in gateway-provider-security-webappsec/src/main/java/org/apache/knox/gateway/webappsec/deploy/WebAppSecContributor.java [80:182]
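/**
 * Registers the WebAppSec servlet filters for {@code resource}, one per protection that the
 * provider configuration switches on.
 * <p>
 * Nothing is contributed unless the topology's WebAppSec provider ({@code ROLE}/{@code NAME})
 * is present and enabled. Each protection is then gated on its own provider parameter, read
 * with {@link Boolean#parseBoolean(String)}: an absent, empty or misspelled value reads as
 * {@code false}, so that filter is silently left out rather than failing the deployment.
 * Filter parameters are collected by the sibling {@code provisionConfig} overloads
 * (presumably copying the prefix-matched provider params into the list — see that method)
 * and attached to the filter.
 *
 * @param context  deployment context whose topology is consulted for the WebAppSec provider
 * @param provider provider whose params supply the enable flags and the filter configuration
 * @param service  not used by this contributor; part of the contributor contract
 * @param resource resource descriptor the filters are added to
 * @param params   caller-supplied filter params, may be {@code null}; only the rate-limiting
 *                 filter appends to and reuses this list, every later filter starts fresh
 */
public void contributeFilter(DeploymentContext context,
    Provider provider,
    Service service,
    ResourceDescriptor resource,
    List<FilterParamDescriptor> params) {
  // Enablement is decided by the provider found in the topology; the flags and filter
  // config below are read from the provider passed in (presumably the same object).
  Provider webappsec = context.getTopology().getProvider(ROLE, NAME);
  if (webappsec == null || !webappsec.isEnabled()) {
    return;
  }
  // Single lookup: the previous version fetched provider.getParams() twice under two names.
  Map<String, String> providerParams = provider.getParams();
  if (params == null) {
    params = new ArrayList<>();
  }

  // Rate limiting. This is the only filter that adds to the caller's params list instead of
  // a fresh one; kept as-is because existing callers may depend on it.
  if (Boolean.parseBoolean(providerParams.get(RATE_LIMITING_ENABLED))) {
    provisionConfig(resource, providerParams, params, RATE_LIMITING_PREFIX + ".", true, false);
    addWebAppSecFilter(resource, params, RATE_LIMITING_SUFFIX, RATE_LIMITING_FILTER_CLASSNAME);
  }

  // CORS support
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(CORS_ENABLED))) {
    provisionConfig(resource, providerParams, params, "cors.");
    addWebAppSecFilter(resource, params, CORS_SUFFIX, CORS_FILTER_CLASSNAME);
  }

  // CSRF
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(CSRF_ENABLED))) {
    provisionConfig(resource, providerParams, params, "csrf.");
    addWebAppSecFilter(resource, params, CSRF_SUFFIX, CSRF_FILTER_CLASSNAME);
  }

  // X-Frame-Options - clickjacking protection
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(XFRAME_OPTIONS_ENABLED))) {
    provisionConfig(resource, providerParams, params, "xframe.");
    addWebAppSecFilter(resource, params, XFRAME_OPTIONS_SUFFIX, XFRAME_OPTIONS_FILTER_CLASSNAME);
  }

  // X-Content-Type-Options - MIME type sniffing protection
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(XCONTENT_TYPE_OPTIONS_ENABLED))) {
    provisionConfig(resource, providerParams, params, "xcontent-type.");
    addWebAppSecFilter(resource, params, XCONTENT_TYPE_OPTIONS_SUFFIX,
        XCONTENT_TYPE_OPTIONS_FILTER_CLASSNAME);
  }

  // X-XSS-Protection - browser xss protection
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(XSS_PROTECTION_ENABLED))) {
    provisionConfig(resource, providerParams, params, "xss.");
    addWebAppSecFilter(resource, params, XSS_PROTECTION_SUFFIX, XSS_PROTECTION_FILTER_CLASSNAME);
  }

  // HTTP Strict-Transport-Security
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(STRICT_TRANSPORT_ENABLED))) {
    provisionConfig(resource, providerParams, params, "strict.");
    addWebAppSecFilter(resource, params, STRICT_TRANSPORT_SUFFIX, STRICT_TRANSPORT_FILTER_CLASSNAME);
  }

  // HTTP Security Headers
  params = new ArrayList<>();
  if (Boolean.parseBoolean(providerParams.get(SECURITY_HEADER_ENABLED))) {
    provisionConfig(resource, providerParams, params, SECURITY_HEADER_PREFIX, true, false);
    addWebAppSecFilter(resource, params, SECURITY_HEADER_SUFFIX, SECURITY_HEADER_FILTER_CLASSNAME);
  }
}

/**
 * Adds one WebAppSec filter to {@code resource}: named {@code getName() + nameSuffix}, with
 * this contributor's role, the given implementation class and the given params.
 *
 * @param resource        resource descriptor the filter is added to
 * @param params          filter params already populated by {@code provisionConfig}
 * @param nameSuffix      suffix appended to the contributor name to form the filter name
 * @param filterClassName fully-qualified class name of the filter implementation
 */
private void addWebAppSecFilter(ResourceDescriptor resource,
    List<FilterParamDescriptor> params,
    String nameSuffix,
    String filterClassName) {
  resource.addFilter().name(getName() + nameSuffix)
      .role(getRole())
      .impl(filterClassName)
      .params(params);
}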