20 package org.apache.myfaces.tobago.internal.util;
21
22 import org.apache.myfaces.tobago.context.TobagoContext;
23 import org.apache.myfaces.tobago.context.UserAgent;
24 import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
25 import org.apache.myfaces.tobago.internal.context.Nonce;
26 import org.apache.myfaces.tobago.portlet.PortletUtils;
27 import org.slf4j.Logger;
28 import org.slf4j.LoggerFactory;
29
30 import javax.faces.context.FacesContext;
31 import javax.portlet.MimeResponse;
32 import javax.servlet.http.HttpServletResponse;
33 import java.lang.invoke.MethodHandles;
34 import java.util.Map;
35
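/**
 * Writes the response headers Tobago depends on: cache suppression, {@code Content-Type},
 * {@code Content-Security-Policy}, {@code X-Content-Type-Options} and {@code X-Frame-Options}.
 * <p>
 * Each {@code ensure...(FacesContext)} overload looks at the raw response object behind the
 * external context: an {@link HttpServletResponse} gets the full header set, a Portlet
 * {@link MimeResponse} only what the Portlet API exposes here, and any other response type is
 * left untouched. All headers are written with {@code setHeader}, so a value already present
 * (for example one set by a servlet filter earlier in the chain) is replaced, not merged.
 */
public final class ResponseUtils {

  private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

  /** Static utility holder; never instantiated. */
  private ResponseUtils() {
  }

  /**
   * Marks the response as not cacheable, choosing the servlet or Portlet variant by response type.
   * A response that is neither is left untouched.
   *
   * @param facesContext the current faces context whose external response is inspected
   */
  public static void ensureNoCacheHeader(final FacesContext facesContext) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureNoCacheHeader((HttpServletResponse) response);
    } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      ensureNoCacheHeader((MimeResponse) response);
    }
  }

  /**
   * Writes the cache-suppression headers for HTTP/1.1 caches ({@code Cache-Control}) and for
   * HTTP/1.0 caches and proxies ({@code Pragma: no-cache}, {@code Expires} in the past).
   * <p>
   * {@code max-age} is deliberately not written as a header of its own: there is no HTTP header
   * of that name, it is a {@code Cache-Control} directive and is already part of the
   * {@code Cache-Control} value below (the earlier {@code setDateHeader("max-age", 0)} only
   * produced a meaningless extra header).
   *
   * @param response the servlet response to write to
   */
  public static void ensureNoCacheHeader(final HttpServletResponse response) {
    response.setHeader("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate");
    response.setHeader("Pragma", "no-cache");
    // Epoch date, i.e. already expired for any HTTP/1.0 cache.
    response.setDateHeader("Expires", 0);
  }

  /**
   * Portlet variant: the Portlet cache control only offers an expiration time, which is set to
   * zero (expire immediately). No {@code Cache-Control}/{@code Pragma} equivalent is written here.
   *
   * @param response the Portlet response to write to
   */
  public static void ensureNoCacheHeader(final MimeResponse response) {
    response.getCacheControl().setExpirationTime(0);
  }

  /**
   * Ensures the response carries the given {@code Content-Type}, choosing the servlet or Portlet
   * variant by response type. A response that is neither is left untouched.
   *
   * @param facesContext the current faces context whose external response is inspected
   * @param contentType  the wanted content type, e.g. {@code text/html}
   */
  public static void ensureContentTypeHeader(final FacesContext facesContext, final String contentType) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureContentTypeHeader((HttpServletResponse) response, contentType);
    } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      ensureContentTypeHeader((MimeResponse) response, contentType);
    }
  }

  /**
   * Sets {@code Content-Type} if the response has none; if it has one that differs (ignoring
   * case and whitespace) the header is overwritten and the replaced value logged at debug level.
   * <p>
   * NOTE(review): {@link HttpServletResponse#getContentType()} may carry a {@code charset}
   * parameter that {@code contentType} does not, in which case the comparison fails and the
   * header is rewritten; whether the previously set character encoding survives that rewrite is
   * container behaviour — verify before relying on it.
   *
   * @param response    the servlet response to write to
   * @param contentType the wanted content type
   */
  public static void ensureContentTypeHeader(final HttpServletResponse response, final String contentType) {
    if (!response.containsHeader("Content-Type")) {
      response.setContentType(contentType);
      return;
    }
    final String current = response.getContentType();
    if (!StringUtils.equalsIgnoreCaseAndWhitespace(current, contentType)) {
      response.setContentType(contentType);
      LOG.debug("Response already contains Header Content-Type '{}'. Overwriting with '{}'",
          current, contentType);
    }
  }

  /**
   * Portlet variant of {@link #ensureContentTypeHeader(HttpServletResponse, String)}: the Portlet
   * API has no "contains header" query, so the current content type (possibly {@code null}) is
   * compared directly and overwritten when it differs, logging the replaced value at debug level.
   *
   * @param response    the Portlet response to write to
   * @param contentType the wanted content type
   */
  public static void ensureContentTypeHeader(final MimeResponse response, final String contentType) {
    final String current = response.getContentType();
    if (!StringUtils.equalsIgnoreCaseAndWhitespace(current, contentType)) {
      response.setContentType(contentType);
      LOG.debug("Response already contains Header Content-Type '{}'. Overwriting with '{}'",
          current, contentType);
    }
  }

  /**
   * Writes the Content-Security-Policy header(s) for the configured mode.
   * <p>
   * The policy string is built from the configured directive map, one {@code "name value;"}
   * per entry, with every {@code ${nonce}} placeholder replaced by the per-request nonce from
   * {@link Nonce#getNonce(FacesContext)}. Which header name(s) are written (enforcing or
   * report-only, and any browser-specific names) is decided by the {@link UserAgent}; an empty
   * list from the user agent means no CSP header is sent at all. Only servlet responses are
   * supported; for a Portlet response a warning is logged unless the mode is {@code OFF}.
   * <p>
   * Security notes: (1) the header value is written with {@code setHeader}, so a stricter policy
   * set upstream (e.g. by a filter) is replaced by this one. (2) Directive values come from the
   * Tobago configuration, not from the request; should they ever become request- or
   * user-controlled they must be validated (no CR/LF, no stray {@code ;}) before being used as a
   * header value. (3) A nonce-based policy is only as strong as the nonce — it must be
   * unpredictable and fresh per response; this is assumed to be guaranteed by {@link Nonce}
   * (not visible here, verify).
   *
   * @param facesContext          the current faces context whose external response is inspected
   * @param contentSecurityPolicy the configured policy (mode and directive map)
   * @throws IllegalArgumentException if the policy mode is none of OFF, ON, REPORT_ONLY
   */
  public static void ensureContentSecurityPolicyHeader(
      final FacesContext facesContext, final ContentSecurityPolicy contentSecurityPolicy) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      final HttpServletResponse servletResponse = (HttpServletResponse) response;
      final UserAgent userAgent = TobagoContext.getInstance(facesContext).getUserAgent();
      final String[] cspHeaders = cspHeaderNames(userAgent, contentSecurityPolicy.getMode());
      // The nonce is resolved and the policy built even when no header name is returned, so any
      // side effect of Nonce.getNonce (presumably creating the nonce for this request) still happens.
      final String policy = buildPolicy(contentSecurityPolicy.getDirectiveMap(), Nonce.getNonce(facesContext));
      for (final String cspHeader : cspHeaders) {
        servletResponse.setHeader(cspHeader, policy);
      }
    } else if (PortletUtils.isPortletApiAvailable() && response instanceof MimeResponse) {
      if (contentSecurityPolicy.getMode() != ContentSecurityPolicy.Mode.OFF) {
        LOG.warn("CSP not implemented for Portlet!");
      }
    }
  }

  /**
   * Resolves the CSP header name(s) to write for the given mode, as reported by the user agent
   * (presumably where browser-specific header names are handled — see {@link UserAgent}).
   *
   * @param userAgent the user agent of the current request
   * @param mode      the configured CSP mode
   * @return the header names to set; empty for {@code OFF} or when the user agent reports none
   * @throws IllegalArgumentException for a mode other than OFF, ON or REPORT_ONLY
   */
  private static String[] cspHeaderNames(final UserAgent userAgent, final ContentSecurityPolicy.Mode mode) {
    switch (mode) {
      case OFF:
        return new String[0];
      case ON:
        return userAgent.getCspHeaders();
      case REPORT_ONLY:
        return userAgent.getCspReportOnlyHeaders();
      default:
        throw new IllegalArgumentException("Undefined mode: " + mode);
    }
  }

  /**
   * Serialises the directive map into one policy string, {@code "name value;"} per entry in map
   * iteration order, substituting every {@code ${nonce}} placeholder in a value with the nonce.
   * The trailing {@code ;} is legal CSP syntax.
   *
   * @param directives directive name to value, as configured
   * @param nonce      the per-request nonce substituted for {@code ${nonce}}
   * @return the serialised policy, empty for an empty map
   */
  private static String buildPolicy(final Map<String, String> directives, final String nonce) {
    final StringBuilder policy = new StringBuilder();
    for (final Map.Entry<String, String> directive : directives.entrySet()) {
      policy.append(directive.getKey())
          .append(' ')
          .append(directive.getValue().replace("${nonce}", nonce))
          .append(';');
    }
    return policy.toString();
  }

  /**
   * Sets {@code X-Content-Type-Options: nosniff} on a servlet response so browsers honour the
   * declared {@code Content-Type} instead of sniffing. Any other response type (including
   * Portlet) is left untouched.
   *
   * @param facesContext the current faces context whose external response is inspected
   */
  public static void ensureNosniffHeader(final FacesContext facesContext) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ensureNosniffHeader((HttpServletResponse) response);
    }
  }

  /**
   * Sets {@code X-Content-Type-Options: nosniff}, replacing any existing value.
   *
   * @param servletResponse the servlet response to write to
   */
  public static void ensureNosniffHeader(final HttpServletResponse servletResponse) {
    servletResponse.setHeader("X-Content-Type-Options", "nosniff");
  }

  /**
   * Sets {@code X-Frame-Options: DENY} on a servlet response, forbidding the page from being
   * framed by any origin (including its own). Any other response type is left untouched.
   * <p>
   * This is unconditional: an application that legitimately needs to be framed must not call
   * this, or must overwrite the header afterwards. Per the CSP specification, a
   * {@code frame-ancestors} directive, where present and supported, takes precedence over this
   * header.
   *
   * @param facesContext the current faces context whose external response is inspected
   */
  public static void ensureXFrameOptionsHeader(final FacesContext facesContext) {
    final Object response = facesContext.getExternalContext().getResponse();
    if (response instanceof HttpServletResponse) {
      ((HttpServletResponse) response).setHeader("X-Frame-Options", "DENY");
    }
  }
}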