Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 13:32:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow disabling headers in Kotlin DSL

Browse Source 
Closes gh-8816
This commit is contained in:
Eleftheria Stein 2020-07-08 10:55:01 +02:00
parent 8e8a642e5a
commit 815ceae45c
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt
View File

@ -40,6 +40,7 @@ class HeadersDsl {
private var contentSecurityPolicy: ((HeadersConfigurer<HttpSecurity>.ContentSecurityPolicyConfig) -> Unit)? = null private var contentSecurityPolicy: ((HeadersConfigurer<HttpSecurity>.ContentSecurityPolicyConfig) -> Unit)? = null
private var referrerPolicy: ((HeadersConfigurer<HttpSecurity>.ReferrerPolicyConfig) -> Unit)? = null private var referrerPolicy: ((HeadersConfigurer<HttpSecurity>.ReferrerPolicyConfig) -> Unit)? = null
private var featurePolicyDirectives: String? = null private var featurePolicyDirectives: String? = null
private var disabled = false
var defaultsDisabled: Boolean? = null var defaultsDisabled: Boolean? = null
@ -161,6 +162,15 @@ class HeadersDsl {
this.featurePolicyDirectives = policyDirectives this.featurePolicyDirectives = policyDirectives
} }
/**
* Disable all HTTP security headers.
*
* @since 5.4
*/
fun disable() {
disabled = true
}
internal fun get(): (HeadersConfigurer<HttpSecurity>) -> Unit { internal fun get(): (HeadersConfigurer<HttpSecurity>) -> Unit {
return { headers -> return { headers ->
defaultsDisabled?.also { defaultsDisabled?.also {
@ -195,6 +205,9 @@ class HeadersDsl {
featurePolicyDirectives?.also { featurePolicyDirectives?.also {
headers.featurePolicy(featurePolicyDirectives) headers.featurePolicy(featurePolicyDirectives)
} }
if (disabled) {
headers.disable()
}
} }
} }
} }

27
config/src/test/kotlin/org/springframework/security/config/web/servlet/HeadersDslTests.kt
View File

@ -91,4 +91,31 @@ class HeadersDslTests {
} }
} }
} }
@Test
fun `request when headers disabled then no security headers are in the response`() {
this.spring.register(HeadersDisabledConfig::class.java).autowire()
this.mockMvc.get("/")
.andExpect {
header { doesNotExist(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS) }
header { doesNotExist(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS) }
header { doesNotExist(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY) }
header { doesNotExist(HttpHeaders.CACHE_CONTROL) }
header { doesNotExist(HttpHeaders.EXPIRES) }
header { doesNotExist(HttpHeaders.PRAGMA) }
header { doesNotExist(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION) }
}
}
@EnableWebSecurity
open class HeadersDisabledConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
headers {
disable()
}
}
}
}
} }