Write Security Headers Before Servlet Include
HeaderWriterFilter wraps request dispatcher so it can write security headers before the include occurs. Fixes: gh-5499
This commit is contained in:
Josh Cummings
Rob Winch
parent
ccc4e1c876
commit
8a475e39be
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2012 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -19,8 +19,12 @@ import java.io.IOException;
|
|||
import java.util.List;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.RequestDispatcher;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletRequestWrapper;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.security.web.util.OnCommittedResponseWrapper;
|
||||
|
|
@ -33,6 +37,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
|
|||
* and X-Content-Type-Options.
|
||||
*
|
||||
* @author Marten Deinum
|
||||
* @author Josh Cummings
|
||||
* @since 3.2
|
||||
*
|
||||
*/
|
||||
|
|
@ -62,8 +67,11 @@ public class HeaderWriterFilter extends OncePerRequestFilter {
|
|||
|
||||
HeaderWriterResponse headerWriterResponse = new HeaderWriterResponse(request,
|
||||
response, this.headerWriters);
|
||||
HeaderWriterRequest headerWriterRequest = new HeaderWriterRequest(request,
|
||||
headerWriterResponse);
|
||||
|
||||
try {
|
||||
filterChain.doFilter(request, headerWriterResponse);
|
||||
filterChain.doFilter(headerWriterRequest, headerWriterResponse);
|
||||
}
|
||||
finally {
|
||||
headerWriterResponse.writeHeaders();
|
||||
|
|
@ -106,4 +114,39 @@ public class HeaderWriterFilter extends OncePerRequestFilter {
|
|||
return (HttpServletResponse) getResponse();
|
||||
}
|
||||
}
|
||||
|
||||
static class HeaderWriterRequest extends HttpServletRequestWrapper {
|
||||
private final HeaderWriterResponse response;
|
||||
|
||||
HeaderWriterRequest(HttpServletRequest request, HeaderWriterResponse response) {
|
||||
super(request);
|
||||
this.response = response;
|
||||
}
|
||||
|
||||
@Override
|
||||
public RequestDispatcher getRequestDispatcher(String path) {
|
||||
return new HeaderWriterRequestDispatcher(super.getRequestDispatcher(path), this.response);
|
||||
}
|
||||
}
|
||||
|
||||
static class HeaderWriterRequestDispatcher implements RequestDispatcher {
|
||||
private final RequestDispatcher delegate;
|
||||
private final HeaderWriterResponse response;
|
||||
|
||||
HeaderWriterRequestDispatcher(RequestDispatcher delegate, HeaderWriterResponse response) {
|
||||
this.delegate = delegate;
|
||||
this.response = response;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void forward(ServletRequest request, ServletResponse response) throws ServletException, IOException {
|
||||
this.delegate.forward(request, response);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void include(ServletRequest request, ServletResponse response) throws ServletException, IOException {
|
||||
this.response.onResponseCommitted();
|
||||
this.delegate.include(request, response);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2013 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -18,6 +18,7 @@ package org.springframework.security.web.header;
|
|||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
|
|
@ -84,7 +85,9 @@ public class HeaderWriterFilterTests {
|
|||
|
||||
verify(this.writer1).writeHeaders(request, response);
|
||||
verify(this.writer2).writeHeaders(request, response);
|
||||
assertThat(filterChain.getRequest()).isEqualTo(request); // verify the filterChain
|
||||
HeaderWriterFilter.HeaderWriterRequest wrappedRequest = (HeaderWriterFilter.HeaderWriterRequest)
|
||||
filterChain.getRequest();
|
||||
assertThat(wrappedRequest.getRequest()).isEqualTo(request); // verify the filterChain
|
||||
// continued
|
||||
}
|
||||
|
||||
|
|
@ -112,4 +115,25 @@ public class HeaderWriterFilterTests {
|
|||
|
||||
verifyNoMoreInteractions(this.writer1);
|
||||
}
|
||||
|
||||
// gh-5499
|
||||
@Test
|
||||
public void doFilterWhenRequestContainsIncludeThenHeadersStillWritten() throws Exception {
|
||||
HeaderWriterFilter filter = new HeaderWriterFilter(
|
||||
Collections.singletonList(this.writer1));
|
||||
|
||||
MockHttpServletRequest mockRequest = new MockHttpServletRequest();
|
||||
MockHttpServletResponse mockResponse = new MockHttpServletResponse();
|
||||
|
||||
filter.doFilter(mockRequest, mockResponse, (request, response) -> {
|
||||
verifyZeroInteractions(HeaderWriterFilterTests.this.writer1);
|
||||
|
||||
request.getRequestDispatcher("/").include(request, response);
|
||||
|
||||
verify(HeaderWriterFilterTests.this.writer1).writeHeaders(
|
||||
any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
});
|
||||
|
||||
verifyNoMoreInteractions(this.writer1);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue