Merge pull request #20260 from arturdzm/openapi-ui-sec-headers

Add security headers filter to OpenAPI UI

Author: arturdzm

dev/com.ibm.ws.microprofile.openapi.ui/bnd.bnd

@@ -9,6 +9,9 @@ Web-ContextPath: /openapi/ui
 
 IBM-Authorization-Roles: com.ibm.ws.management
 
+Import-Package: \
+  com.ibm.ws.microprofile.openapi.servlet.filter
+
 Include-Resource: \
   WEB-INF=resources/WEB-INF, \
   ../com.ibm.ws.openapi.ui/swagger-ui/dist;filter:=!(*.html|*.map), \

dev/com.ibm.ws.microprofile.openapi.ui/resources/WEB-INF/web.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  Copyright (c) 2017 IBM Corporation and others.
+  Copyright (c) 2017, 2022 IBM Corporation and others.
   All rights reserved. This program and the accompanying materials
   are made available under the terms of the Eclipse Public License v1.0
   which accompanies this distribution, and is available at
@@ -18,5 +18,13 @@
   <welcome-file-list>
     <welcome-file>index.html</welcome-file>
   </welcome-file-list>
+  <filter>
+    <filter-name>headers-filter</filter-name>
+    <filter-class>com.ibm.ws.microprofile.openapi.servlet.filter.OpenAPIUIFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>headers-filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
 
 </web-app>

dev/com.ibm.ws.microprofile.openapi/bnd.bnd

@@ -39,7 +39,8 @@ Export-Package: \
 	com.ibm.ws.microprofile.openapi.impl.core.*,\
 	com.ibm.ws.microprofile.openapi.impl.jaxrs2.*,\
 	com.ibm.ws.microprofile.openapi.impl.parser.*,\
-	com.ibm.ws.microprofile.openapi.impl.validation
+	com.ibm.ws.microprofile.openapi.impl.validation, \
+	com.ibm.ws.microprofile.openapi.servlet.filter
 
 Include-Resource: \
     WEB-INF=resources/WEB-INF, \

dev/com.ibm.ws.microprofile.openapi/src/com/ibm/ws/microprofile/openapi/servlet/filter/OpenAPIUIFilter.java

@@ -0,0 +1,50 @@
+/*******************************************************************************
+ * Copyright (c) 2022 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *     IBM Corporation - initial API and implementation
+ *******************************************************************************/
+/**
+ * @version 1.0
+ */
+package com.ibm.ws.microprofile.openapi.servlet.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;  
+
+public class OpenAPIUIFilter implements Filter {
+        /**
+     * Filters out specific requests and takes the appropriate action for each
+     * 
+     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
+     */
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
+       
+        if (resp instanceof HttpServletResponse) {
+            HttpServletResponse httpServletResp = (HttpServletResponse) resp;
+            httpServletResp.setHeader("X-Frame-Options", "DENY");
+            httpServletResp.setHeader("X-Content-Type-Options", "nosniff");
+            chain.doFilter(req, resp);
+        } else {
+            chain.doFilter(req, resp);
+        }
+    }
+
+    @Override
+    public void destroy() {}
+
+    @Override
+    public void init(FilterConfig arg0) throws ServletException {}  
+}

dev/com.ibm.ws.microprofile.openapi/src/com/ibm/ws/microprofile/openapi/servlet/filter/package-info.java

@@ -0,0 +1,18 @@
+/*******************************************************************************
+ * Copyright (c) 2022 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *     IBM Corporation - initial API and implementation
+ *******************************************************************************/
+/**
+ * @version 1.0
+ */
+@org.osgi.annotation.versioning.Version("1.0")
+@TraceOptions(traceGroup = "MPOPENAPI", messageBundle = "io.openliberty.microprofile.openapi.internal.resources.OpenAPI")
+package com.ibm.ws.microprofile.openapi.servlet.filter;
+
+import com.ibm.websphere.ras.annotation.TraceOptions;

dev/com.ibm.ws.openapi.ui.private/bnd.bnd

@@ -19,6 +19,9 @@ Web-ContextPath: @privateOpenAPIExplorerURL
 
 IBM-Authorization-Roles: com.ibm.ws.management
 
+Private-Package: \
+  com.ibm.ws.openapi.filter.*
+
 Include-Resource: \
   WEB-INF=../com.ibm.ws.openapi.ui/resources/WEB-INF, \
   WEB-INF=resources/WEB-INF, \
@@ -27,4 +30,5 @@ Include-Resource: \
   index.html=../com.ibm.ws.openapi.ui/swagger-ui/dist/openapi.html
 
