fix(security): set secure response headers in any condition of SdaSecurityConfiguration

Author: JoergSiebahn

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/SdaSecurityConfiguration.java

@@ -8,8 +8,10 @@
 package org.sdase.commons.spring.boot.web.auth;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Stream;
 import javax.servlet.http.HttpServletRequest;
+import org.sdase.commons.spring.boot.web.security.headers.SdaSecurityHeaders;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -26,6 +28,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.util.StringUtils;
 
 @EnableWebSecurity
@@ -41,6 +44,8 @@ public class SdaSecurityConfiguration {
 
   private final SdaAccessDecisionManager sdaAccessDecisionManager;
 
+  private final SdaSecurityHeaders sdaSecurityHeaders;
+
   /**
    * @param issuers Comma separated string of open id discovery key sources with required issuers.
    * @param disableAuthentication Disables all authentication
@@ -50,10 +55,12 @@ public class SdaSecurityConfiguration {
   public SdaSecurityConfiguration(
       @Value("${auth.issuers:}") String issuers,
       @Value("${auth.disable:false}") boolean disableAuthentication,
-      SdaAccessDecisionManager sdaAccessDecisionManager) {
+      SdaAccessDecisionManager sdaAccessDecisionManager,
+      Optional<SdaSecurityHeaders> sdaSecurityHeaders) {
     this.issuers = issuers;
     this.disableAuthentication = disableAuthentication;
     this.sdaAccessDecisionManager = sdaAccessDecisionManager;
+    this.sdaSecurityHeaders = sdaSecurityHeaders.orElse(List::of);
   }
 
   @Bean
@@ -82,7 +89,11 @@ private void oidcAuthentication(HttpSecurity http) throws Exception {
             authorize ->
                 authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager))
         .oauth2ResourceServer(
-            oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
+            oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver))
+        .headers(
+            configurer ->
+                configurer.addHeaderWriter(
+                    new StaticHeadersWriter(sdaSecurityHeaders.getSecurityHeaders())));
   }
 
   private AuthenticationManagerResolver<HttpServletRequest> createAuthenticationManagerResolver() {
@@ -111,7 +122,11 @@ private void noAuthentication(HttpSecurity http) throws Exception {
         .disable() // NOSONAR
         .authorizeRequests(
             authorize ->
-                authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager));
+                authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager))
+        .headers(
+            configurer ->
+                configurer.addHeaderWriter(
+                    new StaticHeadersWriter(sdaSecurityHeaders.getSecurityHeaders())));
   }
 
   private List<String> commaSeparatedStringToList(String issuers) {

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/EnableFrontendSecurity.java

@@ -13,6 +13,24 @@
 import java.lang.annotation.Target;
 import org.springframework.context.annotation.Import;
 
+/**
+ * Activates setting headers to the response that enhance the security of web applications. Usually
+ * we do not provide web content from services. But we address the risks identified in the security
+ * guide as:
+ *
+ * <ul>
+ *   <li>"Risk: Cross Site Scripting (XSS)"
+ *   <li>"Risk: Reloading content into Flash and PDFs"
+ *   <li>"Risk: Clickjacking"
+ *   <li>"Risk: Passing on visited URLs to third parties"
+ *   <li>"Risk: Interpretation of content by the browser"
+ * </ul>
+ *
+ * <p>This feature should only be enabled in services that provide frontend resources like HTML
+ * pages themselves. Services that provide REST APIs only shall not activate this feature. If not
+ * enabled, headers are set {@linkplain RestfulApiSecurityConfiguration according risks for backend
+ * service}.
+ */
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
 @Import({FrontendSecurityConfiguration.class})

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/FrontendSecurityConfiguration.java

@@ -8,8 +8,6 @@
 package org.sdase.commons.spring.boot.web.security.headers;
 
 import org.springframework.context.annotation.Bean;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * This filter adds headers to the response that enhance the security of web applications. Usually
@@ -23,15 +21,18 @@
  *   <li>"Risk: Passing on visited URLs to third parties"
  *   <li>"Risk: Interpretation of content by the browser"
  * </ul>
+ *
+ * <p>This feature should only be enabled in services that provide frontend resources like HTML
+ * pages themselves. Services that provide REST APIs only shall not activate this feature. If not
+ * enabled, headers are set {@linkplain RestfulApiSecurityConfiguration according risks for backend
+ * service}.
  */
 public class FrontendSecurityConfiguration {
 
   public static final String FRONTEND_SECURITY_ADVICE_BEAN_NAME = "frontendHeadersAdvice";
 
   @Bean(FRONTEND_SECURITY_ADVICE_BEAN_NAME)
-  public SecurityFilterChain frontendHeadersAdvice(HttpSecurity http) throws Exception {
-    // add specific headers for frontends
-    http.headers(HttpHeadersAdvice::addFrontendHttpHeadersCustomizer);
-    return http.build();
+  public SdaSecurityHeaders sdaSecurityHeaders() {
+    return SdaSecurityType.FRONTEND_SECURITY::headers;
   }
 }

