)
+     */
     public class HSTS {
         
-        static final boolean DEFAULT_ENABLED = false;
-        public static final int DEFAULT_EXPIRE_TIME = 31536000; // approx. one year in seconds
+        public static final boolean DEFAULT_ENABLED = false;
+        public static final int DEFAULT_MAX_AGE = 31536000; // approx. one year in seconds
         public static final boolean DEFAULT_INCLUDE_SUB_DOMAINS = false;
         
+        public static final String HTTP_HEADER = "Strict-Transport-Security";
+        
         private boolean enabled;
         private int maxAge;
         private boolean includeSubDomains;
         
         public HSTS() {
-            this.maxAge = DEFAULT_EXPIRE_TIME;
+            this.maxAge = DEFAULT_MAX_AGE;
             this.includeSubDomains = DEFAULT_INCLUDE_SUB_DOMAINS;
         }
 
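Review bot: the new Javadoc on `postHandle` does not mention that `response` is cast unconditionally to `HttpServletResponse`, so a caller passing any other `ServletResponse` gets a `ClassCastException` at `HttpServletResponse resp = (HttpServletResponse) response;`; adding `@throws ClassCastException if {@code response} is not an {@link HttpServletResponse}` and naming the header written, `{@value HSTS#HTTP_HEADER}`, would complete the contract. The `HSTS` Javadoc, "Helper class for HTTP Strict Transport Security (HSTS)", could also list the three properties (`enabled`, `maxAge` in seconds, `includeSubDomains`) with their defaults so users configuring `ssl.hsts.*` in INI need not read the source. The `HSTS` class body continues past the end of this hunk.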
@@ -151,6 +168,5 @@ public class SslFilter extends PortFilter {
         public void setIncludeSubDomains(boolean includeSubDomains) {
             this.includeSubDomains = includeSubDomains;
         }
-        
     }
 }
diff --git a/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java b/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java
new file mode 100644
index 0000000..4136329
--- /dev/null
+++ b/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.filter.authz;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.junit.Test;
+
+import static org.apache.shiro.web.filter.authz.SslFilter.HSTS.*;
+import static org.easymock.EasyMock.*;
+import static org.junit.Assert.*;
+
+public class SslFilterTest {
+
+    @Test
+    public void testDisabledByDefault() {
+        HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+        HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+        SslFilter sslFilter = new SslFilter();
+
+        sslFilter.postHandle(request, response);
+        assertNull(response.getHeader(HTTP_HEADER));
+    }
+
+    @Test
+    public void testDefaultValues() {
+        HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+        HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+//        String expected = new StringBuilder()
+//                .append(HTTP_HEADER)
+//                .append(": ")
+//                .append("max-age=")
+//                .append(DEFAULT_MAX_AGE)
+//                .toString();
+//        expect(response.addHeader(expected, expected))
+//                .andReturn(expected)
+//                .anyTimes();
+        replay(response);
+//        
+        SslFilter sslFilter = new SslFilter();
+        sslFilter.getHsts().setEnabled(true);
+
+        sslFilter.postHandle(request, response);
+
+        //assertEquals(expected, response.getHeader(HTTP_HEADER));
+    }
+
+}