Polish filter chain config for CSP

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>

Author: ziqin

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -280,18 +280,7 @@ public HeadersConfigurer<H> defaultsDisabled() {
 	public void configure(H http) {
 		HeaderWriterFilter headersFilter = createHeaderWriterFilter();
 		http.addFilter(headersFilter);
-		configureCspNonceGeneratingFilter(http);
-	}
-
-	private void configureCspNonceGeneratingFilter(H http) {
-		ContentSecurityPolicyHeaderWriter writer = this.contentSecurityPolicy.writer;
-		if (writer != null && writer.isNonceBased()) {
-			ContentSecurityPolicyNonceGeneratingFilter filter = new ContentSecurityPolicyNonceGeneratingFilter();
-			if (this.contentSecurityPolicy.nonceAttributeName != null) {
-				filter.setAttributeName(this.contentSecurityPolicy.nonceAttributeName);
-			}
-			http.addFilterBefore(filter, HeaderWriterFilter.class);
-		}
+		http.addFilterBefore(this.contentSecurityPolicy.getNonceGeneratingFilter(), HeaderWriterFilter.class);
 	}
 
 	/**
@@ -1047,6 +1036,14 @@ HeaderWriter getWriter() {
 			return this.writer;
 		}
 
+		ContentSecurityPolicyNonceGeneratingFilter getNonceGeneratingFilter() {
+			var filter = new ContentSecurityPolicyNonceGeneratingFilter();
+			if (this.nonceAttributeName != null) {
+				filter.setAttributeName(this.nonceAttributeName);
+			}
+			return filter;
+		}
+
 	}
 
 	public final class ReferrerPolicyConfig {

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -34,9 +34,11 @@
 import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Supplier;
+import java.util.stream.Stream;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.jspecify.annotations.Nullable;
 import reactor.core.publisher.Mono;
 import reactor.util.context.Context;
 
@@ -2460,8 +2462,6 @@ protected void configure(ServerHttpSecurity http) {
 	 */
 	public final class HeaderSpec {
 
-		private final List<ServerHttpHeadersWriter> writers;
-
 		private CacheControlServerHttpHeadersWriter cacheControl = new CacheControlServerHttpHeadersWriter();
 
 		private ContentTypeOptionsServerHttpHeadersWriter contentTypeOptions = new ContentTypeOptionsServerHttpHeadersWriter();
@@ -2476,7 +2476,7 @@ public final class HeaderSpec {
 
 		private PermissionsPolicyServerHttpHeadersWriter permissionsPolicy = new PermissionsPolicyServerHttpHeadersWriter();
 
-		private ContentSecurityPolicyServerHttpHeadersWriter contentSecurityPolicy = new ContentSecurityPolicyServerHttpHeadersWriter();
+		private ContentSecurityPolicySpec contentSecurityPolicy = new ContentSecurityPolicySpec();
 
 		private ReferrerPolicyServerHttpHeadersWriter referrerPolicy = new ReferrerPolicyServerHttpHeadersWriter();
 
@@ -2486,13 +2486,9 @@ public final class HeaderSpec {
 
 		private CrossOriginResourcePolicyServerHttpHeadersWriter crossOriginResourcePolicy = new CrossOriginResourcePolicyServerHttpHeadersWriter();
 
-		private final ContentSecurityPolicyNonceGeneratingWebFilter nonceGeneratingFilter = new ContentSecurityPolicyNonceGeneratingWebFilter();
+		private List<ServerHttpHeadersWriter> customHeadersWriters = new ArrayList<>();
 
 		private HeaderSpec() {
-			this.writers = new ArrayList<>(Arrays.asList(this.cacheControl, this.contentTypeOptions, this.hsts,
-					this.frameOptions, this.xss, this.featurePolicy, this.permissionsPolicy, this.contentSecurityPolicy,
-					this.referrerPolicy, this.crossOriginOpenerPolicy, this.crossOriginEmbedderPolicy,
-					this.crossOriginResourcePolicy));
 		}
 
