Class HttpHeaderSecurityFilter

  • All Implemented Interfaces:
    Filter

    public class HttpHeaderSecurityFilter
    extends FilterBase
    Provides a single configuration point for security measures that required the addition of one or more HTTP headers to the response.
    • Field Summary

      • Fields inherited from class org.apache.catalina.filters.FilterBase

        sm
    • Constructor Summary

      Constructors 
      Constructor Description
      HttpHeaderSecurityFilter()
      Creates a new instance of the filter.
    • Method Summary

      All Methods Instance Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      void doFilter​(ServletRequest request, ServletResponse response, FilterChain chain)
      The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
      java.lang.String getAntiClickJackingOption()
      Returns the X-Frame-Options value.
      java.lang.String getAntiClickJackingUri()
      Returns the URI used with the ALLOW_FROM X-Frame-Options directive.
      int getHstsMaxAgeSeconds()
      Returns the maximum age in seconds for the HSTS header.
      protected Log getLogger()
      Returns the logger for this filter.
      void init​(FilterConfig filterConfig)
      Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
      boolean isAntiClickJackingEnabled()
      Returns whether anti-click-jacking protection is enabled.
      boolean isBlockContentTypeSniffingEnabled()
      Returns whether content type sniffing protection is enabled.
      protected boolean isConfigProblemFatal()
      Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter which in turn will prevent the web application from starting.
      boolean isHstsEnabled()
      Returns whether HSTS is enabled.
      boolean isHstsIncludeSubDomains()
      Returns whether subdomains are included in the HSTS header.
      boolean isHstsPreload()
      Returns whether the preload directive is included in the HSTS header.
      boolean isXssProtectionEnabled()
      Deprecated.
      void setAntiClickJackingEnabled​(boolean antiClickJackingEnabled)
      Enables or disables anti-click-jacking protection.
      void setAntiClickJackingOption​(java.lang.String antiClickJackingOption)
      Sets the X-Frame-Options value for click-jacking protection.
      void setAntiClickJackingUri​(java.lang.String antiClickJackingUri)
      Sets the URI used with the ALLOW_FROM X-Frame-Options directive.
      void setBlockContentTypeSniffingEnabled​(boolean blockContentTypeSniffingEnabled)
      Enables or disables content type sniffing protection.
      void setHstsEnabled​(boolean hstsEnabled)
      Enables or disables HSTS.
      void setHstsIncludeSubDomains​(boolean hstsIncludeSubDomains)
      Sets whether subdomains should be included in the HSTS header.
      void setHstsMaxAgeSeconds​(int hstsMaxAgeSeconds)
      Sets the maximum age in seconds for the HSTS header.
      void setHstsPreload​(boolean hstsPreload)
      Sets whether the preload directive should be included in the HSTS header.
      void setXssProtectionEnabled​(boolean xssProtectionEnabled)
      Deprecated.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • HttpHeaderSecurityFilter

        public HttpHeaderSecurityFilter()
        Creates a new instance of the filter.
    • Method Detail

      • init

        public void init​(FilterConfig filterConfig)
                  throws ServletException
        Description copied from class: FilterBase
        Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
        Specified by:
        init in interface Filter
        Overrides:
        init in class FilterBase
        Parameters:
        filterConfig - The configuration information associated with the filter instance being initialised
        Throws:
        ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter
      • doFilter

        public void doFilter​(ServletRequest request,
                             ServletResponse response,
                             FilterChain chain)
                      throws java.io.IOException,
                             ServletException
        Description copied from interface: jakarta.servlet.Filter
        The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

        A typical implementation of this method would follow the following pattern:-
        1. Examine the request
        2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
        3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
        4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
        4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
        5. Directly set headers on the response after invocation of the next entity in the filter chain.

