
Example 1 with BrowserSecurityHeaders

Use of org.keycloak.models.BrowserSecurityHeaders in the keycloak project by keycloak.

From the class DefaultSecurityHeadersProvider, method addHtmlHeaders:

private void addHtmlHeaders(MultivaluedMap<String, Object> headers) {
    // Start from the default value of every browser security header
    // (X-Frame-Options, Content-Security-Policy and the rest of the enum).
    for (BrowserSecurityHeaders header : BrowserSecurityHeaders.values()) {
        addHeader(header, headers);
    }
    // TODO This will be refactored as part of introducing a more strict CSP header
    if (options != null) {
        ContentSecurityPolicyBuilder csp = ContentSecurityPolicyBuilder.create();
        if (options.isAllowAnyFrameAncestor()) {
            // Embedding in any frame is permitted: drop both clickjacking protections,
            // the legacy X-Frame-Options header and the CSP frame-ancestors directive.
            headers.remove(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName());
            csp.frameAncestors(null);
        }
        String allowedFrameSrc = options.getAllowedFrameSrc();
        if (allowedFrameSrc != null) {
            csp.frameSrc(allowedFrameSrc);
        }
        // CONTENT_SECURITY_POLICY is the statically imported
        // BrowserSecurityHeaders.CONTENT_SECURITY_POLICY constant. The CSP is only
        // replaced while it still holds its default; an explicitly configured value is kept.
        if (CONTENT_SECURITY_POLICY.getDefaultValue().equals(headers.getFirst(CONTENT_SECURITY_POLICY.getHeaderName()))) {
            headers.putSingle(CONTENT_SECURITY_POLICY.getHeaderName(), csp.build());
        }
    }
}
Also used: ContentSecurityPolicyBuilder (org.keycloak.models.ContentSecurityPolicyBuilder), BrowserSecurityHeaders (org.keycloak.models.BrowserSecurityHeaders)

Example 2 with BrowserSecurityHeaders

Use of org.keycloak.models.BrowserSecurityHeaders in the keycloak project by keycloak.

From the class LoginTest, method testBrowserSecurityHeaders:

@Test
public void testBrowserSecurityHeaders() {
    Client client = AdminClientUtil.createResteasyClient();
    // Fetch the login form page as an unauthenticated client.
    Response response = client.target(oauth.getLoginFormUrl()).request().get();
    Assert.assertThat(response.getStatus(), is(equalTo(200)));
    // Every browser security header must carry its default value;
    // a header whose default is empty must not be sent at all.
    for (BrowserSecurityHeaders header : BrowserSecurityHeaders.values()) {
        String headerValue = response.getHeaderString(header.getHeaderName());
        String expectedValue = header.getDefaultValue();
        if (expectedValue.isEmpty()) {
            Assert.assertNull(headerValue);
        } else {
            Assert.assertNotNull(headerValue);
            Assert.assertThat(headerValue, is(equalTo(expectedValue)));
        }
    }
    response.close();
    client.close();
}
Also used: Response (javax.ws.rs.core.Response), Matchers.containsString (org.hamcrest.Matchers.containsString), OAuthClient (org.keycloak.testsuite.util.OAuthClient), Client (javax.ws.rs.client.Client), BrowserSecurityHeaders (org.keycloak.models.BrowserSecurityHeaders), Test (org.junit.Test), AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Aggregations (number of examples above using each type)

BrowserSecurityHeaders (org.keycloak.models.BrowserSecurityHeaders): 2
Client (javax.ws.rs.client.Client): 1
Response (javax.ws.rs.core.Response): 1
Matchers.containsString (org.hamcrest.Matchers.containsString): 1
Test (org.junit.Test): 1
ContentSecurityPolicyBuilder (org.keycloak.models.ContentSecurityPolicyBuilder): 1
AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest): 1
OAuthClient (org.keycloak.testsuite.util.OAuthClient): 1