Class ContentSecurityPolicyManager

  • All Implemented Interfaces:
    JcmsConstants, JaliosConstants, JPropertiesListener

    public class ContentSecurityPolicyManager
    extends java.lang.Object
    implements JcmsConstants, JPropertiesListener
    Content Security Policy implementation in JCMS.

    The following properties can be defined to configure this implementation:

     # Is CSP enabled for this site?
     # default is false
     channel.security.csp.enabled: true
     
     
     # space or comma separated list of jsp (servlet path) excluded from CSP processing
     # use with care, you should not have to exclude anything !!!
     # default is empty
     channel.security.csp.excluded-path:
     
     
     # List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification.
     # Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support.
     # default is "Content-Security-Policy"
     channel.security.csp.csp-header-names: Content-Security-Policy
     
     # List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification.
     # Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support.
     # default is "Content-Security-Policy-Report-Only"
     channel.security.csp.csp-report-only-header-names: Content-Security-Policy-Report-Only
     
     
     # Java Format string used to output the "Content-Security-Policy" HTTP Header(s) value
     # %1s can be used to output a nonce generated for each request
     # default is empty as a fine tuning is required for each site
     channel.security.csp.csp-header: 
     
     # Java Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header(s) value
     # %1s can be used to output a nonce generated for each request
     # default is empty as a fine tuning is required for each site
     channel.security.csp.csp-report-only-header: default-src 'self'; script-src 'self' 'nonce-%1s'; report-uri http://cspbuilder.info/report/124567890123456789/;
     
    Since:
    jcms-9.0
    • Field Detail

      • CSP_NONCE_REQUEST_ATTRIBUTE

        public static final java.lang.String CSP_NONCE_REQUEST_ATTRIBUTE
        Name of the request attribute used to store the nonce computed for a request.

        The corresponding value is a String.

        See Also:
        getNonce(HttpServletRequest), Constant Field Values
      • CSP_INITIALIZED_REQUEST_ATTRIBUTE

        public static final java.lang.String CSP_INITIALIZED_REQUEST_ATTRIBUTE
        Name of the request attribute indicating that CSP was initialized for a request.

        The corresponding value is a Boolean.

        See Also:
        Constant Field Values
      • excludedPathSet

        protected java.util.Set<java.lang.String> excludedPathSet
        Set of jsp (servlet path) excluded from CSP processing.
      • cspHeaderNameList

        protected java.util.List<java.lang.String> cspHeaderNameList
        List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification. Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support.
      • cspReportOnlyHeaderNameList

        protected java.util.List<java.lang.String> cspReportOnlyHeaderNameList
        List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification. Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support.
      • cspHeaderFmt

        protected java.lang.String cspHeaderFmt
        Format string used to output the "Content-Security-Policy" HTTP Header value
      • cspReportOnlyHeaderFmt

        protected java.lang.String cspReportOnlyHeaderFmt
        Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header value
    • Method Detail

      • getInstance

        public static ContentSecurityPolicyManager getInstance()
        Retrieve the singleton instance of this manager.
        Returns:
        the ContentSecurityPolicyManager singleton
      • propertiesChange

        public void propertiesChange​(JProperties properties)
        Description copied from interface: JPropertiesListener
        Invoked after properties have been modified in JCMS and saved on disk.

        You cannot alter the value received in parameters.

        Note that properties parameter may be null, a limited set of site properties, or all site properties.

        To check that a property has been modified, reload the "current" property instead using channel.getProperties or channel.getProperty.

        Specified by:
        propertiesChange in interface JPropertiesListener
        Parameters:
        properties - the properties which have been submitted to change
      • configure

        public static void configure​(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
        Initialize the Content Security Policy for the specified request/response.
        • Build a nonce value for use in HTML tags
        • Add appropriate HTTP headers to the response according to site configuration
        This method is reentrant: processing is performed only once per request, even if the method is invoked several times.
        Parameters:
        request - the current HttpServletRequest, must not be null
        response - the current HttpServletResponse, must not be null
        Since:
        jcms-9.0
      • getNonce

        public static java.lang.String getNonce​(javax.servlet.http.HttpServletRequest request)
        Retrieve the Content Security Policy nonce value to use in HTML script tags.
        Parameters:
        request - the current request in which nonce was initialized by configure(HttpServletRequest, HttpServletResponse)
        Returns:
        a nonce, or an empty string if CSP was not initialized; never returns null
        Since:
        9.0
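As an added example (not JCMS code), a hypothetical servlet filter that calls configure(HttpServletRequest, HttpServletResponse) before any output is committed, plus a helper that renders an inline script tag with the nonce from getNonce(HttpServletRequest) so it matches the 'nonce-%1s' source in the csp-header format string above. The filter class name is invented, and ContentSecurityPolicyManager is assumed to be importable from its JCMS package, which this page does not name.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// ContentSecurityPolicyManager is assumed to be imported from its JCMS package
// (the package name is not shown on this page).

// Hypothetical filter: runs configure() before any output is written, so the
// CSP headers are added while the response can still carry headers.
public class CspBootstrapFilter implements Filter {

  @Override
  public void init(FilterConfig cfg) { }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // Headers cannot be added once the response is committed. configure() is
    // reentrant, so a later call from a JSP will not emit the headers twice.
    if (!response.isCommitted()) {
      ContentSecurityPolicyManager.configure(request, response);
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() { }

  // Emits an inline script tag carrying the per-request nonce, matching the
  // 'nonce-%1s' source expression in the csp-header format string.
  // getNonce() returns "" when CSP was not initialised for this request; an
  // empty nonce attribute would not match any configured nonce, so the tag is
  // emitted without one and will be blocked (and reported via report-uri) by
  // a policy whose script-src does not allow inline scripts.
  public static String scriptTag(HttpServletRequest request, String js) {
    String nonce = ContentSecurityPolicyManager.getNonce(request);
    if (nonce.isEmpty()) {
      return "<script>" + js + "</script>";
    }
    // Escape defensively even though nonces are normally base64: the value
    // lands in an HTML attribute.
    String safe = nonce.replace("&", "&amp;").replace("\"", "&quot;");
    return "<script nonce=\"" + safe + "\">" + js + "</script>";
  }
}
```

Register the filter ahead of the JCMS front servlet in web.xml so it sees every request before a page starts writing its body.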