1
|
|
|
package org.apereo.cas.configuration.model.core.web.security; |
2
|
|
|
|
3
|
|
|
import org.apereo.cas.configuration.support.RequiresModule; |
4
|
|
|
|
5
|
|
|
import java.io.Serializable; |
6
|
|
|
import java.nio.charset.StandardCharsets; |
7
|
|
|
import java.util.ArrayList; |
8
|
|
|
import java.util.List; |
9
|
|
|
|
10
|
|
|
/** |
11
|
|
|
* This is {@link HttpWebRequestProperties}. |
12
|
|
|
* |
13
|
|
|
* @author Misagh Moayyed |
14
|
|
|
* @since 5.0.0 |
15
|
|
|
*/ |
16
|
|
|
@RequiresModule(name = "cas-server-core-web", automated = true) |
17
|
|
|
public class HttpWebRequestProperties implements Serializable { |
18
|
|
|
|
19
|
|
|
private static final long serialVersionUID = -5175966163542099866L; |
20
|
|
|
/** |
21
|
|
|
* Whether CAS should accept multi-valued parameters |
22
|
|
|
* in incoming requests. Example block would to prevent |
23
|
|
|
* requests where more than one {@code service} parameter is specified. |
24
|
|
|
*/ |
25
|
|
|
private boolean allowMultiValueParameters; |
26
|
|
|
/** |
27
|
|
|
* Parameters that are only allowed and accepted during posts. |
28
|
|
|
*/ |
29
|
|
|
private String onlyPostParams = "username,password"; |
30
|
|
|
|
31
|
|
|
/** |
32
|
|
|
* Parameters to sanitize and cross-check in incoming requests. |
33
|
|
|
* The special value * instructs the Filter to check all parameters. |
34
|
|
|
*/ |
35
|
|
|
private String paramsToCheck = |
36
|
|
|
"ticket,service,renew,gateway,warn,method,target,SAMLart," |
37
|
|
|
+ "pgtUrl,pgt,pgtId,pgtIou,targetService,entityId,token"; |
38
|
|
|
|
39
|
|
|
/** |
40
|
|
|
* Control http request settings. |
41
|
|
|
*/ |
42
|
|
|
private Web web = new Web(); |
43
|
|
|
/** |
44
|
|
|
* Enforce request header options and security settings. |
45
|
|
|
*/ |
46
|
|
|
private Header header = new Header(); |
47
|
|
|
/** |
48
|
|
|
* Control CORS settings for requests. |
49
|
|
|
*/ |
50
|
|
|
private Cors cors = new Cors(); |
51
|
|
|
|
52
|
|
|
public boolean isAllowMultiValueParameters() { |
53
|
|
|
return allowMultiValueParameters; |
54
|
|
|
} |
55
|
|
|
|
56
|
|
|
public void setAllowMultiValueParameters(final boolean allowMultiValueParameters) { |
57
|
|
|
this.allowMultiValueParameters = allowMultiValueParameters; |
58
|
|
|
} |
59
|
|
|
|
60
|
|
|
public String getOnlyPostParams() { |
61
|
|
|
return onlyPostParams; |
62
|
|
|
} |
63
|
|
|
|
64
|
|
|
public void setOnlyPostParams(final String onlyPostParams) { |
65
|
|
|
this.onlyPostParams = onlyPostParams; |
66
|
|
|
} |
67
|
|
|
|
68
|
|
|
public String getParamsToCheck() { |
69
|
|
|
return paramsToCheck; |
70
|
|
|
} |
71
|
|
|
|
72
|
|
|
public void setParamsToCheck(final String paramsToCheck) { |
73
|
|
|
this.paramsToCheck = paramsToCheck; |
74
|
|
|
} |
75
|
|
|
|
76
|
|
|
public Cors getCors() { |
77
|
|
|
return cors; |
78
|
|
|
} |
79
|
|
|
|
80
|
|
|
public void setCors(final Cors cors) { |
81
|
|
|
this.cors = cors; |
82
|
|
|
} |
83
|
|
|
|
84
|
|
|
public Web getWeb() { |
85
|
|
|
return web; |
86
|
|
|
} |
87
|
|
|
|
88
|
|
|
public void setWeb(final Web web) { |
89
|
|
|
this.web = web; |
90
|
|
|
} |
91
|
|
|
|
92
|
|
|
public Header getHeader() { |
93
|
|
|
return header; |
94
|
|
|
} |
95
|
|
|
|
96
|
|
|
public void setHeader(final Header header) { |
97
|
|
|
this.header = header; |
98
|
|
|
} |
99
|
|
|
|
100
|
|
|
public static class Web implements Serializable { |
101
|
|
|
private static final long serialVersionUID = -4711604991237695091L; |
102
|
|
|
/** |
103
|
|
|
* Control and specify the encoding for all http requests. |
104
|
|
|
*/ |
105
|
|
|
private String encoding = StandardCharsets.UTF_8.name(); |
106
|
|
|
/** |
107
|
|
|
* Whether specified encoding should be forced for every request. |
108
|
|
|
* Whether the specified encoding is supposed to |
109
|
|
|
* override existing request and response encodings |
110
|
|
|
*/ |
111
|
|
|
private boolean forceEncoding = true; |
112
|
