Make SecurityHeadersFilter configurable via RODA properties #3586

Author: hmiguim

roda-ui/roda-wui/src/main/java/org/roda/wui/filter/SecurityHeadersFilter.java

@@ -8,6 +8,15 @@
 package org.roda.wui.filter;
 
 import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.configuration.Configuration;
+import org.roda.core.RodaCoreFactory;
+import org.roda.core.common.RodaUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
@@ -18,31 +27,45 @@
 import jakarta.servlet.http.HttpServletResponse;
 
 public class SecurityHeadersFilter implements Filter {
+  private static final Logger LOGGER = LoggerFactory.getLogger(SecurityHeadersFilter.class);
+  private final Map<String, String> headers = new HashMap<>();
+  private final static String SECURITY_HEADER_PROPERTY_PREFIX = "ui.filter.security-headers[]";
+  private Boolean isInit = false;
 
   @Override
-  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-    throws IOException, ServletException {
-    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+  public void init(FilterConfig filterConfig) {
 
-    httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-    httpServletResponse.setHeader("Content-Security-Policy",
-      "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com "
-        + "https://www.google-analytics.com https://www.gstatic.com http://127.0.0.1:9876 http://localhost:9876; "
-        + "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';");
-    httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
-    httpServletResponse.setHeader("X-Permitted-Cross-Domain-Policies", "none");
-    httpServletResponse.setHeader("Feature-Policy",
-      "camera 'none'; fullscreen 'self'; geolocation *; " + "microphone 'self'");
-    httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
-    httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
-    httpServletResponse.setHeader("Referrer-Policy", "no-referrer");
-    httpServletResponse.setHeader("Permissions-Policy", "geolocation=(self)");
+  }
 
-    chain.doFilter(request, response);
+  private void initSecurityHeaders() {
+    if (isInit) {
+      return;
+    }
+
+    final Configuration rodaConfig = RodaCoreFactory.getRodaConfiguration();
+    if (rodaConfig == null) {
+      LOGGER.info("RODA configuration not available yet. Delaying init of SecurityHeadersFilter.");
+    } else {
+      List<String> headersNames = RodaUtils.copyList(rodaConfig.getList(SECURITY_HEADER_PROPERTY_PREFIX));
+
+      for (String headersName : headersNames) {
+        String value = rodaConfig.getString(SECURITY_HEADER_PROPERTY_PREFIX + "." + headersName, null);
+        if (value != null) {
+          headers.put(headersName, value);
+        }
+      }
+      isInit = true;
+      LOGGER.info("SecurityHeadersFilter initialized with {} headers", headers.size());
+    }
   }
 
   @Override
-  public void init(FilterConfig filterConfig) {
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+    throws IOException, ServletException {
+    initSecurityHeaders();
+    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+    headers.forEach(httpServletResponse::setHeader);
+    chain.doFilter(request, response);
   }
 
   @Override

roda-ui/roda-wui/src/main/resources/config/roda-wui.properties

@@ -161,6 +161,44 @@ ui.filter.cas.serverName = https://localhost:8888
 ui.filter.cas.exceptionOnValidationFailure = false
 ui.filter.cas.redirectAfterValidation = false
 
+##########################################################################
+# Security Headers filter settings
+#
+# These properties define which HTTP security headers should be applied
+# to all responses by the SecurityHeadersFilter. Each header can be
+# enabled by listing it in the array and its value can be configured
+# individually.
+#
+# Usage:
+#
+# * ui.filter.security-headers[] = <Header-Name>
+#     Adds the header <Header-Name> to the list of headers managed by the filter.
+#
+# * ui.filter.security-headers[].<Header-Name> = <Header-Value>
+#     Defines the value that will be sent for <Header-Name> in HTTP responses.
+#
+##########################################################################
+
+ui.filter.security-headers[] = Strict-Transport-Security
+ui.filter.security-headers[] = Content-Security-Policy
+ui.filter.security-headers[] = X-XSS-Protection
+ui.filter.security-headers[] = X-Permitted-Cross-Domain-Policies
+ui.filter.security-headers[] = Feature-Policy
+ui.filter.security-headers[] = X-Frame-Options
+ui.filter.security-headers[] = X-Content-Type-Options
+ui.filter.security-headers[] = Referrer-Policy
+ui.filter.security-headers[] = Permissions-Policy
+
+ui.filter.security-headers[].Strict-Transport-Security = max-age=31536000; includeSubDomains
+ui.filter.security-headers[].Content-Security-Policy = default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.google-analytics.com https://www.gstatic.com http://127.0.0.1:9876; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';
+ui.filter.security-headers[].X-XSS-Protection = 1; mode=block
+ui.filter.security-headers[].X-Permitted-Cross-Domain-Policies = none
+ui.filter.security-headers[].Feature-Policy = camera 'none'; fullscreen 'self'; geolocation *; microphone 'self'
+ui.filter.security-headers[].X-Frame-Options = SAMEORIGIN
+ui.filter.security-headers[].X-Content-Type-Options = nosniff
+ui.filter.security-headers[].Referrer-Policy = no-referrer
+ui.filter.security-headers[].Permissions-Policy = geolocation=(self)
+
 ##########################################################################
 # Roles with access to menu items settings
 #