feat(security): set secure response headers and ensure custom error responses

Author: JoergSiebahn

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/SdaSecurityConfiguration.java

@@ -8,8 +8,10 @@
 package org.sdase.commons.spring.boot.web.auth;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Stream;
 import javax.servlet.http.HttpServletRequest;
+import org.sdase.commons.spring.boot.web.security.headers.SdaSecurityHeaders;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -26,6 +28,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.util.StringUtils;
 
 @EnableWebSecurity
@@ -41,6 +44,8 @@ public class SdaSecurityConfiguration {
 
   private final SdaAccessDecisionManager sdaAccessDecisionManager;
 
+  private final SdaSecurityHeaders sdaSecurityHeaders;
+
   /**
    * @param issuers Comma separated string of open id discovery key sources with required issuers.
    * @param disableAuthentication Disables all authentication
@@ -50,10 +55,12 @@ public class SdaSecurityConfiguration {
   public SdaSecurityConfiguration(
       @Value("${auth.issuers:}") String issuers,
       @Value("${auth.disable:false}") boolean disableAuthentication,
-      SdaAccessDecisionManager sdaAccessDecisionManager) {
+      SdaAccessDecisionManager sdaAccessDecisionManager,
+      Optional<SdaSecurityHeaders> sdaSecurityHeaders) {
     this.issuers = issuers;
     this.disableAuthentication = disableAuthentication;
     this.sdaAccessDecisionManager = sdaAccessDecisionManager;
+    this.sdaSecurityHeaders = sdaSecurityHeaders.orElse(List::of);
   }
 
   @Bean
@@ -82,7 +89,11 @@ private void oidcAuthentication(HttpSecurity http) throws Exception {
             authorize ->
                 authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager))
         .oauth2ResourceServer(
-            oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
+            oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver))
+        .headers(
+            configurer ->
+                configurer.addHeaderWriter(
+                    new StaticHeadersWriter(sdaSecurityHeaders.getSecurityHeaders())));
   }
 
   private AuthenticationManagerResolver<HttpServletRequest> createAuthenticationManagerResolver() {
@@ -111,7 +122,11 @@ private void noAuthentication(HttpSecurity http) throws Exception {
         .disable() // NOSONAR
         .authorizeRequests(
             authorize ->
-                authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager));
+                authorize.anyRequest().permitAll().accessDecisionManager(sdaAccessDecisionManager))
+        .headers(
+            configurer ->
+                configurer.addHeaderWriter(
+                    new StaticHeadersWriter(sdaSecurityHeaders.getSecurityHeaders())));
   }
 
   private List<String> commaSeparatedStringToList(String issuers) {

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/error/ApiExceptionHandler.java

@@ -8,6 +8,8 @@
 package org.sdase.commons.spring.boot.web.error;
 
 import javax.servlet.http.HttpServletRequest;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ControllerAdvice;
@@ -16,6 +18,7 @@
 import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
 
 @ControllerAdvice
+@Order(Ordered.HIGHEST_PRECEDENCE)
 public class ApiExceptionHandler extends ResponseEntityExceptionHandler {
 
   @ResponseBody

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/EnableSdaWebSecurity.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.context.annotation.Import;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@Import({SdaWebSecurityConfiguration.class})
+public @interface EnableSdaWebSecurity {}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/SdaWebSecurityConfiguration.java

@@ -7,6 +7,7 @@
  */
 package org.sdase.commons.spring.boot.web.security;
 
+import org.sdase.commons.spring.boot.web.security.headers.RestfulApiSecurityConfiguration;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
@@ -19,7 +20,7 @@
 @EnableWebSecurity
 @ComponentScan
 @AutoConfiguration
-@Import({SdaCorsConfigurer.class})
+@Import({RestfulApiSecurityConfiguration.class, SdaCorsConfigurer.class})
 public class SdaWebSecurityConfiguration {
   @Bean
   public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/handler/ObscuringErrorHandler.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.handler;
+
+import org.sdase.commons.spring.boot.web.error.ApiError;
+import org.springframework.core.MethodParameter;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.http.server.ServletServerHttpResponse;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
+
+/**
+ * Error handle that replaces default errors responses with custom {@link ApiError}.
+ *
+ * <p>This handler is invoked for explicitly defined error responses like {@code return
+ * ResponseEntity.status(404).build();} and is not invoked for response indirectly create by {@code
+ * throw new NotFoundException()}.
+ *
+ * <p>This handler addresses risks identified in the security guide as:
+ *
+ * <ul>
+ *   <li>"Risk: Detection of confidential components ... Removal of application related Error
+ *       messages."
+ * </ul>
+ */
+@RestControllerAdvice
+public class ObscuringErrorHandler implements ResponseBodyAdvice<Object> {
+  private static final String RESPONSE_ENTITY_TYPE = ResponseEntity.class.getName();
+  private static final String ACTUATOR_PACKAGE_NAME =
+      "org.springframework.boot.actuate.endpoint.web.servlet";
+  private static final String API_ERROR_RESPONSE_ENTITY_TYPE =
+      String.format("%s<%s>", ResponseEntity.class.getTypeName(), ApiError.class.getTypeName());
+
+  @Override
+  public boolean supports(
+      MethodParameter returnType, Class<? extends HttpMessageConverter<?>> converterType) {
+    return shouldTransformResponse(returnType);
+  }
+
+  @Override
+  public Object beforeBodyWrite(
+      Object body,
+      MethodParameter returnType,
+      MediaType selectedContentType,
+      Class<? extends HttpMessageConverter<?>> selectedConverterType,
+      ServerHttpRequest request,
+      ServerHttpResponse response) {
+    var responseStatus =
+        HttpStatus.resolve(((ServletServerHttpResponse) response).getServletResponse().getStatus());
+
+    // No replacement for `ResponseEntity.status(204).build()`
+    if (responseStatus == null || !responseStatus.isError()) {
+      return body;
+    }
+
+    // Replacement error responses with standard errors, e.g
+    // `ResponseEntity.internalServerError().body(customErrorBody)
+    var apiError = new ApiError();
+    apiError.setTitle("HTTP Error " + responseStatus.value() + " occurred.");
+    return apiError;
+  }
+
+  private boolean shouldTransformResponse(MethodParameter returnType) {
+    // No replacement for `ResponseEntity<ApiError>`
+    if (API_ERROR_RESPONSE_ENTITY_TYPE.equals(returnType.getGenericParameterType().getTypeName())) {
+      return false;
+    }
+
+    // No replacement for `ResponseEntity<MyDto>`
+    if (!RESPONSE_ENTITY_TYPE.equals(returnType.getParameterType().getTypeName())) {
+      return false;
+    }
+
+    // No replacement for `ResponseEntity<Object>` returned by spring actuator
+    return !ACTUATOR_PACKAGE_NAME.equals(
+        returnType.getExecutable().getDeclaringClass().getPackageName());
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/handler/RunTimeExceptionHandler.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.handler;
+
+import org.sdase.commons.spring.boot.web.error.ApiError;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.context.request.WebRequest;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
+
+/**
+ * This handler addresses risks identified in the security guide as:
+ *
+ * <ul>
+ *   <li>"Risk: Detection of confidential components ... Removal of application related Error
+ *       messages."
+ * </ul>
+ */
+@ControllerAdvice
+public class RunTimeExceptionHandler extends ResponseEntityExceptionHandler {
+  private static final String ERROR_MESSAGE = "An exception occurred.";
+  private static final Logger LOG = LoggerFactory.getLogger(RunTimeExceptionHandler.class);
