Package com.jalios.jcms.security
Class ContentSecurityPolicyManager
- java.lang.Object
-
- com.jalios.jcms.security.ContentSecurityPolicyManager
-
- All Implemented Interfaces:
JcmsConstants
,JaliosConstants
,JPropertiesListener
public class ContentSecurityPolicyManager extends java.lang.Object implements JcmsConstants, JPropertiesListener
Content Security Policy implementation in JCMS.The following properties can be defined to configure this implementation :
# Is CSP enabled for this site ? # default is false channel.security.csp.enabled: true # space or coma separated list of jsp (servlet path) excluded from CSP processing # use with care, you should not have to exclude anything !!! # default is empty channel.security.csp.excluded-path: # List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification. # Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support. # default is "Content-Security-Policy" channel.security.csp.csp-header-names: Content-Security-Policy # List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification. # Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support. # default is "Content-Security-Policy-Report-Only" channel.security.csp.csp-report-only-header-names: Content-Security-Policy-Report-Only # Java Format string used to output the "Content-Security-Policy" HTTP Header(s) value # %1s can be used to output a nonce generated for each request # default is empty as a fine tuning is required for each site channel.security.csp.csp-header: # Java Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header(s) value # %1s can be used to output a nonce generated for each request # default is empty as a fine tuning is required for each site channel.security.csp.csp-report-only-header: default-src 'self'; script-src 'self' 'nonce-%1s'; report-uri http://cspbuilder.info/report/124567890123456789/;
- Since:
- jcms-9.0
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
CSP_INITIALIZED_REQUEST_ATTRIBUTE
Request name attribute indicating CSP was initialized for a request.static java.lang.String
CSP_NONCE_REQUEST_ATTRIBUTE
Request name attribute used to store the nonce computed for a request.protected java.lang.String
cspHeaderFmt
Format string used to output the "Content-Security-Policy" HTTP Header valueprotected java.util.List<java.lang.String>
cspHeaderNameList
List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification.protected java.lang.String
cspReportOnlyHeaderFmt
Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header valueprotected java.util.List<java.lang.String>
cspReportOnlyHeaderNameList
List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification.protected java.util.Set<java.lang.String>
excludedPathSet
Set of jsp (servlet path) excluded from CSP processing-
Fields inherited from interface com.jalios.util.JaliosConstants
CRLF, MILLIS_IN_ONE_DAY, MILLIS_IN_ONE_HOUR, MILLIS_IN_ONE_MINUTE, MILLIS_IN_ONE_MONTH, MILLIS_IN_ONE_SECOND, MILLIS_IN_ONE_WEEK, MILLIS_IN_ONE_YEAR
-
Fields inherited from interface com.jalios.jcms.JcmsConstants
ADATE_SEARCH, ADMIN_NOTES_PROP, ADVANCED_TAB, AJAX_MODE_ATTR, ARCHIVES_DIR, ASCII_WIDTH, CATEGORY_TAB, CDATE_SEARCH, CLASS_PROPERTY, COMMON_ALARM, CONTENT_TAB, COOKIE_MAX_AGE, COUNTRY_SPRITE, CS_TYPOLOGY_ROOT_CAT_VID, CTRL_TOPIC_INTERNAL, CTRL_TOPIC_REF, CTRL_TOPIC_VALUE, CTRL_TOPIC_WRITE, CUSTOM_PROP, DATA_DIRECTORY, DEFAULT_PHOTO_PROP, DOCCHOOSER_HEIGHT, DOCCHOOSER_WIDTH, DOCS_DIR, EDATE_SEARCH, EMAIL_REGEXP, ERROR_MSG, FORBIDDEN_FILE_ACCESS, FORBIDDEN_REDIRECT, FORCE_REDIRECT, GLYPH_ICON_PREFIX, ICON_ARCHIVE, ICON_ICON_PREFIX, ICON_LOCK, ICON_LOCK_STRONG, ICON_PREFIX_PROP, ICON_WARN, ICON_WH_BOOK_CLOSED, ICON_WH_BOOK_OPEN, INFORMATION_MSG, IS_IN_FRONT_OFFICE, JALIOS_JUNIT_PROP, JCMS_CADDY, JCMS_MSG_LIST, JCMS_TOASTR_COLLECTION, JSYNC_DOWNLOAD_DIR, JSYNC_SYNC_ALARM, LANG_SPRITE, LOG_FILE, LOG_TOPIC_SECURITY, LOGGER_PROP, LOGGER_XMLPROP, MBR_PHOTO_DIR, MDATE_SEARCH, MONITOR_XML, OP_CREATE, OP_CREATE_STR, OP_DEEP_COPY, OP_DEEP_COPY_STR, OP_DEEP_DELETE, OP_DEEP_DELETE_STR, OP_DELETE, OP_DELETE_STR, OP_MERGE, OP_MERGE_STR, OP_UPDATE, OP_UPDATE_STR, ORGANIZATION_ROOT_GROUP_PROP, PDATE_SEARCH, PHOTO_DIR, PHOTO_ICON, PHOTO_ICON_HEIGHT, PHOTO_ICON_PROP_PREFIX, PHOTO_ICON_WIDTH, PHOTO_LARGE, PHOTO_LARGE_HEIGHT, PHOTO_LARGE_PROP_PREFIX, PHOTO_LARGE_WIDTH, PHOTO_MINI, PHOTO_MINI_HEIGHT, PHOTO_MINI_PROP_PREFIX, PHOTO_MINI_WIDTH, PHOTO_NORMAL, PHOTO_NORMAL_HEIGHT, PHOTO_NORMAL_PROP_PREFIX, PHOTO_NORMAL_WIDTH, PHOTO_SMALL, PHOTO_SMALL