1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19 package org.apache.shiro.web.filter.authz;
20
21 import javax.servlet.ServletRequest;
22 import javax.servlet.ServletResponse;
23 import javax.servlet.http.HttpServletResponse;
24
25 /**
26 * Filter which requires a request to be over SSL. Access is allowed if the request is received on the configured
27 * server {@link #setPort(int) port} <em>and</em> the
28 * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If either condition is {@code false},
29 * the filter chain will not continue.
30 * <p/>
31 * The {@link #getPort() port} property defaults to {@code 443} and also additionally guarantees that the
32 * request scheme is always 'https' (except for port 80, which retains the 'http' scheme).
33 * <p/>
34 * In addition the filter allows enabling HTTP Strict Transport Security (HSTS).
35 * This feature is opt-in and disabled by default. If enabled HSTS
36 * will prevent <b>any</b> communications from being sent over HTTP to the
37 * specified domain and will instead send all communications over HTTPS.
38 * </p>
39 * The {@link #getMaxAge() maxAge} property defaults {@code 31536000}, and
40 * {@link #isIncludeSubDomains includeSubDomains} is {@code false}.
41 * </p>
42 * <b>Warning:</b> Use this setting with care and only if you plan to enable
43 * SSL on every path.
44 * </p>
45 * Example configs:
46 * <pre>
47 * [urls]
48 * /secure/path/** = ssl
49 * </pre>
50 * with HSTS enabled
51 * <pre>
52 * [main]
53 * ssl.hsts.enabled = true
54 * [urls]
55 * /** = ssl
56 * </pre>
57 * @since 1.0
58 * @see <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security (HSTS)</a>
59 */
60 public class SslFilter extends PortFilter {
61
62 public static final int DEFAULT_HTTPS_PORT = 443;
63 public static final String HTTPS_SCHEME = "https";
64
65 private HSTS hsts;
66
67 public SslFilter() {
68 setPort(DEFAULT_HTTPS_PORT);
69 this.hsts = new HSTS();
70 }
71
72 public HSTS getHsts() {
73 return hsts;
74 }
75
76 public void setHsts(HSTS hsts) {
77 this.hsts = hsts;
78 }
79
80 @Override
81 protected String getScheme(String requestScheme, int port) {
82 if (port == DEFAULT_HTTP_PORT) {
83 return PortFilter.HTTP_SCHEME;
84 } else {
85 return HTTPS_SCHEME;
86 }
87 }
88
89 /**
90 * Retains the parent method's port-matching behavior but additionally guarantees that the
91 *{@code ServletRequest.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}. If the port does not match or
92 * the request is not secure, access is denied.
93 *
94 * @param request the incoming {@code ServletRequest}
95 * @param response the outgoing {@code ServletResponse} - ignored in this implementation
96 * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings - ignored by this implementation.
97 * @return {@code true} if the request is received on an expected SSL port and the
98 * {@code request.}{@link javax.servlet.ServletRequest#isSecure() isSecure()}, {@code false} otherwise.
99 * @throws Exception if the call to {@code super.isAccessAllowed} throws an exception.
100 * @since 1.2
101 */
102 @Override
103 protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
104 return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
105 }
106
107 /**
108 * If HTTP Strict Transport Security (HSTS) is enabled the HTTP header
109 * will be written, otherwise this method does nothing.
110 * @param request the incoming {@code ServletRequest}
111 * @param response the outgoing {@code ServletResponse}
112 */
113 @Override
114 protected void postHandle(ServletRequest request, ServletResponse response) {
115 if (hsts.isEnabled()) {
116 StringBuilder directives = new StringBuilder(64)
117 .append("max-age=").append(hsts.getMaxAge());
118
119 if (hsts.isIncludeSubDomains()) {
120 directives.append("; includeSubDomains");
121 }
122
123 HttpServletResponse resp = (HttpServletResponse) response;
124 resp.addHeader(HSTS.HTTP_HEADER, directives.toString());
125 }
126 }
127
128 /**
129 * Helper class for HTTP Strict Transport Security (HSTS)
130 */
131 public class HSTS {
132
133 public static final String HTTP_HEADER = "Strict-Transport-Security";
134
135 public static final boolean DEFAULT_ENABLED = false;
136 public static final int DEFAULT_MAX_AGE = 31536000; // approx. one year in seconds
137 public static final boolean DEFAULT_INCLUDE_SUB_DOMAINS = false;
138
139 private boolean enabled;
140 private int maxAge;
141 private boolean includeSubDomains;
142
143 public HSTS() {
144 this.enabled = DEFAULT_ENABLED;
145 this.maxAge = DEFAULT_MAX_AGE;
146 this.includeSubDomains = DEFAULT_INCLUDE_SUB_DOMAINS;
147 }
148
149 public boolean isEnabled() {
150 return enabled;
151 }
152
153 public void setEnabled(boolean enabled) {
154 this.enabled = enabled;
155 }
156
157 public int getMaxAge() {
158 return maxAge;
159 }
160
161 public void setMaxAge(int maxAge) {
162 this.maxAge = maxAge;
163 }
164
165 public boolean isIncludeSubDomains() {
166 return includeSubDomains;
167 }
168
169 public void setIncludeSubDomains(boolean includeSubDomains) {
170 this.includeSubDomains = includeSubDomains;
171 }
172 }
173 }