
Allow disabling headers in Kotlin DSL

Closes gh-8816
Eleftheria Stein 5 years ago
parent
commit
815ceae45c

+ 13 - 0
config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt

@@ -40,6 +40,7 @@ class HeadersDsl {
     private var contentSecurityPolicy: ((HeadersConfigurer<HttpSecurity>.ContentSecurityPolicyConfig) -> Unit)? = null
     private var referrerPolicy: ((HeadersConfigurer<HttpSecurity>.ReferrerPolicyConfig) -> Unit)? = null
     private var featurePolicyDirectives: String? = null
+    private var disabled = false
 
     var defaultsDisabled: Boolean? = null
 
@@ -161,6 +162,15 @@ class HeadersDsl {
         this.featurePolicyDirectives = policyDirectives
     }
 
+    /**
+     * Disable all HTTP security headers.
+     *
+     * @since 5.4
+     */
+    fun disable() {
+        disabled = true
+    }
+
     internal fun get(): (HeadersConfigurer<HttpSecurity>) -> Unit {
         return { headers ->
             defaultsDisabled?.also {
@@ -195,6 +205,9 @@ class HeadersDsl {
             featurePolicyDirectives?.also {
                 headers.featurePolicy(featurePolicyDirectives)
             }
+            if (disabled) {
+                headers.disable()
+            }
         }
     }
 }
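Review bot: The `if (disabled) { headers.disable() }` branch at the end of `get()` runs after every other `headers.xxx(...)` call, so `disable()` silently wins over any customization made in the same `headers { }` block, and because `HeadersConfigurer.disable()` removes the configurer itself the defaults (HSTS, X-Content-Type-Options, cache control, X-Frame-Options) are dropped as well — the KDoc on `disable()` in the previous hunk should say so, otherwise a reader may expect `disable()` plus `contentSecurityPolicy { }` to still emit a CSP header. Suggested wording after the summary line: `* Takes precedence over any other configuration in this block: no security headers, including the defaults, are written. To remove only some headers use [defaultsDisabled] or the individual header blocks instead.` The removal-of-the-whole-configurer behaviour is inferred from `HeadersConfigurer.disable()`, which is not shown here. `get()` spans the last two hunks of this file.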

+ 27 - 0
config/src/test/kotlin/org/springframework/security/config/web/servlet/HeadersDslTests.kt

@@ -91,4 +91,31 @@ class HeadersDslTests {
             }
         }
     }
+
+    @Test
+    fun `request when headers disabled then no security headers are in the response`() {
+        this.spring.register(HeadersDisabledConfig::class.java).autowire()
+
+        this.mockMvc.get("/")
+                .andExpect {
+                    header { doesNotExist(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS) }
+                    header { doesNotExist(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS) }
+                    header { doesNotExist(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY) }
+                    header { doesNotExist(HttpHeaders.CACHE_CONTROL) }
+                    header { doesNotExist(HttpHeaders.EXPIRES) }
+                    header { doesNotExist(HttpHeaders.PRAGMA) }
+                    header { doesNotExist(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION) }
+                }
+    }
+
+    @EnableWebSecurity
+    open class HeadersDisabledConfig : WebSecurityConfigurerAdapter() {
+        override fun configure(http: HttpSecurity) {
+            http {
+                headers {
+                    disable()
+                }
+            }
+        }
+    }
 }