        Parameters:
        request - The request to process
        response - The response associated with the request
        chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
        Throws:
        java.io.IOException - if an I/O error occurs during this filter's processing of the request
        ServletException - if the processing fails for any other reason
      • getLogger

        protected Log getLogger()
        Description copied from class: FilterBase
        Returns the logger for this filter.
        Specified by:
        getLogger in class FilterBase
        Returns:
        the logger
      • isConfigProblemFatal

        protected boolean isConfigProblemFatal()
        Description copied from class: FilterBase
        Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter which in turn will prevent the web application from starting.
        Overrides:
        isConfigProblemFatal in class FilterBase
        Returns:
        true if a problem should trigger the failure of this filter, else false
      • isHstsEnabled

        public boolean isHstsEnabled()
        Returns whether HSTS is enabled.
        Returns:
        true if HSTS is enabled
      • setHstsEnabled

        public void setHstsEnabled​(boolean hstsEnabled)
        Enables or disables HSTS.
        Parameters:
        hstsEnabled - true to enable HSTS
      • getHstsMaxAgeSeconds

        public int getHstsMaxAgeSeconds()
        Returns the maximum age in seconds for the HSTS header.
        Returns:
        the maximum age in seconds
      • setHstsMaxAgeSeconds

        public void setHstsMaxAgeSeconds​(int hstsMaxAgeSeconds)
        Sets the maximum age in seconds for the HSTS header.
        Parameters:
        hstsMaxAgeSeconds - the maximum age in seconds
      • isHstsIncludeSubDomains

        public boolean isHstsIncludeSubDomains()
        Returns whether subdomains are included in the HSTS header.
        Returns:
        true if subdomains are included
      • setHstsIncludeSubDomains

        public void setHstsIncludeSubDomains​(boolean hstsIncludeSubDomains)
        Sets whether subdomains should be included in the HSTS header.
        Parameters:
        hstsIncludeSubDomains - true to include subdomains
      • isHstsPreload

        public boolean isHstsPreload()
        Returns whether the preload directive is included in the HSTS header.
        Returns:
        true if preload is enabled
      • setHstsPreload

        public void setHstsPreload​(boolean hstsPreload)
        Sets whether the preload directive should be included in the HSTS header.
        Parameters:
        hstsPreload - true to include preload
      • isAntiClickJackingEnabled

        public boolean isAntiClickJackingEnabled()
        Returns whether anti-click-jacking protection is enabled.
        Returns:
        true if anti-click-jacking is enabled
      • setAntiClickJackingEnabled

        public void setAntiClickJackingEnabled​(boolean antiClickJackingEnabled)
        Enables or disables anti-click-jacking protection.
        Parameters:
        antiClickJackingEnabled - true to enable anti-click-jacking
      • getAntiClickJackingOption

        public java.lang.String getAntiClickJackingOption()
        Returns the X-Frame-Options value.
        Returns:
        the X-Frame-Options value
      • setAntiClickJackingOption

        public void setAntiClickJackingOption​(java.lang.String antiClickJackingOption)
        Sets the X-Frame-Options value for click-jacking protection.
        Parameters:
        antiClickJackingOption - the X-Frame-Options value (DENY, SAMEORIGIN, or ALLOW-FROM)
      • getAntiClickJackingUri

        public java.lang.String getAntiClickJackingUri()
        Returns the URI used with the ALLOW_FROM X-Frame-Options directive.
        Returns:
        the ALLOW_FROM URI
      • isBlockContentTypeSniffingEnabled

        public boolean isBlockContentTypeSniffingEnabled()
        Returns whether content type sniffing protection is enabled.
        Returns:
        true if content type sniffing protection is enabled
      • setBlockContentTypeSniffingEnabled

        public void setBlockContentTypeSniffingEnabled​(boolean blockContentTypeSniffingEnabled)
        Enables or disables content type sniffing protection.
        Parameters:
        blockContentTypeSniffingEnabled - true to enable protection
      • setAntiClickJackingUri

        public void setAntiClickJackingUri​(java.lang.String antiClickJackingUri)
        Sets the URI used with the ALLOW_FROM X-Frame-Options directive.
        Parameters:
        antiClickJackingUri - the URI for ALLOW_FROM
      • isXssProtectionEnabled

        @Deprecated
        public boolean isXssProtectionEnabled()
        Deprecated.
      • setXssProtectionEnabled

        @Deprecated
        public void setXssProtectionEnabled​(boolean xssProtectionEnabled)
        Deprecated.