 		/**
@@ -2546,7 +2542,7 @@ public HeaderSpec frameOptions(Customizer<FrameOptionsSpec> frameOptionsCustomiz
 		 */
 		public HeaderSpec writer(ServerHttpHeadersWriter serverHttpHeadersWriter) {
 			Assert.notNull(serverHttpHeadersWriter, "serverHttpHeadersWriter cannot be null");
-			this.writers.add(serverHttpHeadersWriter);
+			this.customHeadersWriters.add(serverHttpHeadersWriter);
 			return this;
 		}
 
@@ -2562,12 +2558,18 @@ public HeaderSpec hsts(Customizer<HstsSpec> hstsCustomizer) {
 		}
 
 		protected void configure(ServerHttpSecurity http) {
-			ServerHttpHeadersWriter writer = new CompositeServerHttpHeadersWriter(this.writers);
+			Stream<ServerHttpHeadersWriter> builtInWriters = Stream
+				.of(this.cacheControl, this.contentTypeOptions, this.hsts, this.frameOptions, this.xss,
+						this.featurePolicy, this.permissionsPolicy, this.contentSecurityPolicy.getWriter(),
+						this.referrerPolicy, this.crossOriginOpenerPolicy, this.crossOriginEmbedderPolicy,
+						this.crossOriginResourcePolicy)
+				.filter(Objects::nonNull);
+			ServerHttpHeadersWriter writer = new CompositeServerHttpHeadersWriter(
+					Stream.concat(builtInWriters, this.customHeadersWriters.stream()).toList());
 			HttpHeaderWriterWebFilter result = new HttpHeaderWriterWebFilter(writer);
 			http.addFilterAt(result, SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
-			if (this.contentSecurityPolicy.isNonceBased()) {
-				http.addFilterBefore(this.nonceGeneratingFilter, SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
-			}
+			http.addFilterBefore(this.contentSecurityPolicy.getNonceGeneratingFilter(),
+					SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
 		}
 
 		/**
@@ -2588,7 +2590,7 @@ public HeaderSpec xssProtection(Customizer<XssProtectionSpec> xssProtectionCusto
 		 * @return the {@link HeaderSpec} to customize
 		 */
 		public HeaderSpec contentSecurityPolicy(Customizer<ContentSecurityPolicySpec> contentSecurityPolicyCustomizer) {
-			contentSecurityPolicyCustomizer.customize(new ContentSecurityPolicySpec());
+			contentSecurityPolicyCustomizer.customize(this.contentSecurityPolicy);
 			return this;
 		}
 
@@ -2683,7 +2685,7 @@ private CacheSpec() {
 			 * @return the {@link HeaderSpec} to configure
 			 */
 			public HeaderSpec disable() {
-				HeaderSpec.this.writers.remove(HeaderSpec.this.cacheControl);
+				HeaderSpec.this.cacheControl = null;
 				return HeaderSpec.this;
 			}
 
@@ -2704,7 +2706,7 @@ private ContentTypeOptionsSpec() {
 			 * @return the {@link HeaderSpec} to configure
 			 */
 			public HeaderSpec disable() {
-				HeaderSpec.this.writers.remove(HeaderSpec.this.contentTypeOptions);
+				HeaderSpec.this.contentTypeOptions = null;
 				return HeaderSpec.this;
 			}
 
@@ -2736,7 +2738,7 @@ public HeaderSpec mode(XFrameOptionsServerHttpHeadersWriter.Mode mode) {
 			 * @return the {@link HeaderSpec} to continue configuring
 			 */
 			public HeaderSpec disable() {
-				HeaderSpec.this.writers.remove(HeaderSpec.this.frameOptions);
+				HeaderSpec.this.frameOptions = null;
 				return HeaderSpec.this;
 			}
 
@@ -2795,7 +2797,7 @@ public HstsSpec preload(boolean preload) {
 			 * @return the {@link HeaderSpec} to continue configuring
 			 */
 			public HeaderSpec disable() {
-				HeaderSpec.this.writers.remove(HeaderSpec.this.hsts);
+				HeaderSpec.this.hsts = null;
 				return HeaderSpec.this;
 			}
 
@@ -2816,7 +2818,7 @@ private XssProtectionSpec() {
 			 * @return the {@link HeaderSpec} to continue configuring
 			 */
 			public HeaderSpec disable() {
-				HeaderSpec.this.writers.remove(HeaderSpec.this.xss);
+				HeaderSpec.this.xss = null;
 				return HeaderSpec.this;
 			}
 
