Skip to content

Commit

Permalink
Allow configuring custom ServerHttpHeadersWriter for Kotlin DSL
Browse files Browse the repository at this point in the history 
Closes gh-16009
  • Loading branch information
@evgeniycheban
evgeniycheban committed Nov 20, 2024
1 parent 30c9860 commit b1f72a8
Show file tree
Hide file tree
Showing 4 changed files with 144 additions and 2 deletions.
36 changes: 36 additions & 0 deletions config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3212,6 +3212,18 @@ public HeaderSpec writer(ServerHttpHeadersWriter serverHttpHeadersWriter) {
return this;
}

/**
* Configures custom headers writer
* @param serverHttpHeadersWriterCustomizer the {@link Customizer} to provide more
* options for the {@link ServerHttpHeadersWriterSpec}
* @return the {@link HeaderSpec} to customize
*/
public HeaderSpec serverHttpHeadersWriter(
Customizer<ServerHttpHeadersWriterSpec> serverHttpHeadersWriterCustomizer) {
serverHttpHeadersWriterCustomizer.customize(new ServerHttpHeadersWriterSpec());
return this;
}

/**
* Configures the Strict Transport Security response headers
* @return the {@link HstsSpec} to configure
Expand Down Expand Up @@ -3896,6 +3908,30 @@ public HeaderSpec and() {

}

/**
* Configures {@link ServerHttpHeadersWriter}
*
* @author Evgeniy Cheban
* @see #serverHttpHeadersWriter(Customizer)
*/
public final class ServerHttpHeadersWriterSpec {

private ServerHttpHeadersWriterSpec() {
}

/**
* Configures custom headers writer
* @param writer the {@link ServerHttpHeadersWriter} to provide custom headers
* writer
* @return the {@link HeaderSpec} to customize
*/
public ServerHttpHeadersWriterSpec writer(ServerHttpHeadersWriter writer) {
HeaderSpec.this.writer(writer);
return this;
}

}

}

/**
Expand Down
16 changes: 15 additions & 1 deletion config/src/main/kotlin/org/springframework/security/config/web/server/ServerHeadersDsl.kt
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -17,6 +17,7 @@
package org.springframework.security.config.web.server

import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter
import org.springframework.security.web.server.header.ServerHttpHeadersWriter
import org.springframework.security.web.server.header.ContentTypeOptionsServerHttpHeadersWriter
import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter
import org.springframework.security.web.server.header.StrictTransportSecurityServerHttpHeadersWriter
Expand All @@ -43,6 +44,7 @@ class ServerHeadersDsl {
private var crossOriginOpenerPolicy: ((ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec) -> Unit)? = null
private var crossOriginEmbedderPolicy: ((ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec) -> Unit)? = null
private var crossOriginResourcePolicy: ((ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec) -> Unit)? = null
private var serverHttpHeadersWriter: ((ServerHttpSecurity.HeaderSpec.ServerHttpHeadersWriterSpec) -> Unit)? = null

private var disabled = false

Expand Down Expand Up @@ -198,6 +200,15 @@ class ServerHeadersDsl {
this.crossOriginResourcePolicy = ServerCrossOriginResourcePolicyDsl().apply(crossOriginResourcePolicyConfig).get()
}

/**
* Allows customizations for the [ServerHttpHeadersWriter] which allows writing headers just before the response is committed
*
* @param serverHttpHeadersWriterConfig the customization to apply to the header
*/
fun serverHttpHeadersWriter(serverHttpHeadersWriterConfig: ServerHttpHeadersWriterDsl.() -> Unit) {
this.serverHttpHeadersWriter = ServerHttpHeadersWriterDsl().apply(serverHttpHeadersWriterConfig).get()
}

/**
* Disables HTTP response headers.
*/
Expand Down Expand Up @@ -244,6 +255,9 @@ class ServerHeadersDsl {
crossOriginResourcePolicy?.also {
headers.crossOriginResourcePolicy(crossOriginResourcePolicy)
}
serverHttpHeadersWriter?.also {
headers.serverHttpHeadersWriter(serverHttpHeadersWriter)
}
if (disabled) {
headers.disable()
}
Expand Down
45 changes: 45 additions & 0 deletions .../main/kotlin/org/springframework/security/config/web/server/ServerHttpHeadersWriterDsl.kt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.springframework.security.config.web.server

import org.springframework.security.web.server.header.ServerHttpHeadersWriter

/**
* A Kotlin DSL to configure the [ServerHttpSecurity] to use custom [ServerHttpHeadersWriter] using
* idiomatic Kotlin code.
*
* @author Evgeniy Cheban
* @property writers the list of custom [ServerHttpHeadersWriter] to be used
*/
@ServerSecurityMarker
class ServerHttpHeadersWriterDsl {

var writers = mutableListOf<ServerHttpHeadersWriter>()

fun writer(writer: ServerHttpHeadersWriter) {
writers.add(writer)
}

internal fun get(): (ServerHttpSecurity.HeaderSpec.ServerHttpHeadersWriterSpec) -> Unit {
return { writerOptions ->
writers?.also {
writers.forEach { writer -> writerOptions.writer(writer) }
}
}
}

}
49 changes: 48 additions & 1 deletion ...g/src/test/kotlin/org/springframework/security/config/web/server/ServerHeadersDslTests.kt
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -37,6 +37,7 @@ import org.springframework.security.web.server.header.XFrameOptionsServerHttpHea
import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter
import org.springframework.test.web.reactive.server.WebTestClient
import org.springframework.web.reactive.config.EnableWebFlux
import reactor.core.publisher.Mono

/**
* Tests for [ServerHeadersDsl]
Expand Down Expand Up @@ -198,4 +199,50 @@ class ServerHeadersDslTests {
}
}
}

@Test
fun `request when custom server http headers writer configured then custom http headers added`() {
this.spring.register(ServerHttpHeadersWriterCustomConfig::class.java).autowire()

this.client.get()
.uri("/")
.exchange()
.expectHeader().valueEquals("CUSTOM-HEADER-1", "CUSTOM-VALUE-1")
.expectHeader().valueEquals("CUSTOM-HEADER-2", "CUSTOM-VALUE-2")
}

@Configuration
@EnableWebFluxSecurity
@EnableWebFlux
open class ServerHttpHeadersWriterCustomConfig {
@Bean
open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
headers {
serverHttpHeadersWriter {
writer { exchange ->
Mono.just(exchange)
.doOnNext {
it.response.headers.add(
"CUSTOM-HEADER-1",
"CUSTOM-VALUE-1"
)
}
.then()
}
writer { exchange ->
Mono.just(exchange)
.doOnNext {
it.response.headers.add(
"CUSTOM-HEADER-2",
"CUSTOM-VALUE-2"
)
}
.then()
}
}
}
}
}
}
}

0 comments on commit b1f72a8

Please sign in to comment.