|
|
|
113
|
|
|
public String getEncoding() { |
114
|
|
|
return encoding; |
115
|
|
|
} |
116
|
|
|
|
117
|
|
|
public void setEncoding(final String encoding) { |
118
|
|
|
this.encoding = encoding; |
119
|
|
|
} |
120
|
|
|
|
121
|
|
|
public boolean isForceEncoding() { |
122
|
|
|
return forceEncoding; |
123
|
|
|
} |
124
|
|
|
|
125
|
|
|
public void setForceEncoding(final boolean forceEncoding) { |
126
|
|
|
this.forceEncoding = forceEncoding; |
127
|
|
|
} |
128
|
|
|
} |
129
|
|
|
|
130
|
|
|
public static class Cors implements Serializable { |
131
|
|
|
private static final long serialVersionUID = 5938828345939769185L; |
132
|
|
|
/** |
133
|
|
|
* Whether CORS should be enabled for http requests. |
134
|
|
|
*/ |
135
|
|
|
private boolean enabled; |
136
|
|
|
|
137
|
|
|
/** |
138
|
|
|
* The Access-Control-Allow-Credentials header Indicates |
139
|
|
|
* whether or not the response to the request can be exposed |
140
|
|
|
* when the credentials flag is true. When used as part of a |
141
|
|
|
* response to a preflight request, this indicates whether |
142
|
|
|
* or not the actual request can be made using credentials. |
143
|
|
|
* Note that simple GET requests are not preflighted, and so |
144
|
|
|
* if a request is made for a resource with credentials, if this |
145
|
|
|
* header is not returned with the resource, the response is ignored |
146
|
|
|
* by the browser and not returned to web content. |
147
|
|
|
*/ |
148
|
|
|
private boolean allowCredentials = true; |
149
|
|
|
/** |
150
|
|
|
* The Origin header indicates the origin of the cross-site access request or preflight request. |
151
|
|
|
* The origin is a URI indicating the server from which the request initiated. |
152
|
|
|
* It does not include any path information, but only the server name. |
153
|
|
|
*/ |
154
|
|
|
private List<String> allowOrigins = new ArrayList<>(); |
155
|
|
|
/** |
156
|
|
|
* The Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. |
157
|
|
|
* This is used in response to a preflight request. |
158
|
|
|
* The conditions under which a request is preflighted are discussed above. |
159
|
|
|
* Default is everything. |
160
|
|
|
*/ |
161
|
|
|
private List<String> allowMethods = new ArrayList<>(); |
162
|
|
|
/** |
163
|
|
|
* The Access-Control-Allow-Headers header is used in response to a preflight |
164
|
|
|
* request to indicate which HTTP headers can be used when making the actual request. |
165
|
|
|
* Default is everything. |
166
|
|
|
*/ |
167
|
|
|
private List<String> allowHeaders = new ArrayList<>(); |
168
|
|
|
/** |
169
|
|
|
* The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached. |
170
|
|
|
*/ |
171
|
|
|
private long maxAge = 3_600; |
172
|
|
|
/** |
173
|
|
|
* The Access-Control-Expose-Headers header lets a server whitelist headers that browsers are allowed to access. |
174
|
|
|
*/ |
175
|
|
|
private List<String> exposedHeaders = new ArrayList<>(); |
176
|
|
|
|
177
|
|
|
public Cors() { |
178
|
|
|
this.allowMethods.add("*"); |
179
|
|
|
this.allowHeaders.add("*"); |
180
|
|
|
} |
181
|
|
|
|
182
|
|
|
public boolean isEnabled() { |
183
|
|
|
return enabled; |
184
|
|
|
} |
185
|
|
|
|
186
|
|
|
public void setEnabled(final boolean enabled) { |
187
|
|
|
this.enabled = enabled; |
188
|
|
|
} |
189
|
|
|
|
190
|
|
|
public boolean isAllowCredentials() { |
191
|
|
|
return allowCredentials; |
192
|
|
|
} |
193
|
|
|
|
194
|
|
|
public void setAllowCredentials(final boolean allowCredentials) { |
195
|
|
|
this.allowCredentials = allowCredentials; |
196
|
|
|
} |
197
|
|
|
|
198
|
|
|
public List<String> getAllowOrigins() { |
199
|
|
|
return allowOrigins; |
200
|
|
|
} |
201
|
|
|
|
202
|
|
|
public void setAllowOrigins(final List<String> allowOrigins) { |
203
|
|
|
this.allowOrigins = allowOrigins; |
204
|
|
|
} |
205
|
|
|
|
206
|
|
|
public List<String> getAllowMethods() { |
207
|
|
|
return allowMethods; |
208
|
|
|
} |
209
|
|
|
|
210
