|
1
|
|
|
package org.apereo.cas.configuration.model.core.web.security; |
|
2
|
|
|
|
|
3
|
|
|
import org.apereo.cas.configuration.support.RequiresModule; |
|
4
|
|
|
|
|
5
|
|
|
import java.io.Serializable; |
|
6
|
|
|
import java.nio.charset.StandardCharsets; |
|
7
|
|
|
import java.util.ArrayList; |
|
8
|
|
|
import java.util.List; |
|
9
|
|
|
|
|
10
|
|
|
/** |
|
11
|
|
|
* This is {@link HttpWebRequestProperties}. |
|
12
|
|
|
* |
|
13
|
|
|
* @author Misagh Moayyed |
|
14
|
|
|
* @since 5.0.0 |
|
15
|
|
|
*/ |
|
16
|
|
|
@RequiresModule(name = "cas-server-core-web", automated = true) |
|
17
|
|
|
public class HttpWebRequestProperties implements Serializable { |
|
18
|
|
|
|
|
19
|
|
|
private static final long serialVersionUID = -5175966163542099866L; |
|
20
|
|
|
/** |
|
21
|
|
|
* Whether CAS should accept multi-valued parameters |
|
22
|
|
|
* in incoming requests. Example block would to prevent |
|
23
|
|
|
* requests where more than one {@code service} parameter is specified. |
|
24
|
|
|
*/ |
|
25
|
|
|
private boolean allowMultiValueParameters; |
|
26
|
|
|
/** |
|
27
|
|
|
* Parameters that are only allowed and accepted during posts. |
|
28
|
|
|
*/ |
|
29
|
|
|
private String onlyPostParams = "username,password"; |
|
30
|
|
|
|
|
31
|
|
|
/** |
|
32
|
|
|
* Parameters to sanitize and cross-check in incoming requests. |
|
33
|
|
|
* The special value * instructs the Filter to check all parameters. |
|
34
|
|
|
*/ |
|
35
|
|
|
private String paramsToCheck = |
|
36
|
|
|
"ticket,service,renew,gateway,warn,method,target,SAMLart," |
|
37
|
|
|
+ "pgtUrl,pgt,pgtId,pgtIou,targetService,entityId,token"; |
|
38
|
|
|
|
|
39
|
|
|
/** |
|
40
|
|
|
* Control http request settings. |
|
41
|
|
|
*/ |
|
42
|
|
|
private Web web = new Web(); |
|
43
|
|
|
/** |
|
44
|
|
|
* Enforce request header options and security settings. |
|
45
|
|
|
*/ |
|
46
|
|
|
private Header header = new Header(); |
|
47
|
|
|
/** |
|
48
|
|
|
* Control CORS settings for requests. |
|
49
|
|
|
*/ |
|
50
|
|
|
private Cors cors = new Cors(); |
|
51
|
|
|
|
|
52
|
|
|
public boolean isAllowMultiValueParameters() { |
|
53
|
|
|
return allowMultiValueParameters; |
|
54
|
|
|
} |
|
55
|
|
|
|
|
56
|
|
|
public void setAllowMultiValueParameters(final boolean allowMultiValueParameters) { |
|
57
|
|
|
this.allowMultiValueParameters = allowMultiValueParameters; |
|
58
|
|
|
} |
|
59
|
|
|
|
|
60
|
|
|
public String getOnlyPostParams() { |
|
61
|
|
|
return onlyPostParams; |
|
62
|
|
|
} |
|
63
|
|
|
|
|
64
|
|
|
public void setOnlyPostParams(final String onlyPostParams) { |
|
65
|
|
|
this.onlyPostParams = onlyPostParams; |
|
66
|
|
|
} |
|
67
|
|
|
|
|
68
|
|
|
public String getParamsToCheck() { |
|
69
|
|
|
return paramsToCheck; |
|
70
|
|
|
} |
|
71
|
|
|
|
|
72
|
|
|
public void setParamsToCheck(final String paramsToCheck) { |
|
73
|
|
|
this.paramsToCheck = paramsToCheck; |
|
74
|
|
|
} |
|
75
|
|
|
|
|
76
|
|
|
public Cors getCors() { |
|
77
|
|
|
return cors; |
|
78
|
|
|
} |
|
79
|
|
|
|
|
80
|
|
|
public void setCors(final Cors cors) { |
|
81
|
|
|
this.cors = cors; |
|
82
|
|
|
} |
|
83
|
|
|
|
|
84
|
|
|
public Web getWeb() { |
|
85
|
|
|
return web; |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
|
|
public void setWeb(final Web web) { |
|
89
|
|
|
this.web = web; |
|
90
|
|
|
} |
|
91
|
|
|
|
|
92
|
|
|
public Header getHeader() { |
|
93
|
|
|
return header; |
|
94
|
|
|
} |
|
95
|
|
|
|
|
96
|
|
|
public void setHeader(final Header header) { |
|
97
|
|
|
this.header = header; |
|
98
|
|
|
} |
|
99
|
|
|
|
|
100
|
|
|
public static class Web implements Serializable { |
|
101
|
|
|
private static final long serialVersionUID = -4711604991237695091L; |
|
102
|
|
|
/** |
|
103
|
|
|
* Control and specify the encoding for all http requests. |
|
104
|
|
|
*/ |
|
105
|
|
|
private String encoding = StandardCharsets.UTF_8.name(); |
|
106
|
|
|
/** |
|
107
|
|
|
* Whether specified encoding should be forced for every request. |
|
108
|
|
|
* Whether the specified encoding is supposed to |
|
109
|
|
|
* override existing request and response encodings |
|
110
|
|
|
*/ |
|
111
|
|
|
private boolean forceEncoding = true; |
|
112
|
|
|
|
|
113
|
|
|
public String getEncoding() { |
|
114
|
|
|
return encoding; |
|
115
|
|
|
} |
|
116
|
|
|
|
|
117
|
|
|
public void setEncoding(final String encoding) { |
|
118
|
|
|
this.encoding = encoding; |
|
119
|
|
|
} |
|
120
|
|
|
|
|
121
|
|
|
public boolean isForceEncoding() { |
|
122
|
|
|
return forceEncoding; |
|
123
|
|
|
} |
|
124
|
|
|
|
|
125
|
|
|
public void setForceEncoding(final boolean forceEncoding) { |
|
126
|
|
|
this.forceEncoding = forceEncoding; |
|
127
|
|
|
} |
|
128
|
|
|
} |
|
129
|
|
|
|
|
130
|
|
|
public static class Cors implements Serializable { |
|
131
|
|
|
private static final long serialVersionUID = 5938828345939769185L; |
|
132
|
|
|
/** |
|
133
|
|
|
* Whether CORS should be enabled for http requests. |
|
134
|
|
|
*/ |
|
135
|
|
|
private boolean enabled; |
|
136
|
|
|
|
|
137
|
|
|
/** |
|
138
|
|
|
* The Access-Control-Allow-Credentials header Indicates |
|
139
|
|
|
* whether or not the response to the request can be exposed |
|
140
|
|
|
* when the credentials flag is true. When used as part of a |
|
141
|
|
|
* response to a preflight request, this indicates whether |
|
142
|
|
|
* or not the actual request can be made using credentials. |
|
143
|
|
|
* Note that simple GET requests are not preflighted, and so |
|
144
|
|
|
* if a request is made for a resource with credentials, if this |
|
145
|
|
|
* header is not returned with the resource, the response is ignored |
|
146
|
|
|
* by the browser and not returned to web content. |
|
147
|
|
|
*/ |
|
148
|
|
|
private boolean allowCredentials = true; |
|
149
|
|
|
/** |
|
150
|
|
|
* The Origin header indicates the origin of the cross-site access request or preflight request. |
|
151
|
|
|
* The origin is a URI indicating the server from which the request initiated. |
|
152
|
|
|
* It does not include any path information, but only the server name. |
|
153
|
|
|
*/ |
|
154
|
|
|
private List<String> allowOrigins = new ArrayList<>(); |
|
155
|
|
|
/** |
|
156
|
|
|
* The Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. |
|
157
|
|
