001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.shiro.web.filter.authz; 020 021import javax.servlet.ServletRequest; 022import javax.servlet.ServletResponse; 023import javax.servlet.http.HttpServletResponse; 024 025/** 026 * Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured 027 * server {@link #setPort(int) port} <em>and</em> the 028 * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If either condition is {@code false}, 029 * the filter chain will not continue. 030 * <p/> 031 * The {@link #getPort() port} property defaults to {@code 443} and also additionally guarantees that the 032 * request scheme is always 'https' (except for port 80, which retains the 'http' scheme). 033 * <p/> 034 * In addition the filter allows enabling HTTP Strict Transport Security (HSTS). 035 * This feature is opt-in and disabled by default. If enabled HSTS 036 * will prevent <b>any</b> communications from being sent over HTTP to the 037 * specified domain and will instead send all communications over HTTPS. 038 * </p> 039 * The {@link #getMaxAge() maxAge} property defaults {@code 31536000}, and 040 * {@link #isIncludeSubDomains includeSubDomains} is {@code false}. 041 * </p> 042 * <b>Warning:</b> Use this setting with care and only if you plan to enable 043 * SSL on every path. 044 * </p> 045 * Example configs: 046 * <pre> 047 * [urls] 048 * /secure/path/** = ssl 049 * </pre> 050 * with HSTS enabled 051 * <pre> 052 * [main] 053 * ssl.hsts.enabled = true 054 * [urls] 055 * /** = ssl 056 * </pre> 057 * @since 1.0 058 * @see <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security (HSTS)</a> 059 */ 060public class SslFilter extends PortFilter { 061 062 public static final int DEFAULT_HTTPS_PORT = 443; 063 public static final String HTTPS_SCHEME = "https"; 064 065 private HSTS hsts; 066 067 public SslFilter() { 068 setPort(DEFAULT_HTTPS_PORT); 069 this.hsts = new HSTS(); 070 } 071 072 public HSTS getHsts() { 073 return hsts; 074 } 075 076 public void setHsts(HSTS hsts) { 077 this.hsts = hsts; 078 } 079 080 @Override 081 protected String getScheme(String requestScheme, int port) { 082 if (port == DEFAULT_HTTP_PORT) { 083 return PortFilter.HTTP_SCHEME; 084 } else { 085 return HTTPS_SCHEME; 086 } 087 } 088 089 /** 090 * Retains the parent method's port-matching behavior but additionally guarantees that the 091 *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If the port does not match or 092 * the request is not secure, access is denied. 093 * 094 * @param request the incoming {@code ServletRequest} 095 * @param response the outgoing {@code ServletResponse} - ignored in this implementation 096 * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation. 097 * @return {@code true} if the request is received on an expected SSL port and the 098 * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}, {@code false} otherwise. 099 * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception. 100 * @since 1.2 101 */ 102 @Override 103 protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { 104 return super.isAccessAllowed(request, response, mappedValue) && request.isSecure(); 105 } 106 107 /** 108 * If HTTP Strict Transport Security (HSTS) is enabled the HTTP header 109 * will be written, otherwise this method does nothing. 110 * @param request the incoming {@code ServletRequest} 111 * @param response the outgoing {@code ServletResponse} 112 */ 113 @Override 114 protected void postHandle(ServletRequest request, ServletResponse response) { 115 if (hsts.isEnabled()) { 116 StringBuilder directives = new StringBuilder(64) 117 .append("max-age=").append(hsts.getMaxAge()); 118 119 if (hsts.isIncludeSubDomains()) { 120 directives.append("; includeSubDomains"); 121 } 122 123 HttpServletResponse resp = (HttpServletResponse) response; 124 resp.addHeader(HSTS.HTTP_HEADER, directives.toString()); 125 } 126 } 127 128 /** 129 * Helper class for HTTP Strict Transport Security (HSTS) 130 */ 131 public class HSTS { 132 133 public static final String HTTP_HEADER = "Strict-Transport-Security"; 134 135 public static final boolean DEFAULT_ENABLED = false; 136 public static final int DEFAULT_MAX_AGE = 31536000; // approx. one year in seconds 137 public static final boolean DEFAULT_INCLUDE_SUB_DOMAINS = false; 138 139 private boolean enabled; 140 private int maxAge; 141 private boolean includeSubDomains; 142 143 public HSTS() { 144 this.enabled = DEFAULT_ENABLED; 145 this.maxAge = DEFAULT_MAX_AGE; 146 this.includeSubDomains = DEFAULT_INCLUDE_SUB_DOMAINS; 147 } 148 149 public boolean isEnabled() { 150 return enabled; 151 } 152 153 public void setEnabled(boolean enabled) { 154 this.enabled = enabled; 155 } 156 157 public int getMaxAge() { 158 return maxAge; 159 } 160 161 public void setMaxAge(int maxAge) { 162 this.maxAge = maxAge; 163 } 164 165 public boolean isIncludeSubDomains() { 166 return includeSubDomains; 167 } 168 169 public void setIncludeSubDomains(boolean includeSubDomains) { 170 this.includeSubDomains = includeSubDomains; 171 } 172 } 173}