Skip to content

Commit b250671

Browse files
committed
Add CspFilter
1 parent cb54c60 commit b250671

4 files changed

Lines changed: 114 additions & 35 deletions

File tree

knowage-core/src/main/java/it/eng/spagobi/commons/filters/ProfileFilter.java

Lines changed: 0 additions & 35 deletions
Original file line numberDiff line numberDiff line change
@@ -21,14 +21,8 @@
2121
import static java.util.Objects.isNull;
2222
import static org.apache.commons.lang3.StringUtils.isEmpty;
2323

24-
import java.io.File;
2524
import java.io.IOException;
2625
import java.net.URLEncoder;
27-
import java.nio.charset.StandardCharsets;
28-
import java.nio.file.Files;
29-
import java.nio.file.Paths;
30-
import java.util.Base64;
31-
import java.util.UUID;
3226

3327
import javax.servlet.Filter;
3428
import javax.servlet.FilterChain;
@@ -57,7 +51,6 @@
5751
import it.eng.spagobi.commons.services.LoginModule;
5852
import it.eng.spagobi.commons.utilities.ChannelUtilities;
5953
import it.eng.spagobi.commons.utilities.GeneralUtilities;
60-
import it.eng.spagobi.commons.utilities.SpagoBIUtilities;
6154
import it.eng.spagobi.services.common.SsoServiceFactory;
6255
import it.eng.spagobi.services.common.SsoServiceInterface;
6356
import it.eng.spagobi.services.security.bo.SpagoBIUserProfile;
@@ -77,8 +70,6 @@ public class ProfileFilter implements Filter {
7770

7871
private static final Logger LOGGER = LogManager.getLogger(ProfileFilter.class);
7972

80-
private static final String FILE_CSP = "csp.txt";
81-
8273
@Override
8374
public void destroy() {
8475
// do nothing
@@ -93,8 +84,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
9384
HttpServletResponse httpResponse = (HttpServletResponse) response;
9485
HttpSession session = httpRequest.getSession();
9586

96-
this.setCspNonse(httpRequest, httpResponse);
97-
9887
// @formatter:off
9988
// TODO ML RequestContainer requestContainer = (RequestContainer) session
10089
// TODO ML .getAttribute(Constants.REQUEST_CONTAINER);
@@ -228,30 +217,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
228217
}
229218
}
230219

231-
private void setCspNonse(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException {
232-
233-
String cspFilePath = SpagoBIUtilities.getRootResourcePath() + File.separator + FILE_CSP;
234-
235-
File cspFile = new File(cspFilePath);
236-
if (!cspFile.exists()) {
237-
return;
238-
}
239-
240-
String cspPolicy = new String(Files.readAllBytes(Paths.get(cspFilePath)), StandardCharsets.UTF_8);
241-
242-
// Generate a secure random nonce
243-
String nonce = Base64.getEncoder().encodeToString(UUID.randomUUID().toString().getBytes());
244-
// Store the nonce in the request so it can be used in JSP or templates
245-
httpRequest.setAttribute("cspNonce", nonce);
246-
247-
// Replace the placeholder with the actual nonce
248-
cspPolicy = cspPolicy.replace("rAnd0m", nonce);
249-
250-
// Set the updated CSP header in the response
251-
httpResponse.setHeader("Content-Security-Policy", cspPolicy);
252-
253-
}
254-
255220
private boolean requestIsForHomePage(HttpServletRequest request) {
256221
// returns true in case request has PAGE=LoginPage parameter, false otherwise
257222
return request.getParameter(Constants.PAGE) != null

knowage/src/main/webapp/WEB-INF/web.xml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,19 @@
6565
<dispatcher>REQUEST</dispatcher>
6666
<dispatcher>FORWARD</dispatcher>
6767
</filter-mapping>
68+
69+
<!-- CSP FILTER -->
70+
<filter>
71+
<filter-name>CspFilter</filter-name>
72+
<filter-class>it.eng.spagobi.security.utils.CspFilter</filter-class>
73+
</filter>
74+
75+
<filter-mapping>
76+
<filter-name>CspFilter</filter-name>
77+
<url-pattern>/*</url-pattern>
78+
<dispatcher>REQUEST</dispatcher>
79+
<dispatcher>FORWARD</dispatcher>
80+
</filter-mapping>
6881