|
|
|
public void setAllowMethods(final List<String> allowMethods) { |
211
|
|
|
this.allowMethods = allowMethods; |
212
|
|
|
} |
213
|
|
|
|
214
|
|
|
public List<String> getAllowHeaders() { |
215
|
|
|
return allowHeaders; |
216
|
|
|
} |
217
|
|
|
|
218
|
|
|
public void setAllowHeaders(final List<String> allowHeaders) { |
219
|
|
|
this.allowHeaders = allowHeaders; |
220
|
|
|
} |
221
|
|
|
|
222
|
|
|
public long getMaxAge() { |
223
|
|
|
return maxAge; |
224
|
|
|
} |
225
|
|
|
|
226
|
|
|
public void setMaxAge(final long maxAge) { |
227
|
|
|
this.maxAge = maxAge; |
228
|
|
|
} |
229
|
|
|
|
230
|
|
|
public List<String> getExposedHeaders() { |
231
|
|
|
return exposedHeaders; |
232
|
|
|
} |
233
|
|
|
|
234
|
|
|
public void setExposedHeaders(final List<String> exposedHeaders) { |
235
|
|
|
this.exposedHeaders = exposedHeaders; |
236
|
|
|
} |
237
|
|
|
} |
238
|
|
|
|
239
|
|
|
public static class Header implements Serializable { |
240
|
|
|
private static final long serialVersionUID = 5993704062519851359L; |
241
|
|
|
/** |
242
|
|
|
* When true, will inject the following headers into the response for non-static resources. |
243
|
|
|
* <pre> |
244
|
|
|
* Cache-Control: no-cache, no-store, max-age=0, must-revalidate |
245
|
|
|
* Pragma: no-cache |
246
|
|
|
* Expires: 0 |
247
|
|
|
* </pre> |
248
|
|
|
*/ |
249
|
|
|
private boolean cache = true; |
250
|
|
|
/** |
251
|
|
|
* When true, will inject the following headers into the response: |
252
|
|
|
* {@code Strict-Transport-Security: max-age=15768000 ; includeSubDomains}. |
253
|
|
|
*/ |
254
|
|
|
private boolean hsts = true; |
255
|
|
|
/** |
256
|
|
|
* When true, will inject the following headers into the response: {@code X-Frame-Options: DENY}. |
257
|
|
|
*/ |
258
|
|
|
private boolean xframe = true; |
259
|
|
|
/** |
260
|
|
|
* When true, will inject the following headers into the response: {@code X-Content-Type-Options: nosniff}. |
261
|
|
|
*/ |
262
|
|
|
private boolean xcontent = true; |
263
|
|
|
/** |
264
|
|
|
* When true, will inject the following headers into the response: {@code X-XSS-Protection: 1; mode=block}. |
265
|
|
|
*/ |
266
|
|
|
private boolean xss = true; |
267
|
|
|
|
268
|
|
|
/** |
269
|
|
|
* Helps you reduce XSS risks on modern browsers by declaring what dynamic |
270
|
|
|
* resources are allowed to load via a HTTP Header. |
271
|
|
|
* Header value is made up of one or more directives. |
272
|
|
|
* Multiple directives are separated with a semicolon. |
273
|
|
|
*/ |
274
|
|
|
private String contentSecurityPolicy; |
275
|
|
|
|
276
|
|
|
public boolean isCache() { |
277
|
|
|
return cache; |
278
|
|
|
} |
279
|
|
|
|
280
|
|
|
public void setCache(final boolean cache) { |
281
|
|
|
this.cache = cache; |
282
|
|
|
} |
283
|
|
|
|
284
|
|
|
public boolean isHsts() { |
285
|
|
|
return hsts; |
286
|
|
|
} |
287
|
|
|
|
288
|
|
|
public void setHsts(final boolean hsts) { |
289
|
|
|
this.hsts = hsts; |
290
|
|
|
} |
291
|
|
|
|
292
|
|
|
public boolean isXframe() { |
293
|
|
|
return xframe; |
294
|
|
|
} |
295
|
|
|
|
296
|
|
|
public void setXframe(final boolean xframe) { |
297
|
|
|
this.xframe = xframe; |
298
|
|
|
} |
299
|
|
|
|
300
|
|
|
public boolean isXcontent() { |
301
|
|
|
return xcontent; |
302
|
|
|
} |
303
|
|
|
|
304
|
|
|
public void setXcontent(final boolean xcontent) { |
305
|
|
|
this.xcontent = xcontent; |
306
|
|
|
} |
307
|
|
|
|
308
|
|
|
public boolean isXss() { |
309
|
|
|
return xss; |
310
|
|
|
} |
311
|
|
|
|
312
|
|
|
public void setXss(final boolean xss) { |
313
|
|
|
this.xss = xss; |
314
|
|
|
} |
315
|
|
|
|
316
|
|
|
public String getContentSecurityPolicy() { |
317
|
|
|
return contentSecurityPolicy; |
318
|
|
|
} |
319
|
|
|
|
320
|
|
|
public void setContentSecurityPolicy(final String contentSecurityPolicy) { |
321
|
|
|
this.contentSecurityPolicy = contentSecurityPolicy; |
322
|
|
|
} |
323
|
|
|
} |
324
|
|
|
|
325
|
|
|
} |
326
|
|
|
|