|
* This is used in response to a preflight request. |
|
158
|
|
|
* The conditions under which a request is preflighted are discussed above. |
|
159
|
|
|
* Default is everything. |
|
160
|
|
|
*/ |
|
161
|
|
|
private List<String> allowMethods = new ArrayList<>(); |
|
162
|
|
|
/** |
|
163
|
|
|
* The Access-Control-Allow-Headers header is used in response to a preflight |
|
164
|
|
|
* request to indicate which HTTP headers can be used when making the actual request. |
|
165
|
|
|
* Default is everything. |
|
166
|
|
|
*/ |
|
167
|
|
|
private List<String> allowHeaders = new ArrayList<>(); |
|
168
|
|
|
/** |
|
169
|
|
|
* The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached. |
|
170
|
|
|
*/ |
|
171
|
|
|
private long maxAge = 3_600; |
|
172
|
|
|
/** |
|
173
|
|
|
* The Access-Control-Expose-Headers header lets a server whitelist headers that browsers are allowed to access. |
|
174
|
|
|
*/ |
|
175
|
|
|
private List<String> exposedHeaders = new ArrayList<>(); |
|
176
|
|
|
|
|
177
|
|
|
public Cors() { |
|
178
|
|
|
this.allowMethods.add("*"); |
|
179
|
|
|
this.allowHeaders.add("*"); |
|
180
|
|
|
} |
|
181
|
|
|
|
|
182
|
|
|
public boolean isEnabled() { |
|
183
|
|
|
return enabled; |
|
184
|
|
|
} |
|
185
|
|
|
|
|
186
|
|
|
public void setEnabled(final boolean enabled) { |
|
187
|
|
|
this.enabled = enabled; |
|
188
|
|
|
} |
|
189
|
|
|
|
|
190
|
|
|
public boolean isAllowCredentials() { |
|
191
|
|
|
return allowCredentials; |
|
192
|
|
|
} |
|
193
|
|
|
|
|
194
|
|
|
public void setAllowCredentials(final boolean allowCredentials) { |
|
195
|
|
|
this.allowCredentials = allowCredentials; |
|
196
|
|
|
} |
|
197
|
|
|
|
|
198
|
|
|
public List<String> getAllowOrigins() { |
|
199
|
|
|
return allowOrigins; |
|
200
|
|
|
} |
|
201
|
|
|
|
|
202
|
|
|
public void setAllowOrigins(final List<String> allowOrigins) { |
|
203
|
|
|
this.allowOrigins = allowOrigins; |
|
204
|
|
|
} |
|
205
|
|
|
|
|
206
|
|
|
public List<String> getAllowMethods() { |
|
207
|
|
|
return allowMethods; |
|
208
|
|
|
} |
|
209
|
|
|
|
|
210
|
|
|
public void setAllowMethods(final List<String> allowMethods) { |
|
211
|
|
|
this.allowMethods = allowMethods; |
|
212
|
|
|
} |
|
213
|
|
|
|
|
214
|
|
|
public List<String> getAllowHeaders() { |
|
215
|
|
|
return allowHeaders; |
|
216
|
|
|
} |
|
217
|
|
|
|
|
218
|
|
|
public void setAllowHeaders(final List<String> allowHeaders) { |
|
219
|
|
|
this.allowHeaders = allowHeaders; |
|
220
|
|
|
} |
|
221
|
|
|
|
|
222
|
|
|
public long getMaxAge() { |
|
223
|
|
|
return maxAge; |
|
224
|
|
|
} |
|
225
|
|
|
|
|
226
|
|
|
public void setMaxAge(final long maxAge) { |
|
227
|
|
|
this.maxAge = maxAge; |
|
228
|
|
|
} |
|
229
|
|
|
|
|
230
|
|
|
public List<String> getExposedHeaders() { |
|
231
|
|
|
return exposedHeaders; |
|
232
|
|
|
} |
|
233
|
|
|
|
|
234
|
|
|
public void setExposedHeaders(final List<String> exposedHeaders) { |
|
235
|
|
|
this.exposedHeaders = exposedHeaders; |
|
236
|
|
|
} |
|
237
|
|
|
} |
|
238
|
|
|
|
|
239
|
|
|
public static class Header implements Serializable { |
|
240
|
|
|
private static final long serialVersionUID = 5993704062519851359L; |
