Add Kotlin WebFlux header configuration to docs

Issue gh-8172
2020-07-14 16:34:30 +02:00 · 2020-07-14 16:34:30 +02:00 · 683cb49c9d
parent f8f3302891
commit 683cb49c9d
1 changed files with 234 additions and 28 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc
@ -13,11 +13,12 @@ While each of these headers are considered best practice, it should be noted tha
 You can customize specific headers.
 For example, assume that you want the defaults except you wish to specify `SAMEORIGIN` for <<servlet-headers-frame-options,X-Frame-Options>>.

-You can easily do this with the following Java Configuration:
+You can easily do this with the following Configuration:

-.Customize Default Security Headers with Java Configuration
+.Customize Default Security Headers
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -31,14 +32,31 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            frameOptions {
+                mode = Mode.SAMEORIGIN
+            }
+        }
+    }
+}
+----
 ====

 If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults.
-An example for both Java configuration is provided below:
+An example is provided below:

 .Disable HTTP Security Response Headers
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -48,6 +66,20 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            disable()
+        }
+    }
+}
+----
 ====

 [[webflux-headers-cache-control]]
@ -65,7 +97,8 @@ If necessary, you can also disable Spring Security's cache control HTTP response

 .Cache Control Disabled
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -77,17 +110,34 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            cache {
+                disable()
+            }
+        }
+    }
+}
+----
 ====


 [[webflux-headers-content-type-options]]
 == Content Type Options
 Spring Security includes <<headers-content-type-options,Content-Type>> headers by default.
-However, you can disable it in Java Configuration with:
+However, you can disable it with:

-.Content Type Options Disabled with Java Configuration
+.Content Type Options Disabled
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -99,17 +149,34 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            contentTypeOptions {
+                disable()
+            }
+        }
+    }
+}
+----
 ====

 [[webflux-headers-hsts]]
 == HTTP Strict Transport Security (HSTS)
 Spring Security provides the <<headers-hsts,Strict Transport Security>> header by default.
 However, you can customize the results explicitly.
-For example, the following is an example of explicitly providing HSTS with Java Configuration:
+For example, the following is an example of explicitly providing HSTS:

-.Strict Transport Security with Java Configuration
+.Strict Transport Security
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -125,17 +192,36 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            hsts {
+                includeSubdomains = true
+                preload = true
+                maxAge = Duration.ofDays(365)
+            }
+        }
+    }
+}
+----
 ====

 [[webflux-headers-frame-options]]
 == X-Frame-Options
 By default, Spring Security disables rendering within an iframe using <<headers-frame-options,X-Frame-Options>>.

-You can customize frame options to use the same origin within Java Configuration using the following:
+You can customize frame options to use the same origin using the following:

 .X-Frame-Options: SAMEORIGIN
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -149,16 +235,33 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            frameOptions {
+                mode = SAMEORIGIN
+            }
+        }
+    }
+}
+----
 ====

 [[webflux-headers-xss-protection]]
 == X-XSS-Protection
 By default, Spring Security instructs browsers to block reflected XSS attacks using the <<headers-xss-protection,X-XSS-Protection header>.
-You can disable `X-XSS-Protection` with the following Java Configuration:
+You can disable `X-XSS-Protection` with the following Configuration:

 .X-XSS-Protection Customization
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -170,6 +273,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            xssProtection {
+                disable()
+            }
+        }
+    }
+}
+----
 ====

 [[webflux-headers-csp]]
@ -187,11 +306,12 @@ Content-Security-Policy: script-src 'self' https://trustedscripts.example.com; o
 ----
 ====

-You can enable the CSP header using Java configuration as shown below:
+You can enable the CSP header as shown below:

 .Content Security Policy
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -205,13 +325,30 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            contentSecurityPolicy {
+                policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
+            }
+        }
+    }
+}
+----
 ====

-To enable the CSP `report-only` header, provide the following Java configuration:
+To enable the CSP `report-only` header, provide the following configuration:

 .Content Security Policy Report Only
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -226,17 +363,35 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            contentSecurityPolicy {
+                policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
+                reportOnly = true
+            }
+        }
+    }
+}
+----
 ====

 [[webflux-headers-referrer]]
 == Referrer Policy

 Spring Security does not add <<headers-referrer,Referrer Policy>> headers by default.
-You can enable the Referrer Policy header using Java configuration as shown below:
+You can enable the Referrer Policy header using configuration as shown below:

-.Referrer Policy Java Configuration
+.Referrer Policy Configuration
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -250,6 +405,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            referrerPolicy {
+                policy = ReferrerPolicy.SAME_ORIGIN
+            }
+        }
+    }
+}
+----
 ====


@ -267,11 +438,12 @@ Feature-Policy: geolocation 'self'
 ----
 ====

-can enable the Feature Policy header using Java configuration as shown below:
+You can enable the Feature Policy header as shown below:

-.Feature-Policy Java Configuration
+.Feature-Policy Configuration
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -283,6 +455,20 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        headers {
+            featurePolicy("geolocation 'self'")
+        }
+    }
+}
+----
 ====


@ -301,9 +487,10 @@ Clear-Site-Data: "cache", "cookies"

 can be sent on log out with the following configuration:

-.Clear-Site-Data Java Configuration
+.Clear-Site-Data Configuration
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -319,4 +506,23 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    val securityContext: ServerLogoutHandler = SecurityContextServerLogoutHandler()
+    val writer = ClearSiteDataServerHttpHeadersWriter(CACHE, COOKIES)
+    val clearSiteData: ServerLogoutHandler = HeaderWriterServerLogoutHandler(writer)
+    val customLogoutHandler = DelegatingServerLogoutHandler(securityContext, clearSiteData)
+
+    return http {
+        // ...
+        logout {
+            logoutHandler = customLogoutHandler
+        }
+    }
+}
+----
 ====