From f26387a4b7d0e1d63c56d89ac47e9b395452dc05 Mon Sep 17 00:00:00 2001
From: Eleftheria Stein
Date: Fri, 18 Sep 2020 14:43:23 +0200
Subject: [PATCH] Add reactive HTTP exploit samples

Issue gh-8172
---
 .../_includes/reactive/exploits/http.adoc | 34 +++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc
index 851142d660..387a05a719 100644
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/http.adoc
@@ -14,7 +14,8 @@ For example, the following Java configuration will redirect any HTTP requests to
 
 .Redirect to HTTPS
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -24,6 +25,18 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ redirectToHttps { }
+ }
+}
+----
 ====
 
 The configuration can easily be wrapped around an if statement to only be turned on in production.
@@ -32,7 +45,8 @@ For example, if the production environment adds a header named `X-Forwarded-Prot
 
 .Redirect to HTTPS when X-Forwarded
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -44,6 +58,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ redirectToHttps {
+ httpsRedirectWhen {
+ it.request.headers.containsKey("X-Forwarded-Proto")
+ }
+ }
+ }
+}
+----
 ====
 
 [[webflux-hsts]]