
Add SameSite cookie and Content Security Policy header

Signed-off-by: Pekka Helenius <fincer89@hotmail.com>
v0.0.4-alpha
Pekka Helenius 4 years ago
parent
commit
a9102319b8
2 changed files with 45 additions and 0 deletions
  1. +6
    -0
      bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
  2. +39
    -0
      bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java

+ 6
- 0
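--- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
@@ -17,7 +17,9 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import com.fjordtek.bookstore.service.session.BookSameSiteCookieFilter;
 import com.fjordtek.bookstore.service.session.BookStoreAccessDeniedHandler;
 import com.fjordtek.bookstore.service.session.BookStoreAuthenticationFailureHandler;
 import com.fjordtek.bookstore.service.session.BookStoreAuthenticationSuccessHandler;
@@ -119,6 +121,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 * public access to it is denied by default.
 */
 httpSecurity
+.addFilterAfter(new BookSameSiteCookieFilter(), BasicAuthenticationFilter.class)
 .authorizeRequests()
 .antMatchers(
 env.getProperty("spring.h2.console.path") + "/**",
@@ -163,6 +166,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 .and()
 .headers()
 .frameOptions().sameOrigin()
+// .contentTypeOptions().disable()
+.contentSecurityPolicy("frame-ancestors 'self'")
 ;
 }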
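Review bot: The policy on the `.contentSecurityPolicy("frame-ancestors 'self'")` line only governs framing, which `.frameOptions().sameOrigin()` on the line above already enforces for older browsers, so despite the commit title no `default-src` or `script-src` directive is set and script, style or object loading is not restricted at all. If a framing-only policy is the intent, document it so nobody assumes XSS coverage later: `// CSP deliberately limited to frame-ancestors (CSP-aware equivalent of frameOptions().sameOrigin()); no default-src/script-src is set, so script loading is not restricted.` The commented-out `.contentTypeOptions().disable()` line should be deleted rather than left as dead code; if it records a decision, turn it into a why-comment. The enclosing configure method starts outside this hunk, and the `addFilterAfter(new BookSameSiteCookieFilter(), ...)` registration in the earlier hunk only helps if that filter actually tags the cookies (see the note on BookSameSiteCookieFilter.java).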


+ 39
- 0
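--- /dev/null
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/service/session/BookSameSiteCookieFilter.java
@@ -0,0 +1,39 @@
+//Pekka Helenius <fincer89@hotmail.com>, Fjordtek 2020
+package com.fjordtek.bookstore.service.session;
+import java.io.IOException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.web.filter.GenericFilterBean;
+/**
+*
+* @see https://owasp.org/www-community/SameSite
+* @see https://docs.microsoft.com/en-us/previous-versions//ms533046%28v=vs.85%29?redirectedfrom=MSDN#protecting-data-with-http-only-cookies
+*
+* @author Pekka Helenius
+*/
+public class BookSameSiteCookieFilter extends GenericFilterBean {
+@Override
+public void doFilter(
+ServletRequest requestData,
+ServletResponse responseData,
+FilterChain chain)
+throws IOException, ServletException {
+HttpServletResponse httpResponse = (HttpServletResponse) responseData;
+httpResponse.setHeader("Set-Cookie", "HttpOnly; SameSite=strict;");
+chain.doFilter(requestData, responseData);
+}
+}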
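Review bot: `httpResponse.setHeader("Set-Cookie", "HttpOnly; SameSite=strict;")` emits a Set-Cookie value with no `name=value` pair, which RFC 6265 clients ignore outright, and it runs before `chain.doFilter`, so any cookie actually created downstream (the session cookie, for instance) is a separate header that never receives the attribute; `setHeader` would also replace any Set-Cookie already present at that point. SameSite and HttpOnly are per-cookie attributes, so they have to be appended to each real Set-Cookie value after the chain has run and only while the response is still uncommitted, as sketched below (requires `java.util.List` and `java.util.ArrayList` imports); configuring SameSite at the servlet-container level is the more reliable route and worth considering instead of a filter. The class Javadoc also lacks a summary sentence; `Appends SameSite=Strict to every Set-Cookie header written by downstream filters and servlets.` would describe the corrected behaviour.
```java
chain.doFilter(requestData, responseData);
// Cookies are added downstream (e.g. the session cookie), so the attribute is
// appended to each real Set-Cookie value afterwards. Header changes are silently
// dropped once the response is committed, so this is best-effort.
if (!httpResponse.isCommitted()) {
    List<String> cookies = new ArrayList<>(httpResponse.getHeaders("Set-Cookie"));
    boolean first = true;
    for (String cookie : cookies) {
        String value = cookie.contains("SameSite=") ? cookie : cookie + "; SameSite=Strict";
        if (first) {
            httpResponse.setHeader("Set-Cookie", value);
            first = false;
        } else {
            httpResponse.addHeader("Set-Cookie", value);
        }
    }
}
```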
