spring security ClearSiteDataHeaderWriter 源码

  • 2022-08-13
  • 浏览 (705)

spring security ClearSiteDataHeaderWriter 代码

文件路径:/web/src/main/java/org/springframework/security/web/header/writers/ClearSiteDataHeaderWriter.java

/*
 * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web.header.writers;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.core.log.LogMessage;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/**
 * Provides support for <a href="https://w3c.github.io/webappsec-clear-site-data/">Clear
 * Site Data</a>.
 *
 * <p>
 * Developers may instruct a user agent to clear various types of relevant data by
 * delivering a Clear-Site-Data HTTP response header in response to a request.
 * <p>
 *
 * <p>
 * Due to <a href="https://w3c.github.io/webappsec-clear-site-data/#incomplete">Incomplete
 * Clearing</a> section the header is only applied if the request is secure.
 * </p>
 *
 * @author Rafiullah Hamedy
 * @since 5.2
 */
public final class ClearSiteDataHeaderWriter implements HeaderWriter {

	private static final String CLEAR_SITE_DATA_HEADER = "Clear-Site-Data";

	private final Log logger = LogFactory.getLog(getClass());

	private final RequestMatcher requestMatcher;

	private String headerValue;

	/**
	 * <p>
	 * Creates a new instance of {@link ClearSiteDataHeaderWriter} with given sources. The
	 * constructor also initializes <b>requestMatcher</b> with a new instance of
	 * <b>SecureRequestMatcher</b> to ensure that header is only applied if and when the
	 * request is secure as per the <b>Incomplete Clearing</b> section.
	 * </p>
	 * @param directives (i.e. "cache", "cookies", "storage", "executionContexts" or "*")
	 * @throws IllegalArgumentException if sources is null or empty.
	 */
	public ClearSiteDataHeaderWriter(Directive... directives) {
		Assert.notEmpty(directives, "directives cannot be empty or null");
		this.requestMatcher = new SecureRequestMatcher();
		this.headerValue = transformToHeaderValue(directives);
	}

	@Override
	public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
		if (this.requestMatcher.matches(request)) {
			if (!response.containsHeader(CLEAR_SITE_DATA_HEADER)) {
				response.setHeader(CLEAR_SITE_DATA_HEADER, this.headerValue);
			}
		}
		this.logger.debug(
				LogMessage.format("Not injecting Clear-Site-Data header since it did not match the requestMatcher %s",
						this.requestMatcher));
	}

	private String transformToHeaderValue(Directive... directives) {
		StringBuilder sb = new StringBuilder();
		for (int i = 0; i < directives.length - 1; i++) {
			sb.append(directives[i].headerValue).append(", ");
		}
		sb.append(directives[directives.length - 1].headerValue);
		return sb.toString();
	}

	@Override
	public String toString() {
		return getClass().getName() + " [headerValue=" + this.headerValue + "]";
	}

	/**
	 * Represents the directive values expected by the {@link ClearSiteDataHeaderWriter}.
	 */
	public enum Directive {

		CACHE("cache"),

		COOKIES("cookies"),

		STORAGE("storage"),

		EXECUTION_CONTEXTS("executionContexts"),

		ALL("*");

		private final String headerValue;

		Directive(String headerValue) {
			this.headerValue = "\"" + headerValue + "\"";
		}

		public String getHeaderValue() {
			return this.headerValue;
		}

	}

	private static final class SecureRequestMatcher implements RequestMatcher {

		@Override
		public boolean matches(HttpServletRequest request) {
			return request.isSecure();
		}

		@Override
		public String toString() {
			return "Is Secure";
		}

	}

}

相关信息

spring security 源码目录

相关文章

spring security CacheControlHeadersWriter 源码

spring security CompositeHeaderWriter 源码

spring security ContentSecurityPolicyHeaderWriter 源码

spring security CrossOriginEmbedderPolicyHeaderWriter 源码

spring security CrossOriginOpenerPolicyHeaderWriter 源码

spring security CrossOriginResourcePolicyHeaderWriter 源码

spring security DelegatingRequestMatcherHeaderWriter 源码

spring security FeaturePolicyHeaderWriter 源码

spring security HpkpHeaderWriter 源码

spring security HstsHeaderWriter 源码

0  赞
  • 所属分类: 后端技术
  • 本文标签: Spring Java
  • 版权声明: 原创文章如转载,请注明本文链接: https://m.seaxiang.com/blog/b337308c191e4c298d98a9f41aaf9c80
热门推荐
标签云
Linux Java Spring Spring Boot docker 大数据 前端 生活 maven golang 软件 spring cloud fintech mac vscode 其他 区块链 以太坊 V神 开发者 技术 股票 git greenplum 分布式事务 chrome mysql flink kafka 设计模式 原理 鸿蒙 seo
最新文章
本文目录