com.jalios.jcms.security

Class ContentSecurityPolicyManager

java.lang.Object

com.jalios.jcms.security.ContentSecurityPolicyManager

All Implemented Interfaces:

JcmsConstants, JaliosConstants, JPropertiesListener

public class ContentSecurityPolicyManager
extends java.lang.Object
implements JcmsConstants, JPropertiesListener

Content Security Policy implementation in JCMS.

The following properties can be defined to configure this implementation :

 # Is CSP enabled for this site ?
 # default is false
 channel.security.csp.enabled: true
 
 
 # space or coma separated list of jsp (servlet path) excluded from CSP processing
 # use with care, you should not have to exclude anything !!!
 # default is empty
 channel.security.csp.excluded-path:
 
 
 # List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification.
 # Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support.
 # default is "Content-Security-Policy"
 channel.security.csp.csp-header-names: Content-Security-Policy
 
 # List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification.
 # Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support.
 # default is "Content-Security-Policy-Report-Only"
 channel.security.csp.csp-report-only-header-names: Content-Security-Policy-Report-Only
 
 
 # Java Format string used to output the "Content-Security-Policy" HTTP Header(s) value
 # %1s can be used to output a nonce generated for each request  
 # default is empty as a fine tuning is required for each site
 channel.security.csp.csp-header: 
 
 # Java Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header(s) value
 # %1s can be used to output a nonce generated for each request  
 # default is empty as a fine tuning is required for each site
 channel.security.csp.csp-report-only-header: default-src 'self'; script-src 'self' 'nonce-%1s'; report-uri http://cspbuilder.info/report/124567890123456789/;
 

Since:

jcms-9.0

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CSP_INITIALIZED_REQUEST_ATTRIBUTE Request name attribute indicating CSP was initialized for a request.
static java.lang.String	CSP_NONCE_REQUEST_ATTRIBUTE Request name attribute used to store the nonce computed for a request.
protected java.lang.String	cspHeaderFmt Format string used to output the "Content-Security-Policy" HTTP Header value
protected java.util.List<java.lang.String>	cspHeaderNameList List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification.
protected java.lang.String	cspReportOnlyHeaderFmt Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header value
protected java.util.List<java.lang.String>	cspReportOnlyHeaderNameList List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification.
protected java.util.Set<java.lang.String>	excludedPathSet Set of jsp (servlet path) excluded from CSP processing
static java.lang.String	REVISION

Fields inherited from interface com.jalios.jcms.JcmsConstants

ADATE_SEARCH, ADMIN_NOTES_PROP, ADVANCED_TAB, AJAX_MODE_ATTR, ARCHIVES_DIR, ASCII_WIDTH, CATEGORY_TAB, CDATE_SEARCH, COMMON_ALARM, CONTENT_TAB, COOKIE_MAX_AGE, COUNTRY_SPRITE, CTRL_TOPIC_INTERNAL, CTRL_TOPIC_REF, CTRL_TOPIC_VALUE, CTRL_TOPIC_WRITE, CUSTOM_PROP, DOCCHOOSER_HEIGHT, DOCCHOOSER_WIDTH, DOCS_DIR, EDATE_SEARCH, EMAIL_REGEXP, ERROR_MSG, FORBIDDEN_FILE_ACCESS, FORBIDDEN_REDIRECT, FORCE_REDIRECT, GLYPH_ICON_PREFIX, ICON_ARCHIVE, ICON_ICON_PREFIX, ICON_LOCK, ICON_LOCK_STRONG, ICON_PREFIX_PROP, ICON_WARN, ICON_WH_BOOK_CLOSED, ICON_WH_BOOK_OPEN, INFORMATION_MSG, JALIOS_JUNIT_PROP, JCMS_CADDY, JCMS_MSG_LIST, JCMS_TOASTR_COLLECTION, JSYNC_DOWNLOAD_DIR, JSYNC_SYNC_ALARM, LANG_SPRITE, LOG_FILE, LOG_TOPIC_SECURITY, LOGGER_PROP, LOGGER_XMLPROP, MBR_PHOTO_DIR, MDATE_SEARCH, MONITOR_XML, OP_CREATE, OP_CREATE_STR, OP_DEEP_COPY, OP_DEEP_COPY_STR, OP_DEEP_DELETE, OP_DEEP_DELETE_STR, OP_DELETE, OP_DELETE_STR, OP_MERGE, OP_MERGE_STR, OP_UPDATE, OP_UPDATE_STR, ORGANIZATION_ROOT_GROUP_PROP, PDATE_SEARCH, PHOTO_DIR, PHOTO_ICON, PHOTO_ICON_HEIGHT, PHOTO_ICON_PROP_PREFIX, PHOTO_ICON_WIDTH, PHOTO_LARGE, PHOTO_LARGE_HEIGHT, PHOTO_LARGE_PROP_PREFIX, PHOTO_LARGE_WIDTH, PHOTO_NORMAL, PHOTO_NORMAL_HEIGHT, PHOTO_NORMAL_PROP_PREFIX, PHOTO_NORMAL_WIDTH, PHOTO_SMALL, PHOTO_SMALL_HEIGHT, PHOTO_SMALL_PROP_PREFIX, PHOTO_SMALL_WIDTH, PHOTO_TINY, PHOTO_TINY_HEIGHT, PHOTO_TINY_PROP_PREFIX, PHOTO_TINY_WIDTH, PREVIOUS_TAB, PRINT_VIEW, PRIVATE_FILE_ACCESS, PUBLIC_FILE_ACCESS, READ_RIGHT_TAB, SDATE_SEARCH, SEARCHENGINE_ALARM, SESSION_AUTHORIZED_FILENAMES_SET, SPRITE_ICON_PREFIX, STATS_REPORT_DIR, STATUS_PROP, STORE_XML, SUCCESS_MSG, TEMPLATE_TAB, THUMBNAIL_LARGE_HEIGHT, THUMBNAIL_LARGE_WIDTH, THUMBNAIL_SMALL_HEIGHT, THUMBNAIL_SMALL_WIDTH, TTCARD_MEDIA_HEIGHT, TTCARD_MEDIA_WIDTH, TYPES_ICON_ALT_PROP, TYPES_ICON_SUFFIX_PROP, TYPES_ICON_TITLE_PROP, TYPES_PREFIX_PROP, TYPES_THUMB_SUFFIX_PROP, UDATE_SEARCH, UPDATE_RIGHT_TAB, UPLOAD_DIR, UPLOAD_PERMISSION_SIZE_PROP_PREFIX, URL_REGEXP, VID_LOGGED_MEMBER, WARNING_MSG, WEBAPP_PROP, WFEXPRESS_ALARM, WFREMINDER_ALARM, WORKFLOW_TAB, WORKFLOW_XML

Fields inherited from interface com.jalios.util.JaliosConstants

CRLF, MILLIS_IN_ONE_DAY, MILLIS_IN_ONE_HOUR, MILLIS_IN_ONE_MINUTE, MILLIS_IN_ONE_MONTH, MILLIS_IN_ONE_SECOND, MILLIS_IN_ONE_WEEK, MILLIS_IN_ONE_YEAR

Method Summary

Modifier and Type	Method and Description
static void	configure(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Initialize the Content Security Policy for the specified request/response.
static ContentSecurityPolicyManager	getInstance() Retrieve the singleton instance of this manager.
static java.lang.String	getNonce(javax.servlet.http.HttpServletRequest request) Retrieve the Content Security Policy nonce value to use in HTML scripts tags.
void	propertiesChange(JProperties properties) Invoked after properties have been modified in JCMS and save on disk.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REVISION

public static final java.lang.String REVISION

See Also:

Constant Field Values

CSP_NONCE_REQUEST_ATTRIBUTE

public static final java.lang.String CSP_NONCE_REQUEST_ATTRIBUTE

Request name attribute used to store the nonce computed for a request.

Corresponding value is a String.

See Also:

getNonce(HttpServletRequest), Constant Field Values

CSP_INITIALIZED_REQUEST_ATTRIBUTE

public static final java.lang.String CSP_INITIALIZED_REQUEST_ATTRIBUTE

Request name attribute indicating CSP was initialized for a request.

Corresponding value is a Boolean.

See Also:

Constant Field Values

excludedPathSet

protected java.util.Set<java.lang.String> excludedPathSet

Set of jsp (servlet path) excluded from CSP processing

cspHeaderNameList

protected java.util.List<java.lang.String> cspHeaderNameList

List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification. Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support.

cspReportOnlyHeaderNameList

protected java.util.List<java.lang.String> cspReportOnlyHeaderNameList

List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification. Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support.

cspHeaderFmt

protected java.lang.String cspHeaderFmt

Format string used to output the "Content-Security-Policy" HTTP Header value

cspReportOnlyHeaderFmt

protected java.lang.String cspReportOnlyHeaderFmt

Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header value

Method Detail

getInstance

public static ContentSecurityPolicyManager getInstance()

Retrieve the singleton instance of this manager.

Returns:

the ContentSecurityPolicyManager singleton

propertiesChange

public void propertiesChange(JProperties properties)

Description copied from interface: JPropertiesListener

Invoked after properties have been modified in JCMS and save on disk.

You cannot alter the value received in parameters.

Specified by:

propertiesChange in interface JPropertiesListener

Parameters:

properties - the properties which have been modified (may not contain all JCMS properties)

configure

public static void configure(javax.servlet.http.HttpServletRequest request,
                             javax.servlet.http.HttpServletResponse response)

Initialize the Content Security Policy for the specified request/response.

• Build a nonce value for use in HTML tags
• Add appropriate HTTP headers to the response according to site configuration

This method is reentrant : process will only performed once per request even if invoked several times.

Parameters:

request - the current HttpServletRequest, must not be null

response - the current HttpServletResponse, must not be null

Since:

jcms-9.0

getNonce

public static java.lang.String getNonce(javax.servlet.http.HttpServletRequest request)

Retrieve the Content Security Policy nonce value to use in HTML scripts tags.

Parameters:

request - the current request in which nonce was initialized by configure(HttpServletRequest, HttpServletResponse)

Returns:

a nonce or an empty string if CSP was not initialized, never return null

Since:

9.0