 -buildpath: \
-  com.ibm.ws.openapi.ui
+  com.ibm.ws.openapi.ui, \
+  com.ibm.websphere.javaee.servlet.3.1;version=latest

dev/com.ibm.ws.openapi.ui.private/resources/WEB-INF/web.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    Copyright (c) 2017 IBM Corporation and others.
+    Copyright (c) 2017, 2022 IBM Corporation and others.
     All rights reserved. This program and the accompanying materials
     are made available under the terms of the Eclipse Public License v1.0
     which accompanies this distribution, and is available at
@@ -19,6 +19,16 @@
     <welcome-file>index.html</welcome-file>
   </welcome-file-list>
 
+
+  <filter>
+    <filter-name>headers-filter</filter-name>
+    <filter-class>com.ibm.ws.openapi.filter.OpenAPIFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>headers-filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
   <!-- SERVLET SECURITY CONFIGURATION -->
   <!-- Everything in the PrivateOpenAPIUI should be protected. -->
   <security-constraint id="SecurityConstraints_PrivateOpenAPIUI">

dev/com.ibm.ws.openapi.ui.private/src/com/ibm/ws/openapi/filter/OpenAPIFilter.java

@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * Copyright (c) 2022 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *     IBM Corporation - initial API and implementation
+ *******************************************************************************/
+/**
+ * @version 1.0
+ */
+package com.ibm.ws.openapi.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;  
+
+public class OpenAPIFilter implements Filter {
+     /**
+     * Filters out specific requests and takes the appropriate action for each
+     * 
+     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
+     */
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
+        if (resp instanceof HttpServletResponse) {
+            HttpServletResponse httpServletResp = (HttpServletResponse) resp;
+            httpServletResp.setHeader("X-Frame-Options", "DENY");
+            httpServletResp.setHeader("X-Content-Type-Options", "nosniff");
+            chain.doFilter(req, resp);
+        } else {
+            chain.doFilter(req, resp);
+        }
+    }
+
+    @Override
+    public void destroy() {}
+
+    @Override
+    public void init(FilterConfig arg0) throws ServletException {}  
+}

dev/com.ibm.ws.openapi.ui/bnd.bnd

@@ -19,8 +19,14 @@ Web-ContextPath: @publicOpenAPIExplorerURL
 
 IBM-Authorization-Roles: com.ibm.ws.management
 
+Private-Package: \
+  com.ibm.ws.openapi.filter.*
+
 Include-Resource: \
   WEB-INF=resources/WEB-INF, \
   swagger-ui/dist;filter:=!(*.html|*.map), \
   swagger-ui/dist/oauth2-redirect.html, \
   index.html=swagger-ui/dist/openapi.html
+
+-buildpath: \
+  com.ibm.websphere.javaee.servlet.3.1;version=latest 

dev/com.ibm.ws.openapi.ui/resources/WEB-INF/web.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    Copyright (c) 2017 IBM Corporation and others.
+    Copyright (c) 2017, 2022 IBM Corporation and others.
     All rights reserved. This program and the accompanying materials
     are made available under the terms of the Eclipse Public License v1.0
     which accompanies this distribution, and is available at
@@ -18,5 +18,12 @@
   <welcome-file-list>
     <welcome-file>index.html</welcome-file>
   </welcome-file-list>
-  
+  <filter>
+    <filter-name>headers-filter</filter-name>
+    <filter-class>com.ibm.ws.openapi.filter.OpenAPIFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>headers-filter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>  
 </web-app>