WW-5400 Extend default configuration options for the CSP interceptor. #913
@@ -46,6 +46,9 @@ public final class CspInterceptor extends AbstractInterceptor { | |
private boolean prependServletContext = true; | ||
private boolean enforcingMode; | ||
private String reportUri; | ||
private String reportTo; | ||
|
||
private String defaultCspSettingsClassName = DefaultCspSettings.class.getName(); | ||
|
||
@Override | ||
public String intercept(ActionInvocation invocation) throws Exception { | ||
|
@@ -54,8 +57,24 @@ public String intercept(ActionInvocation invocation) throws Exception { | |
LOG.trace("Using CspSettings provided by the action: {}", action); | ||
applySettings(invocation, ((CspSettingsAware) action).getCspSettings()); | ||
} else { | ||
LOG.trace("Using DefaultCspSettings with action: {}", action); | ||
applySettings(invocation, new DefaultCspSettings()); | ||
LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, action); | ||
|
||
// if the defaultCspSettingsClassName is not a real class, throw an exception | ||
try { | ||
Class.forName(defaultCspSettingsClassName, false, Thread.currentThread().getContextClassLoader()); | ||
} | ||
catch (ClassNotFoundException e) { | ||
throw new IllegalArgumentException("The defaultCspSettingsClassName must be a real class."); | ||
} | ||
|
||
// if defaultCspSettingsClassName does not implement CspSettings, throw an exception | ||
if (!CspSettings.class.isAssignableFrom(Class.forName(defaultCspSettingsClassName))) { | ||
throw new IllegalArgumentException("The defaultCspSettingsClassName must implement CspSettings."); | ||
} | ||
|
||
CspSettings cspSettings = (CspSettings) Class.forName(defaultCspSettingsClassName) | ||
.getDeclaredConstructor().newInstance(); | ||
applySettings(invocation, cspSettings); | ||
} | ||
return invocation.invoke(); | ||
} | ||
|
@@ -76,6 +95,12 @@ private void applySettings(ActionInvocation invocation, CspSettings cspSettings) | |
} | ||
|
||
cspSettings.setReportUri(finalReportUri); | ||
|
||
// apply reportTo if set | ||
if (reportTo != null) { | ||
LOG.trace("Applying: {} to reportTo", reportTo); | ||
cspSettings.setReportTo(reportTo); | ||
} | ||
} | ||
|
||
invocation.addPreResultListener((actionInvocation, resultCode) -> { | ||
|
@@ -97,6 +122,18 @@ public void setReportUri(String reportUri) { | |
this.reportUri = reportUri; | ||
} | ||
|
||
/** | ||
* Sets the report group where csp violation reports will be sent. This will | ||
* only be used if the reportUri is set. | ||
* | ||
* @param reportTo the report group where csp violation reports will be sent | ||
* | ||
* @since Struts 6.5.0 | ||
*/ | ||
public void setReportTo(String reportTo) { | ||
this.reportTo = reportTo; | ||
} | ||
|
||
private Optional<URI> buildUri(String reportUri) { | ||
try { | ||
return Optional.of(URI.create(reportUri)); | ||
|
@@ -124,4 +161,13 @@ public void setPrependServletContext(boolean prependServletContext) { | |
this.prependServletContext = prependServletContext; | ||
} | ||
|
||
} | ||
/** | ||
* Sets the class name of the default {@link CspSettings} implementation to use when the action does not | ||
* set its own values. If not set, the default is {@link DefaultCspSettings}. | ||
* | ||
* @since Struts 6.5.0 | ||
*/ | ||
|
||
public void setDefaultCspSettingsClassName(String defaultCspSettingsClassName) { | ||
this.defaultCspSettingsClassName = defaultCspSettingsClassName; | ||
} | ||
You can use Struts inject mechanism instead of using raw class and creating the instance by yourself. It's all about defining a I assume you never played with Struts @Inject, so let's leave it as is and I will change that in the next PR. |
||
} |
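Review bot: The three `Class.forName` calls in the `else` branch of `intercept` (hunk `@@ -54,8 +57,24 @@`) do not resolve the configured name the same way: the guarded lookup uses the thread context class loader with initialization off, while the `isAssignableFrom` check and the `newInstance` call use the interceptor's own defining loader and trigger static initialization, so a class visible only through the context loader passes the guard and then fails with an unguarded `ClassNotFoundException` (and the guard's `catch` also drops `e` as the cause). Resolving once and keeping the `Class<?>` removes the discrepancy and lets `asSubclass` replace the unchecked cast; the rewritten branch is below. `intercept`'s signature lies in the preceding hunk. A non-public or missing no-arg constructor still surfaces as a raw reflection exception from `newInstance`, which neither `IllegalArgumentException` message covers, so the `setDefaultCspSettingsClassName` Javadoc should state that the class needs an accessible no-arg constructor.
```java
// … unchanged: CspSettingsAware branch …
} else {
    LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, action);

    // resolve once, through the same loader the existence check uses, and keep the reference
    Class<?> resolved;
    try {
        resolved = Class.forName(defaultCspSettingsClassName, false,
                Thread.currentThread().getContextClassLoader());
    } catch (ClassNotFoundException e) {
        throw new IllegalArgumentException("The defaultCspSettingsClassName must be a real class.", e);
    }
    if (!CspSettings.class.isAssignableFrom(resolved)) {
        throw new IllegalArgumentException("The defaultCspSettingsClassName must implement CspSettings.");
    }
    CspSettings cspSettings = resolved.asSubclass(CspSettings.class)
            .getDeclaredConstructor().newInstance();
    applySettings(invocation, cspSettings);
}
```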
I wonder if we can move this code into
init()
method of the interceptor as right now a new instance is created per each invocation