6982
<!--
7083
<servlet>
Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
package it.eng.spagobi.security.utils;
2+
3+
import java.io.IOException;
4+
import java.util.Base64;
5+
import java.util.UUID;
6+
7+
import javax.servlet.Filter;
8+
import javax.servlet.FilterChain;
9+
import javax.servlet.FilterConfig;
10+
import javax.servlet.ServletException;
11+
import javax.servlet.ServletRequest;
12+
import javax.servlet.ServletResponse;
13+
import javax.servlet.http.HttpServletRequest;
14+
import javax.servlet.http.HttpServletResponse;
15+
16+
import it.eng.spagobi.utilities.csp.CSPSingleton;
17+
18+
public class CspFilter implements Filter {
19+
20+
@Override
21+
public void init(FilterConfig filterConfig) throws ServletException {
22+
// TODO document why this method is empty
23+
}
24+
25+
@Override
26+
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
27+
String cspPolicy = CSPSingleton.getInstance().getCspPolicy();
28+
if (cspPolicy != null) {
29+
HttpServletRequest httpRequest = (HttpServletRequest) request;
30+
HttpServletResponse httpResponse = (HttpServletResponse) response;
31+
32+
// Generate a secure random nonce
33+
String nonce = Base64.getEncoder().encodeToString(UUID.randomUUID().toString().getBytes());
34+
// Store the nonce in the request so it can be used in JSP or templates
35+
httpRequest.setAttribute("cspNonce", nonce);
36+
37+
// Replace the placeholder with the actual nonce
38+
String updatedPolicy = cspPolicy.replace("rAnd0m", nonce);
39+
40+
// Set the updated CSP header in the response
41+
httpResponse.setHeader("Content-Security-Policy", updatedPolicy);
42+
}
43+
chain.doFilter(request, response);
44+
}
45+
46+
@Override
47+
public void destroy() {
48+
// TODO document why this method is empty
49+
}
50+
51+
}
Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
package it.eng.spagobi.utilities.csp;
2+
3+
import java.io.File;
4+
import java.io.IOException;
5+
import java.nio.charset.StandardCharsets;
6+
import java.nio.file.Files;
7+
import java.nio.file.Paths;
8+
9+
import org.apache.logging.log4j.LogManager;
10+
import org.apache.logging.log4j.Logger;
11+
12+
import it.eng.spagobi.commons.utilities.SpagoBIUtilities;
13+
14+
public class CSPSingleton {
15+
16+
private static final Logger LOGGER = LogManager.getLogger(CSPSingleton.class);
17+
18+
private static CSPSingleton instance;
19+
private String cspPolicy;
20+
private static final String FILE_CSP = "security-policy.csp";
21+
22+
private CSPSingleton() {
23+
24+
String cspFilePath = SpagoBIUtilities.getRootResourcePath() + File.separator + FILE_CSP;
25+
File cspFile = new File(cspFilePath);
26+
if (!cspFile.exists()) {
27+
cspPolicy = null;
28+
LOGGER.warn("File " + FILE_CSP + " not found");
29+
} else {
30+
try {
31+
cspPolicy = new String(Files.readAllBytes(Paths.get(cspFilePath)), StandardCharsets.UTF_8);
32+
} catch (IOException e) {
33+
LOGGER.warn("File " + FILE_CSP + " error reading");
34+
}
35+
}
36+
37+
}
38+
39+
public static synchronized CSPSingleton getInstance() {
40+
if (instance == null) {
41+
instance = new CSPSingleton();
42+
}
43+
return instance;
44+
}
45+
46+
public String getCspPolicy() {
47+
return cspPolicy;
48+
}
49+
50+
}

0 commit comments

Comments
 (0)