This is an automated email from the ASF dual-hosted git repository. fpapon pushed a commit to branch 1.7.x in repository https://gitbox.apache.org/repos/asf/shiro.git
commit 434c86bd5d486710feddf79601fff35fec8e9378
Author: Björn Raupach <[email protected]>
AuthorDate: Sun Jan 15 13:02:32 2017 +0100
Added SslFilterTest Naming of variables
---
.../apache/shiro/web/filter/authz/SslFilter.java | 34 ++++++++---
.../shiro/web/filter/authz/SslFilterTest.java | 66 ++++++++++++++++++++++
2 files changed, 91 insertions(+), 9 deletions(-)
diff --git a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
index d85bb23..a5e9dde 100644
--- a/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
+++ b/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java
@@ -36,7 +36,11 @@ import javax.servlet.http.HttpServletResponse;
 * will prevent <b>any</b> communications from being sent over HTTP to the
 * specified domain and will instead send all communications over HTTPS.
 * </p>
- * <b>Warning:</b> Use this setting only if you plan to enable SSL on every path.
+ * The {@link #getMaxAge() maxAge} property defaults {@code 31536000}, and
+ * {@link #isIncludeSubDomains includeSubDomains} is {@code false}.
+ * </p>
+ * <b>Warning:</b> Use this setting with care and only if you plan to enable
+ * SSL on every path.
+ * </p>
 * Example configs:
 * <pre>
@@ -100,31 +104,44 @@ public class SslFilter extends PortFilter {
 return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
 }
+ /**
+ * If HTTP Strict Transport Security (HSTS) is enabled the HTTP header
+ * will be written, otherwise this method does nothing.
+ * @param request the incoming {@code ServletRequest}
+ * @param response the outgoing {@code ServletResponse}
+ */
 @Override
- protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {
+ protected void postHandle(ServletRequest request, ServletResponse response) {
 if (hsts.enabled) {
- StringBuilder directives = new StringBuilder(64);
- directives.append("max-age=").append(hsts.getMaxAge());
+ StringBuilder directives = new StringBuilder(64)
+ .append("max-age=").append(hsts.getMaxAge());
+
 if (hsts.includeSubDomains) {
 directives.append("; includeSubDomains");
 }
+
 HttpServletResponse resp = (HttpServletResponse) response;
- resp.addHeader("Strict-Transport-Security", directives.toString());
+ resp.addHeader(HSTS.HTTP_HEADER, directives.toString());
 }
 }
+ /**
+ * Helper class for HTTP Strict Transport Security (HSTS)
+ */
 public class HSTS {
- static final boolean DEFAULT_ENABLED = false;
- public static final int DEFAULT_EXPIRE_TIME = 31536000; // approx. one year in seconds
+ public static final boolean DEFAULT_ENABLED = false;
+ public static final int DEFAULT_MAX_AGE = 31536000; // approx. one year in seconds
 public static final boolean DEFAULT_INCLUDE_SUB_DOMAINS = false;
+ public static final String HTTP_HEADER = "Strict-Transport-Security";
+
 private boolean enabled;
 private int maxAge;
 private boolean includeSubDomains;
 public HSTS() {
- this.maxAge = DEFAULT_EXPIRE_TIME;
+ this.maxAge = DEFAULT_MAX_AGE;
 this.includeSubDomains = DEFAULT_INCLUDE_SUB_DOMAINS;
 }
@@ -151,6 +168,5 @@ public class SslFilter extends PortFilter {
 public void setIncludeSubDomains(boolean includeSubDomains) {
 this.includeSubDomains = includeSubDomains;
 }
-
 }
 }
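Review bot: `resp.addHeader(HSTS.HTTP_HEADER, directives.toString())` in postHandle appends rather than replaces, so if postHandle runs more than once for the same response (the filter mapped on two chains of one request, or a forwarded request) the response carries duplicate Strict-Transport-Security headers; RFC 6797 §8.1 has user agents honour only the first one, so `resp.setHeader(HSTS.HTTP_HEADER, directives.toString());` is the safer form. The header is also written without consulting `request.isSecure()`; browsers discard STS received over plain HTTP, so this is harmless, but a comment saying so would save the next reader a question, and if the surrounding AdviceFilter invokes postHandle after a redirecting preHandle (not visible from this hunk) the header is also emitted on the HTTP-to-HTTPS redirect. Finally `maxAge` is a bare `int` with no guard in the constructor shown here or, presumably, in `setMaxAge` outside the hunk; a negative value produces an invalid `max-age` directive and `0` silently clears the policy, so `setMaxAge` should reject negatives, e.g. `if (maxAge < 0) throw new IllegalArgumentException("maxAge must be >= 0");`.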
diff --git a/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java b/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java new file mode 100644 index 0000000..4136329 --- /dev/null +++ b/web/src/test/java/org/apache/shiro/web/filter/authz/SslFilterTest.java 
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.shiro.web.filter.authz;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.junit.Test;
+
+import static org.apache.shiro.web.filter.authz.SslFilter.HSTS.*;
+import static org.easymock.EasyMock.*;
+import static org.junit.Assert.*;
+
+public class SslFilterTest {
+
+ @Test
+ public void testDisabledByDefault() {
+ HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+ SslFilter sslFilter = new SslFilter();
+
+ sslFilter.postHandle(request, response);
+ assertNull(response.getHeader(HTTP_HEADER));
+ }
+
+ @Test
+ public void testDefaultValues() {
+ HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+// String expected = new StringBuilder()
+// .append(HTTP_HEADER)
+// .append(": ")
+// .append("max-age=")
+// .append(DEFAULT_MAX_AGE)
+// .toString();
+// expect(response.addHeader(expected, expected))
+// .andReturn(expected)
+// .anyTimes();
+ replay(response);
+//
+ SslFilter 
sslFilter = new SslFilter();
+ sslFilter.getHsts().setEnabled(true);
+
+ sslFilter.postHandle(request, response);
+
+ //assertEquals(expected, response.getHeader(HTTP_HEADER));
+ }
+
+}
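Review bot: Neither test in this file can fail as written: `testDisabledByDefault` asserts `response.getHeader(HTTP_HEADER)` on a nice mock, which returns null for any unexpected call regardless of whether `addHeader` was invoked, and `testDefaultValues` has its only assertion commented out and calls `replay(response)` with no expectations recorded, so a regression that drops the header or emits the wrong max-age passes both. Record the `addHeader` call on a strict mock with a `Capture` and assert the captured directive, as below; for the disabled case a strict `createMock` replayed with no expectations already fails on any `addHeader` call, so replacing the nice mock and adding `verify(response);` there is enough. The captured-value form needs `org.easymock.Capture` imported next to the existing static EasyMock import (`newCapture()` is EasyMock 3.4+, `new Capture<>()` on older versions — confirm the version in the pom), and the commented-out block should be deleted rather than kept.
```java
    @Test
    public void testDefaultValues() {
        HttpServletRequest request = createNiceMock(HttpServletRequest.class);
        HttpServletResponse response = createMock(HttpServletResponse.class);
        Capture<String> directive = newCapture();
        response.addHeader(eq(HTTP_HEADER), capture(directive));
        expectLastCall().once();
        replay(request, response);

        SslFilter sslFilter = new SslFilter();
        sslFilter.getHsts().setEnabled(true);
        sslFilter.postHandle(request, response);

        verify(response);
        assertEquals("max-age=" + DEFAULT_MAX_AGE, directive.getValue());
    }
```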