@@ -2844,8 +2846,14 @@ public final class ContentSecurityPolicySpec {
 
 			private static final String DEFAULT_SRC_SELF_POLICY = "default-src 'self'";
 
+			private final ContentSecurityPolicyServerHttpHeadersWriter writer = new ContentSecurityPolicyServerHttpHeadersWriter();
+
+			private @Nullable String nonceAttributeName;
+
+			private @Nullable ServerWebExchangeMatcher exchangeMatcher;
+
 			private ContentSecurityPolicySpec() {
-				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(DEFAULT_SRC_SELF_POLICY);
+				this.writer.setPolicyDirectives(DEFAULT_SRC_SELF_POLICY);
 			}
 
 			/**
@@ -2856,7 +2864,7 @@ private ContentSecurityPolicySpec() {
 			 * @return the {@link HeaderSpec} to continue configuring
 			 */
 			public HeaderSpec reportOnly(boolean reportOnly) {
-				HeaderSpec.this.contentSecurityPolicy.setReportOnly(reportOnly);
+				this.writer.setReportOnly(reportOnly);
 				return HeaderSpec.this;
 			}
 
@@ -2869,7 +2877,7 @@ public HeaderSpec reportOnly(boolean reportOnly) {
 			 * @return the {@link HeaderSpec} to continue configuring
 			 */
 			public HeaderSpec policyDirectives(String policyDirectives) {
-				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(policyDirectives);
+				this.writer.setPolicyDirectives(policyDirectives);
 				return HeaderSpec.this;
 			}
 
@@ -2884,7 +2892,8 @@ public HeaderSpec policyDirectives(String policyDirectives) {
 			 * @since 7.1
 			 */
 			public ContentSecurityPolicySpec nonceAttributeName(String nonceAttributeName) {
-				HeaderSpec.this.nonceGeneratingFilter.setAttributeName(nonceAttributeName);
+				Assert.hasLength(nonceAttributeName, "NonceAttributeName must not be null or empty");
+				this.nonceAttributeName = nonceAttributeName;
 				return this;
 			}
 
@@ -2903,11 +2912,8 @@ public ContentSecurityPolicySpec nonceAttributeName(String nonceAttributeName) {
 			 */
 			public ContentSecurityPolicySpec exchangeMatcher(ServerWebExchangeMatcher matcher) {
 				Assert.notNull(matcher, "Matcher must not be null");
-				// Replace the CSP writer in the list with a matcher-decorated writer
-				int idx = HeaderSpec.this.writers.indexOf(HeaderSpec.this.contentSecurityPolicy);
-				Assert.state(idx >= 0, "ExchangeMatcher(s) is already configured");
-				HeaderSpec.this.writers.set(idx, new ServerWebExchangeDelegatingServerHttpHeadersWriter(matcher,
-						HeaderSpec.this.contentSecurityPolicy));
+				Assert.state(this.exchangeMatcher == null, "ExchangeMatcher(s) is already configured");
+				this.exchangeMatcher = matcher;
 				return this;
 			}
 
@@ -2930,8 +2936,19 @@ public ContentSecurityPolicySpec exchangeMatchers(String... pathPatterns) {
 				return this.exchangeMatcher(ServerWebExchangeMatchers.pathMatchers(pathPatterns));
 			}
 
-			private ContentSecurityPolicySpec(String policyDirectives) {
-				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(policyDirectives);
+			ServerHttpHeadersWriter getWriter() {
+				if (this.exchangeMatcher != null) {
+					return new ServerWebExchangeDelegatingServerHttpHeadersWriter(this.exchangeMatcher, this.writer);
+				}
+				return this.writer;
+			}
+
+			ContentSecurityPolicyNonceGeneratingWebFilter getNonceGeneratingFilter() {
+				var filter = new ContentSecurityPolicyNonceGeneratingWebFilter();
+				if (this.nonceAttributeName != null) {
+					filter.setAttributeName(this.nonceAttributeName);
+				}
+				return filter;
 			}
 
 		}