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/HttpHeadersAdvice.java

@@ -10,13 +10,10 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
 
 /**
- * This filter adds headers to the response that enhance the security of web applications. Usually
- * we do not provide web content from services. But we address the risks identified in the security
- * guide as:
+ * This filter adds headers to the response that enhance the security of applications that serve
+ * only REST APIs. The following risks are addressed:
  *
  * <ul>
  *   <li>"Risk: Cross Site Scripting (XSS)"
@@ -28,12 +25,9 @@
  */
 @Configuration
 public class RestfulApiSecurityConfiguration {
-
   @Bean
   @ConditionalOnMissingBean(name = FrontendSecurityConfiguration.FRONTEND_SECURITY_ADVICE_BEAN_NAME)
-  public SecurityFilterChain restfulApiHeadersAdvice(HttpSecurity http) throws Exception {
-    // define specific headers for restful apis
-    http.headers(HttpHeadersAdvice::addRestfulHttpHeadersCustomizer);
-    return http.build();
+  public SdaSecurityHeaders sdaSecurityHeaders() {
+    return SdaSecurityType.RESTFUL_SECURITY::headers;
   }
 }

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/RestfulApiSecurityConfiguration.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import java.util.List;
+import org.springframework.security.web.header.Header;
+
+public interface SdaSecurityHeaders {
+
+  List<Header> getSecurityHeaders();
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/SdaSecurityHeaders.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import static java.util.Arrays.asList;
+import static org.sdase.commons.spring.boot.web.security.headers.SdaSecurityType.Common.WEB_SECURITY_HEADERS;
+
+import java.util.List;
+import java.util.stream.Stream;
+import org.springframework.security.web.header.Header;
+
+public enum SdaSecurityType {
+  RESTFUL_SECURITY(
+      Stream.concat(
+              WEB_SECURITY_HEADERS.stream(),
+              Stream.of(
+                  new Header(
+                      "Content-Security-Policy",
+                      String.join(
+                          "; ",
+                          asList("default-src 'none'", "frame-ancestors 'none'", "sandbox")))))
+          .toList()),
+
+  FRONTEND_SECURITY(
+      Stream.concat(
+              WEB_SECURITY_HEADERS.stream(),
+              Stream.of(
+                  new Header(
+                      "Content-Security-Policy",
+                      String.join(
+                          "; ",
+                          asList(
+                              "default-src 'self'",
+                              "script-src 'self'",
+                              "img-src 'self'",
+                              "style-src 'self'",
+                              "font-src 'self'",
+                              "frame-src 'none'",
+                              "object-src 'none'")))))
+          .toList());
+
+  private final List<Header> headers;
+
+  SdaSecurityType(List<Header> headers) {
+    this.headers = headers;
+  }
+
+  public List<Header> headers() {
+    return headers;
+  }
+
+  static class Common {
+    private Common() {
+      // just to hold WEB_SECURITY_HEADERS
+    }
+
+    static final List<Header> WEB_SECURITY_HEADERS =
+        List.of(
+            new Header("X-Frame-Options", "DENY"),
+            new Header("X-Content-Type-Options", "nosniff"),
+            new Header("X-XSS-Protection", "1; mode=block"),
+            new Header("Referrer-Policy", "same-origin"),
+            new Header("X-Permitted-Cross-Domain-Policies", "none"));
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/SdaSecurityType.java

@@ -35,18 +35,32 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.ContextConfiguration;
 
-/** This test class depends on the {@code @EnableFrontendSecurity} annotation being present. */
-@EnableFrontendSecurity
 @SpringBootTest(
     classes = SecurityTestApp.class,
     webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
 @ContextConfiguration(initializers = DisableSdaAuthInitializer.class)
-class FrontendSecurityHeadersTest {
+abstract class AbstractSecurityHeadersTest {
   @LocalServerPort private int port;
 
   @Autowired private TestRestTemplate client;
 
-  static Stream<Arguments> predefinedSecurityHeaders() {
+  static Stream<Arguments> predefinedRestfulApiSecurityHeaders() {
+    return Stream.of(
+        // cache headers
+        of("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"),
+        of("Pragma", "no-cache"),
+        of("Expires", "0"),
+
+        // security headers
+        of("X-Frame-Options", "DENY"),
+        of("X-Content-Type-Options", "nosniff"),
+        of("X-XSS-Protection", "1; mode=block"),
+        of("Referrer-Policy", "same-origin"),
+        of("X-Permitted-Cross-Domain-Policies", "none"),
+        of("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; sandbox"));
+  }
+
+  static Stream<Arguments> predefinedFrontendSecurityHeaders() {
     return Stream.of(
         // cache headers
         of("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"),
@@ -73,10 +87,11 @@ static Stream<Arguments> predefinedSecurityHeaders() {
                     "object-src 'none'"))));
   }
 
+  protected abstract Stream<Arguments> predefinedSecurityHeaders();
+
   @ParameterizedTest
-  @MethodSource("predefinedSecurityHeaders")
-  void shouldAddFrontendSecurityHeaders(
-      String predefinedHeaderName, String expectedPredefinedHeaderValue) {
+  @MethodSource("predefinedRestfulApiSecurityHeaders")
+  void shouldAddSecurityHeaders(String predefinedHeaderName, String expectedPredefinedHeaderValue) {
 
     ResponseEntity<TestResource> actual =
         client.getForEntity(getServerBaseUrl() + "/api/resource", TestResource.class);
@@ -92,8 +107,8 @@ void shouldAddFrontendSecurityHeaders(
   }
 
   @ParameterizedTest
-  @MethodSource("predefinedSecurityHeaders")
-  void shouldAllowOverwritingFrontendSecurityHeaders(String predefinedHeaderName) {
+  @MethodSource("predefinedRestfulApiSecurityHeaders")
+  void shouldAllowOverwritingHeaders(String predefinedHeaderName) {
     // for unknown reason, X-Frame-Options can't be modified
     assumeThat(predefinedHeaderName).isNotEqualTo("X-Frame-Options");