_HEIGHT, PHOTO_SMALL_PROP_PREFIX, PHOTO_SMALL_WIDTH, PHOTO_TINY, PHOTO_TINY_HEIGHT, PHOTO_TINY_PROP_PREFIX, PHOTO_TINY_WIDTH, PREVIOUS_TAB, PRINT_VIEW, PRIVATE_FILE_ACCESS, PUBLIC_FILE_ACCESS, RAW_CONTENT_ICON_PREFIX, READ_RIGHT_TAB, SDATE_SEARCH, SEARCHENGINE_ALARM, SECURITY_LOG_FILE, SESSION_AUTHORIZED_FILENAMES_SET, SPRITE_ICON_PREFIX, STATS_REPORT_DIR, STATUS_PROP, STORE_DIR, STORE_XML, SUCCESS_MSG, SVG_ICON_PREFIX, SVGINLINE_ICON_PREFIX, TEMPLATE_TAB, THUMBNAIL_LARGE_HEIGHT, THUMBNAIL_LARGE_WIDTH, THUMBNAIL_SMALL_HEIGHT, THUMBNAIL_SMALL_WIDTH, TTCARD_MEDIA_HEIGHT, TTCARD_MEDIA_WIDTH, TYPES_ICON_ALT_PROP, TYPES_ICON_SUFFIX_PROP, TYPES_ICON_TITLE_PROP, TYPES_PREFIX_PROP, TYPES_THUMB_SUFFIX_PROP, UDATE_SEARCH, UPDATE_RIGHT_TAB, UPLOAD_DIR, UPLOAD_PERMISSION_COUNT_PROP_PREFIX, UPLOAD_PERMISSION_SIZE_PROP_PREFIX, URL_REGEXP, VID_LOGGED_MEMBER, WARNING_MSG, WEBAPP_PROP, WFEXPRESS_ALARM, WFREMINDER_ALARM, WORKFLOW_TAB, WORKFLOW_XML
-
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static void
configure(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Initialize the Content Security Policy for the specified request/response.static ContentSecurityPolicyManager
getInstance()
Retrieve the singleton instance of this manager.static java.lang.String
getNonce(javax.servlet.http.HttpServletRequest request)
Retrieve the Content Security Policy nonce value to use in HTML scripts tags.void
propertiesChange(JProperties properties)
Invoked after properties have been modified in JCMS and save on disk.
-
-
-
Field Detail
-
CSP_NONCE_REQUEST_ATTRIBUTE
public static final java.lang.String CSP_NONCE_REQUEST_ATTRIBUTE
Request name attribute used to store the nonce computed for a request.Corresponding value is a String.
-
CSP_INITIALIZED_REQUEST_ATTRIBUTE
public static final java.lang.String CSP_INITIALIZED_REQUEST_ATTRIBUTE
Request name attribute indicating CSP was initialized for a request.Corresponding value is a Boolean.
- See Also:
- Constant Field Values
-
excludedPathSet
protected java.util.Set<java.lang.String> excludedPathSet
Set of jsp (servlet path) excluded from CSP processing
-
cspHeaderNameList
protected java.util.List<java.lang.String> cspHeaderNameList
List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification. Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support.
-
cspReportOnlyHeaderNameList
protected java.util.List<java.lang.String> cspReportOnlyHeaderNameList
List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification. Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support.
-
cspHeaderFmt
protected java.lang.String cspHeaderFmt
Format string used to output the "Content-Security-Policy" HTTP Header value
-
cspReportOnlyHeaderFmt
protected java.lang.String cspReportOnlyHeaderFmt
Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header value
-
-
Method Detail
-
getInstance
public static ContentSecurityPolicyManager getInstance()
Retrieve the singleton instance of this manager.- Returns:
- the ContentSecurityPolicyManager singleton
-
propertiesChange
public void propertiesChange(JProperties properties)
Description copied from interface:JPropertiesListener
Invoked after properties have been modified in JCMS and save on disk.You cannot alter the value received in parameters.
Note that properties parameter may be null, a limited set of site properties, or all site properties.
To check that a property has been modified, reload the "current" property instead using
channel.getProperties
orchannel.getProperty
.- Specified by:
propertiesChange
in interfaceJPropertiesListener
- Parameters:
properties
- the properties which have been submitted to change
-
configure
public static void configure(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Initialize the Content Security Policy for the specified request/response.- Build a nonce value for use in HTML tags
- Add appropriate HTTP headers to the response according to site configuration
- Parameters:
request
- the currentHttpServletRequest
, must not be nullresponse
- the currentHttpServletResponse
, must not be null- Since:
- jcms-9.0
-
getNonce
public static java.lang.String getNonce(javax.servlet.http.HttpServletRequest request)
Retrieve the Content Security Policy nonce value to use in HTML scripts tags.- Parameters:
request
- the current request in which nonce was initialized byconfigure(HttpServletRequest, HttpServletResponse)
- Returns:
- a nonce or an empty string if CSP was not initialized, never return null
- Since:
- 9.0
-
-