|
241
|
|
|
/** |
|
242
|
|
|
* When true, will inject the following headers into the response for non-static resources. |
|
243
|
|
|
* <pre> |
|
244
|
|
|
* Cache-Control: no-cache, no-store, max-age=0, must-revalidate |
|
245
|
|
|
* Pragma: no-cache |
|
246
|
|
|
* Expires: 0 |
|
247
|
|
|
* </pre> |
|
248
|
|
|
*/ |
|
249
|
|
|
private boolean cache = true; |
|
250
|
|
|
/** |
|
251
|
|
|
* When true, will inject the following headers into the response: |
|
252
|
|
|
* {@code Strict-Transport-Security: max-age=15768000 ; includeSubDomains}. |
|
253
|
|
|
*/ |
|
254
|
|
|
private boolean hsts = true; |
|
255
|
|
|
/** |
|
256
|
|
|
* When true, will inject the following headers into the response: {@code X-Frame-Options: DENY}. |
|
257
|
|
|
*/ |
|
258
|
|
|
private boolean xframe = true; |
|
259
|
|
|
/** |
|
260
|
|
|
* When true, will inject the following headers into the response: {@code X-Content-Type-Options: nosniff}. |
|
261
|
|
|
*/ |
|
262
|
|
|
private boolean xcontent = true; |
|
263
|
|
|
/** |
|
264
|
|
|
* When true, will inject the following headers into the response: {@code X-XSS-Protection: 1; mode=block}. |
|
265
|
|
|
*/ |
|
266
|
|
|
private boolean xss = true; |
|
267
|
|
|
|
|
268
|
|
|
/** |
|
269
|
|
|
* Helps you reduce XSS risks on modern browsers by declaring what dynamic |
|
270
|
|
|
* resources are allowed to load via a HTTP Header. |
|
271
|
|
|
* Header value is made up of one or more directives. |
|
272
|
|
|
* Multiple directives are separated with a semicolon. |
|
273
|
|
|
*/ |
|
274
|
|
|
private String contentSecurityPolicy; |
|
275
|
|
|
|
|
276
|
|
|
public boolean isCache() { |
|
277
|
|
|
return cache; |
|
278
|
|
|
} |
|
279
|
|
|
|
|
280
|
|
|
public void setCache(final boolean cache) { |
|
281
|
|
|
this.cache = cache; |
|
282
|
|
|
} |
|
283
|
|
|
|
|
284
|
|
|
public boolean isHsts() { |
|
285
|
|
|
return hsts; |
|
286
|
|
|
} |
|
287
|
|
|
|
|
288
|
|
|
public void setHsts(final boolean hsts) { |
|
289
|
|
|
this.hsts = hsts; |
|
290
|
|
|
} |
|
291
|
|
|
|
|
292
|
|
|
public boolean isXframe() { |
|
293
|
|
|
return xframe; |
|
294
|
|
|
} |
|
295
|
|
|
|
|
296
|
|
|
public void setXframe(final boolean xframe) { |
|
297
|
|
|
this.xframe = xframe; |
|
298
|
|
|
} |
|
299
|
|
|
|
|
300
|
|
|
public boolean isXcontent() { |
|
301
|
|
|
return xcontent; |
|
302
|
|
|
} |
|
303
|
|
|
|
|
304
|
|
|
public void setXcontent(final boolean xcontent) { |
|
305
|
|
|
this.xcontent = xcontent; |
|
306
|
|
|
} |
|
307
|
|
|
|
|
308
|
|
|
public boolean isXss() { |
|
309
|
|
|
return xss; |
|
310
|
|
|
} |
|
311
|
|
|
|
|
312
|
|
|
public void setXss(final boolean xss) { |
|
313
|
|
|
this.xss = xss; |
|
314
|
|
|
} |
|
315
|
|
|
|
|
316
|
|
|
public String getContentSecurityPolicy() { |
|
317
|
|
|
return contentSecurityPolicy; |
|
318
|
|
|
} |
|
319
|
|
|
|
|
320
|
|
|
public void setContentSecurityPolicy(final String contentSecurityPolicy) { |
|
321
|
|
|
this.contentSecurityPolicy = contentSecurityPolicy; |
|
322
|
|
|
} |
|
323
|
|
|
} |
|
324
|
|
|
|
|
325
|
|
|
} |
|
326
|
|
|
|
apereo /
cas
