1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.myfaces.tobago.internal.util;
21  
22  import org.apache.myfaces.tobago.context.TobagoContext;
23  import org.apache.myfaces.tobago.context.UserAgent;
24  import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
25  import org.apache.myfaces.tobago.internal.context.Nonce;
26  import org.apache.myfaces.tobago.portlet.PortletUtils;
27  import org.slf4j.Logger;
28  import org.slf4j.LoggerFactory;
29  
30  import javax.faces.context.FacesContext;
31  import javax.portlet.MimeResponse;
32  import javax.servlet.http.HttpServletResponse;
33  import java.lang.invoke.MethodHandles;
34  import java.util.Map;
35  
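/**
 * Helpers that set security- and caching-related HTTP headers on the response of the
 * current request, for servlet responses and (where supported) portlet {@link MimeResponse}s.
 *
 * <p>All writes go through {@code setHeader}, so an existing value of the same header is
 * replaced, not appended. Which headers are written is decided by the caller; this class
 * only knows how to emit them for the concrete response type it is handed.
 */
public final class ResponseUtils {

  private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

  private ResponseUtils() {
    // utils class
  }

  /**
   * Marks the response of the given context as non-cacheable, so that neither the browser
   * nor an intermediate cache stores a page that may carry user-specific content.
   * Response objects that are neither a {@link HttpServletResponse} nor a portlet
   * {@link MimeResponse} are left untouched.
   *
   * @param facesContext the current faces context whose external response is modified
   */
  public static void ensureNoCacheHeader(final FacesContext facesContext) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureNoCacheHeader((HttpServletResponse) response);
    } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      // The availability check comes first; presumably so the portlet classes are only
      // touched when the portlet API is on the classpath (TODO confirm).
      ensureNoCacheHeader((MimeResponse) response);
    }
  }

  /**
   * Writes the HTTP/1.1 and HTTP/1.0 cache-prevention headers to a servlet response,
   * replacing any values already present.
   *
   * @param response the servlet response to modify
   */
  public static void ensureNoCacheHeader(final HttpServletResponse response) {
    // HTTP/1.1 caches: "max-age=0" is a directive of this value, it is not a header of its own.
    response.setHeader("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate");
    // HTTP/1.0 caches only understand Pragma and Expires.
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", 0);
    // No separate "max-age" header is written: there is no such header field, so a
    // date-formatted "max-age" line would be ignored by every cache.
  }

  /**
   * Marks a portlet response as expired immediately.
   *
   * @param response the portlet response to modify
   */
  public static void ensureNoCacheHeader(final MimeResponse response) {
    // TODO validate this
    response.getCacheControl().setExpirationTime(0);
  }

  /**
   * Makes sure the response of the given context carries the requested content type,
   * dispatching on the concrete response type. Other response objects are left untouched.
   *
   * @param facesContext the current faces context whose external response is modified
   * @param contentType  the content type the response must have
   */
  public static void ensureContentTypeHeader(final FacesContext facesContext, final String contentType) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureContentTypeHeader((HttpServletResponse) response, contentType);
    } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      ensureContentTypeHeader((MimeResponse) response, contentType);
    }
  }

  /**
   * Sets the content type of a servlet response unless it already holds the same type
   * (compared case-insensitively and ignoring whitespace). An existing, different value is
   * overwritten and the overwrite is reported at debug level.
   *
   * @param response    the servlet response to modify
   * @param contentType the content type the response must have
   */
  public static void ensureContentTypeHeader(final HttpServletResponse response, final String contentType) {
    if (!response.containsHeader("Content-Type")) {
      response.setContentType(contentType);
      return;
    }
    final String responseContentType = response.getContentType();
    if (!StringUtils.equalsIgnoreCaseAndWhitespace(responseContentType, contentType)) {
      response.setContentType(contentType);
      // Parameterized logging: the message is only rendered when debug is enabled.
      LOG.debug("Response already contains Header Content-Type '{}'. Overwriting with '{}'",
          responseContentType, contentType);
    }
  }

  /**
   * Sets the content type of a portlet response unless it already holds the same type
   * (compared case-insensitively and ignoring whitespace). A differing value is overwritten
   * and the overwrite is reported at debug level.
   *
   * @param response    the portlet response to modify
   * @param contentType the content type the response must have
   */
  public static void ensureContentTypeHeader(final MimeResponse response, final String contentType) {
    final String responseContentType = response.getContentType();
    if (!StringUtils.equalsIgnoreCaseAndWhitespace(responseContentType, contentType)) {
      response.setContentType(contentType);
      // Note: responseContentType may be null here when no type was set yet; the message
      // still reads as an overwrite (TODO confirm whether a null check is wanted).
      LOG.debug("Response already contains Header Content-Type '{}'. Overwriting with '{}'",
          responseContentType, contentType);
    }
  }

  /**
   * Writes the Content-Security-Policy header(s) for the current request to a servlet
   * response. The header names depend on the configured mode and on the user agent
   * (enforcing vs. report-only); the value is built from the configured directive map,
   * with every {@code ${nonce}} placeholder replaced by the per-request nonce.
   * Mode {@code OFF} writes nothing. Portlet responses are not supported yet.
   *
   * @param facesContext          the current faces context whose external response is modified
   * @param contentSecurityPolicy the configured policy (mode and directives)
   * @throws IllegalArgumentException if the policy mode is unknown
   */
  public static void ensureContentSecurityPolicyHeader(
      final FacesContext facesContext, final ContentSecurityPolicy contentSecurityPolicy) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      final HttpServletResponse servletResponse = (HttpServletResponse) response;
      final UserAgent userAgent = TobagoContext.getInstance(facesContext).getUserAgent();
      final String[] cspHeaders = cspHeaderNames(contentSecurityPolicy.getMode(), userAgent);
      // The nonce is looked up regardless of mode; Nonce.getNonce may also be what creates
      // the per-request nonce used by script/style tags — TODO confirm before making it lazy.
      final String nonce = Nonce.getNonce(facesContext);
      final String policy = buildPolicy(contentSecurityPolicy, nonce);
      for (final String cspHeader : cspHeaders) {
        servletResponse.setHeader(cspHeader, policy);
      }
    } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      // TODO Portlet
      if (contentSecurityPolicy.getMode() != ContentSecurityPolicy.Mode.OFF) {
        LOG.warn("CSP not implemented for Portlet!");
      }
    }
  }

  /**
   * Resolves the header names to write for a CSP mode: none for {@code OFF}, the user
   * agent's enforcing names for {@code ON}, its report-only names for {@code REPORT_ONLY}.
   *
   * @throws IllegalArgumentException for any other mode value
   */
  private static String[] cspHeaderNames(final ContentSecurityPolicy.Mode mode, final UserAgent userAgent) {
    switch (mode) {
      case OFF:
        return new String[0];
      case ON:
        return userAgent.getCspHeaders();
      case REPORT_ONLY:
        return userAgent.getCspReportOnlyHeaders();
      default:
        throw new IllegalArgumentException("Undefined mode: " + mode);
    }
  }

  /**
   * Serializes the directive map as {@code "name value;"} entries, substituting the given
   * nonce for every literal {@code ${nonce}} in a directive value.
   */
  private static String buildPolicy(final ContentSecurityPolicy contentSecurityPolicy, final String nonce) {
    final StringBuilder builder = new StringBuilder();
    for (final Map.Entry<String, String> directive : contentSecurityPolicy.getDirectiveMap().entrySet()) {
      builder.append(directive.getKey())
          .append(' ')
          .append(directive.getValue().replace("${nonce}", nonce))
          .append(';');
    }
    return builder.toString();
  }

  /**
   * Adds {@code X-Content-Type-Options: nosniff} to the response of the given context,
   * telling browsers to honour the declared Content-Type instead of sniffing it.
   * Only servlet responses are handled.
   *
   * @param facesContext the current faces context whose external response is modified
   */
  public static void ensureNosniffHeader(final FacesContext facesContext) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureNosniffHeader((HttpServletResponse) response);
    }
  }

  /**
   * Adds {@code X-Content-Type-Options: nosniff} to a servlet response.
   *
   * @param servletResponse the servlet response to modify
   */
  public static void ensureNosniffHeader(final HttpServletResponse servletResponse) {
    servletResponse.setHeader("X-Content-Type-Options", "nosniff");
  }

  /**
   * Adds {@code X-Frame-Options: DENY} to the response of the given context, so the page
   * cannot be embedded in a frame (clickjacking mitigation). Only servlet responses are handled.
   *
   * @param facesContext the current faces context whose external response is modified
   */
  public static void ensureXFrameOptionsHeader(final FacesContext facesContext) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureXFrameOptionsHeader((HttpServletResponse) response);
    }
  }

  /**
   * Adds {@code X-Frame-Options: DENY} to a servlet response.
   *
   * @param servletResponse the servlet response to modify
   */
  public static void ensureXFrameOptionsHeader(final HttpServletResponse servletResponse) {
    servletResponse.setHeader("X-Frame-Options", "DENY");
  }
}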
158 }