
Example 1 with StaticAllowFromStrategy

use of org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy in project spring-security by spring-projects.

the class HeadersBeanDefinitionParser method parseFrameOptionsElement.

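/**
 * Parses the optional frame-options child element and, unless it is disabled, registers an
 * {@link XFrameOptionsHeaderWriter} bean definition in {@code headerWriters}.
 *
 * <p>Policy resolution as implemented here:
 * <ul>
 * <li>A missing or blank policy attribute is replaced by {@code "DENY"}.</li>
 * <li>Any policy other than ALLOW-FROM is handed to the writer as its constructor argument.</li>
 * <li>ALLOW-FROM requires exactly one of a strategy bean reference or an inline strategy
 * ({@code static}, {@code whitelist} or {@code regexp}); an inline strategy also requires a
 * non-blank {@code value}.</li>
 * </ul>
 *
 * <p>Every configuration problem is reported through the reader context. Whether parsing then
 * aborts depends on the configured problem reporter, so no branch below relies on
 * {@code error(...)} throwing: a rejected configuration adds no constructor argument at all.
 * NOTE(review): in that case the writer is presumably built with its no-arg constructor;
 * confirm that its default is the restrictive policy.
 *
 * <p>NOTE(review): ALLOW-FROM is an obsolete X-Frame-Options directive that current browsers
 * ignore, so a configuration that depends on it gives no framing protection there. The
 * maintained control is the {@code frame-ancestors} directive of Content-Security-Policy.
 *
 * @param addIfNotPresent whether a writer is registered even when no frame-options element exists
 * @param element the parent element to search for the frame-options child; may be {@code null}
 * @param parserContext the context used to report configuration errors
 */
private void parseFrameOptionsElement(boolean addIfNotPresent, Element element, ParserContext parserContext) {
    BeanDefinitionBuilder builder = BeanDefinitionBuilder.genericBeanDefinition(XFrameOptionsHeaderWriter.class);
    Element frameElt = element == null ? null : DomUtils.getChildElementByTagName(element, FRAME_OPTIONS_ELEMENT);
    if (frameElt != null) {
        String header = getAttribute(frameElt, ATT_POLICY, null);
        boolean disabled = "true".equals(getAttribute(frameElt, ATT_DISABLED, "false"));
        // Disabling the header while also naming a policy is contradictory and is reported.
        if (disabled && header != null) {
            this.attrNotAllowed(parserContext, ATT_DISABLED, ATT_POLICY, frameElt);
        }
        // No explicit policy: fall back to the most restrictive one.
        if (!StringUtils.hasText(header)) {
            header = "DENY";
        }
        if (ALLOW_FROM.equals(header)) {
            String strategyRef = getAttribute(frameElt, ATT_REF, null);
            String strategy = getAttribute(frameElt, ATT_STRATEGY, null);
            if (StringUtils.hasText(strategy) && StringUtils.hasText(strategyRef)) {
                parserContext.getReaderContext().error("Only one of 'strategy' or 'strategy-ref' can be set.", frameElt);
            } else if (strategyRef != null) {
                builder.addConstructorArgReference(strategyRef);
            } else if (strategy != null) {
                String value = getAttribute(frameElt, ATT_VALUE, null);
                if (!StringUtils.hasText(value)) {
                    // Stop here: building a strategy from a missing value would either fail
                    // with a NullPointerException or produce an empty allow list.
                    parserContext.getReaderContext().error("Strategy requires a 'value' to be set.", frameElt);
                } else if ("static".equals(strategy)) {
                    // One fixed origin, taken from configuration only.
                    try {
                        builder.addConstructorArgValue(new StaticAllowFromStrategy(new URI(value)));
                    } catch (URISyntaxException e) {
                        parserContext.getReaderContext().error("'value' attribute doesn't represent a valid URI.", frameElt, e);
                    }
                } else if ("whitelist".equals(strategy) || "regexp".equals(strategy)) {
                    BeanDefinitionBuilder allowFromStrategy;
                    if ("whitelist".equals(strategy)) {
                        allowFromStrategy = BeanDefinitionBuilder.rootBeanDefinition(WhiteListedAllowFromStrategy.class);
                        allowFromStrategy.addConstructorArgValue(StringUtils.commaDelimitedListToSet(value));
                    } else {
                        allowFromStrategy = BeanDefinitionBuilder.rootBeanDefinition(RegExpAllowFromStrategy.class);
                        allowFromStrategy.addConstructorArgValue(value);
                    }
                    // NOTE(review): these strategies presumably read the candidate origin from
                    // this request parameter, i.e. from client-controlled input. The configured
                    // list or pattern is then the only gate, so a regexp value should match the
                    // whole origin rather than a substring - confirm how the strategy applies it.
                    String fromParameter = getAttribute(frameElt, ATT_FROM_PARAMETER, "from");
                    allowFromStrategy.addPropertyValue("allowFromParameterName", fromParameter);
                    builder.addConstructorArgValue(allowFromStrategy.getBeanDefinition());
                } else {
                    // Reject unknown names instead of silently treating them as 'regexp', which
                    // would turn a typo into a pattern-based allow rule.
                    parserContext.getReaderContext().error("Unsupported 'strategy' value; expected one of 'static', 'whitelist' or 'regexp'.", frameElt);
                }
            } else {
                parserContext.getReaderContext().error("One of 'strategy' and 'strategy-ref' must be set.", frameElt);
            }
        } else {
            builder.addConstructorArgValue(header);
        }
        // An explicitly disabled element registers no writer, even when addIfNotPresent is set.
        if (disabled) {
            return;
        }
    }
    if (addIfNotPresent || frameElt != null) {
        headerWriters.add(builder.getBeanDefinition());
    }
}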
Also used : BeanDefinitionBuilder(org.springframework.beans.factory.support.BeanDefinitionBuilder) RegExpAllowFromStrategy(org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy) BeanMetadataElement(org.springframework.beans.BeanMetadataElement) Element(org.w3c.dom.Element) StaticAllowFromStrategy(org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy) URISyntaxException(java.net.URISyntaxException) URI(java.net.URI) WhiteListedAllowFromStrategy(org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy)

Example 2 with StaticAllowFromStrategy

use of org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy in project spring-security by spring-projects.

the class StaticAllowFromStrategyTests method shouldReturnUri.

/**
 * Checks that a strategy built from a fixed URI reports that same URI, in string form, as
 * the allow-from value for an empty mock request.
 */
@Test
public void shouldReturnUri() {
    final URI configuredOrigin = URI.create("http://www.test.com");
    final StaticAllowFromStrategy staticStrategy = new StaticAllowFromStrategy(configuredOrigin);

    // The request carries no parameters, so the result can only come from the configured URI.
    final MockHttpServletRequest emptyRequest = new MockHttpServletRequest();

    assertThat(staticStrategy.getAllowFromValue(emptyRequest)).isEqualTo("http://www.test.com");
}
Also used : MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) StaticAllowFromStrategy(org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy) Test(org.junit.Test)
