WW-5400 Extend default configuration options for the CSP interceptor. #913
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, it was impossible to set global options for the CSP interceptor. The only options was to have every action individually implement CspSettingsAware. To fix this, we add an interceptor parameter of defaultCspSettingsClassName. Values from this class will be used in the CSP header instead of DefaultCspSettings. Users may define their own custom class which implements CspSettings, and that will be the default for all actions that do not implement the CspSettingsAware interface. It is now possible to create this custom class by simply extending DefaultCspSettings. I have fixed a spelling error in DefaultCspSettings.java -- cratePolicyFormat renamed to createPolicyFormat.
|
@lukaszlenart submitted per your request |
|
Hold off a bit, I need to check something (this is what I get for implementing my own separate solution) |
|
Ok all good. |
Comment on lines
+160
to
+162
| public void setDefaultCspSettingsClassName(String defaultCspSettingsClassName) { | ||
| this.defaultCspSettingsClassName = defaultCspSettingsClassName; | ||
| } |
There was a problem hiding this comment.
You can use Struts inject mechanism instead of using raw class and creating the instance by yourself. It's all about defining a <bean name="customCspSettings" class="..."/> and then annotating the setter with @Inject("customCspSettings").
I assume you never played with Struts @Inject, so let's leave it as is and I will change that in the next PR.
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java
Show resolved
Hide resolved
Comment on lines
+60
to
+77
| LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, action); | ||
|
|
||
| // if the defaultCspSettingsClassName is not a real class, throw an exception | ||
| try { | ||
| Class.forName(defaultCspSettingsClassName, false, Thread.currentThread().getContextClassLoader()); | ||
| } | ||
| catch (ClassNotFoundException e) { | ||
| throw new IllegalArgumentException("The defaultCspSettingsClassName must be a real class."); | ||
| } | ||
|
|
||
| // if defaultCspSettingsClassName does not implement CspSettings, throw an exception | ||
| if (!CspSettings.class.isAssignableFrom(Class.forName(defaultCspSettingsClassName))) { | ||
| throw new IllegalArgumentException("The defaultCspSettingsClassName must implement CspSettings."); | ||
| } | ||
|
|
||
| CspSettings cspSettings = (CspSettings) Class.forName(defaultCspSettingsClassName) | ||
| .getDeclaredConstructor().newInstance(); | ||
| applySettings(invocation, cspSettings); |
There was a problem hiding this comment.
I wonder if we can move this code into init() method of the interceptor as right now a new instance is created per each invocation
lukaszlenart
approved these changes
May 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, it was impossible to set global options for the CSP interceptor. The only option was to have every action individually implement CspSettingsAware.
To fix this, we add an interceptor parameter of defaultCspSettingsClassName. Values from this class will be used in the CSP header instead of DefaultCspSettings. Users may define their own custom class which implements CspSettings, and that will be the default for all actions that do not implement the CspSettingsAware interface. It is now possible to create this custom class by simply extending DefaultCspSettings.
I have fixed a spelling error in DefaultCspSettings.java -- cratePolicyFormat renamed to createPolicyFormat.
Closes WW-5400