+
+  @ExceptionHandler(value = {RuntimeException.class})
+  protected ResponseEntity<ApiError> handleRuntimeException(
+      RuntimeException ex, WebRequest request) {
+    LOG.error(ERROR_MESSAGE, ex);
+    var headers = new HttpHeaders();
+    return new ResponseEntity<>(
+        new ApiError(ERROR_MESSAGE), headers, HttpStatus.INTERNAL_SERVER_ERROR);
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/EnableFrontendSecurity.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.context.annotation.Import;
+
+/**
+ * Activates setting headers to the response that enhance the security of web applications. Usually
+ * we do not provide web content from services. But we address the risks identified in the security
+ * guide as:
+ *
+ * <ul>
+ *   <li>"Risk: Cross Site Scripting (XSS)"
+ *   <li>"Risk: Reloading content into Flash and PDFs"
+ *   <li>"Risk: Clickjacking"
+ *   <li>"Risk: Passing on visited URLs to third parties"
+ *   <li>"Risk: Interpretation of content by the browser"
+ * </ul>
+ *
+ * <p>This feature should only be enabled in services that provide frontend resources like HTML
+ * pages themselves. Services that provide REST APIs only shall not activate this feature. If not
+ * enabled, headers are set {@linkplain RestfulApiSecurityConfiguration according risks for backend
+ * service}.
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@Import({FrontendSecurityConfiguration.class})
+public @interface EnableFrontendSecurity {}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/FrontendSecurityConfiguration.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import org.springframework.context.annotation.Bean;
+
+/**
+ * This filter adds headers to the response that enhance the security of web applications. Usually
+ * we do not provide web content from services. But we address the risks identified in the security
+ * guide as:
+ *
+ * <ul>
+ *   <li>"Risk: Cross Site Scripting (XSS)"
+ *   <li>"Risk: Reloading content into Flash and PDFs"
+ *   <li>"Risk: Clickjacking"
+ *   <li>"Risk: Passing on visited URLs to third parties"
+ *   <li>"Risk: Interpretation of content by the browser"
+ * </ul>
+ *
+ * <p>This feature should only be enabled in services that provide frontend resources like HTML
+ * pages themselves. Services that provide REST APIs only shall not activate this feature. If not
+ * enabled, headers are set {@linkplain RestfulApiSecurityConfiguration according risks for backend
+ * service}.
+ */
+public class FrontendSecurityConfiguration {
+
+  public static final String FRONTEND_SECURITY_ADVICE_BEAN_NAME = "frontendHeadersAdvice";
+
+  @Bean(FRONTEND_SECURITY_ADVICE_BEAN_NAME)
+  public SdaSecurityHeaders sdaSecurityHeaders() {
+    return SdaSecurityType.FRONTEND_SECURITY::headers;
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/RestfulApiSecurityConfiguration.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * This filter adds headers to the response that enhance the security of applications that serve
+ * only REST APIs. The following risks are addressed:
+ *
+ * <ul>
+ *   <li>"Risk: Cross Site Scripting (XSS)"
+ *   <li>"Risk: Reloading content into Flash and PDFs"
+ *   <li>"Risk: Clickjacking"
+ *   <li>"Risk: Passing on visited URLs to third parties"
+ *   <li>"Risk: Interpretation of content by the browser"
+ * </ul>
+ */
+@Configuration
+public class RestfulApiSecurityConfiguration {
+  @Bean
+  @ConditionalOnMissingBean(name = FrontendSecurityConfiguration.FRONTEND_SECURITY_ADVICE_BEAN_NAME)
+  public SdaSecurityHeaders sdaSecurityHeaders() {
+    return SdaSecurityType.RESTFUL_SECURITY::headers;
+  }
+}

sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/security/headers/SdaSecurityHeaders.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2022- SDA SE Open Industry Solutions (https://www.sda.se)
+ *
+ * Use of this source code is governed by an MIT-style
+ * license that can be found in the LICENSE file or at
+ * https://opensource.org/licenses/MIT.
+ */
+package org.sdase.commons.spring.boot.web.security.headers;
+
+import java.util.List;
+import org.springframework.security.web.header.Header;
+
+public interface SdaSecurityHeaders {
+
+  List<Header> getSecurityHeaders();
+}