Skip to content

Add security headers filter to OpenAPI UI #20260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 1, 2022
Merged

Add security headers filter to OpenAPI UI #20260

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions dev/com.ibm.ws.microprofile.openapi.ui/bnd.bnd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ Web-ContextPath: /openapi/ui

IBM-Authorization-Roles: com.ibm.ws.management

Import-Package: \
com.ibm.ws.microprofile.openapi.servlet.filter

Include-Resource: \
WEB-INF=resources/WEB-INF, \
../com.ibm.ws.openapi.ui/swagger-ui/dist;filter:=!(*.html|*.map), \
Expand Down
10 changes: 9 additions & 1 deletion dev/com.ibm.ws.microprofile.openapi.ui/resources/WEB-INF/web.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017 IBM Corporation and others.
Copyright (c) 2017, 2022 IBM Corporation and others.
All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License v1.0
which accompanies this distribution, and is available at
Expand All @@ -18,5 +18,13 @@
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<filter>
<filter-name>headers-filter</filter-name>
<filter-class>com.ibm.ws.microprofile.openapi.servlet.filter.OpenAPIUIFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>headers-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

</web-app>
3 changes: 2 additions & 1 deletion dev/com.ibm.ws.microprofile.openapi/bnd.bnd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,8 @@ Export-Package: \
com.ibm.ws.microprofile.openapi.impl.core.*,\
com.ibm.ws.microprofile.openapi.impl.jaxrs2.*,\
com.ibm.ws.microprofile.openapi.impl.parser.*,\
com.ibm.ws.microprofile.openapi.impl.validation
com.ibm.ws.microprofile.openapi.impl.validation, \
com.ibm.ws.microprofile.openapi.servlet.filter

Include-Resource: \
WEB-INF=resources/WEB-INF, \
Expand Down
50 changes: 50 additions & 0 deletions ...roprofile.openapi/src/com/ibm/ws/microprofile/openapi/servlet/filter/OpenAPIUIFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
/*******************************************************************************
* Copyright (c) 2022 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
/**
* @version 1.0
*/
package com.ibm.ws.microprofile.openapi.servlet.filter;

import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class OpenAPIUIFilter implements Filter {
/**
* Filters out specific requests and takes the appropriate action for each
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {

if (resp instanceof HttpServletResponse) {
HttpServletResponse httpServletResp = (HttpServletResponse) resp;
httpServletResp.setHeader("X-Frame-Options", "DENY");
httpServletResp.setHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(req, resp);
} else {
chain.doFilter(req, resp);
}
}

@Override
public void destroy() {}

@Override
public void init(FilterConfig arg0) throws ServletException {}
}
18 changes: 18 additions & 0 deletions ...microprofile.openapi/src/com/ibm/ws/microprofile/openapi/servlet/filter/package-info.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
/*******************************************************************************
* Copyright (c) 2022 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
/**
* @version 1.0
*/
@org.osgi.annotation.versioning.Version("1.0")
@TraceOptions(traceGroup = "MPOPENAPI", messageBundle = "io.openliberty.microprofile.openapi.internal.resources.OpenAPI")
package com.ibm.ws.microprofile.openapi.servlet.filter;

import com.ibm.websphere.ras.annotation.TraceOptions;
6 changes: 5 additions & 1 deletion dev/com.ibm.ws.openapi.ui.private/bnd.bnd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ Web-ContextPath: @privateOpenAPIExplorerURL

IBM-Authorization-Roles: com.ibm.ws.management

Private-Package: \
com.ibm.ws.openapi.filter.*

Include-Resource: \
WEB-INF=../com.ibm.ws.openapi.ui/resources/WEB-INF, \
WEB-INF=resources/WEB-INF, \
Expand All @@ -27,4 +30,5 @@ Include-Resource: \
index.html=../com.ibm.ws.openapi.ui/swagger-ui/dist/openapi.html

-buildpath: \
com.ibm.ws.openapi.ui
com.ibm.ws.openapi.ui, \
com.ibm.websphere.javaee.servlet.3.1;version=latest
12 changes: 11 additions & 1 deletion dev/com.ibm.ws.openapi.ui.private/resources/WEB-INF/web.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017 IBM Corporation and others.
Copyright (c) 2017, 2022 IBM Corporation and others.
All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License v1.0
which accompanies this distribution, and is available at
Expand All @@ -19,6 +19,16 @@
<welcome-file>index.html</welcome-file>
</welcome-file-list>


<filter>
<filter-name>headers-filter</filter-name>
<filter-class>com.ibm.ws.openapi.filter.OpenAPIFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>headers-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!-- SERVLET SECURITY CONFIGURATION -->
<!-- Everything in the PrivateOpenAPIUI should be protected. -->
<security-constraint id="SecurityConstraints_PrivateOpenAPIUI">
Expand Down
49 changes: 49 additions & 0 deletions dev/com.ibm.ws.openapi.ui.private/src/com/ibm/ws/openapi/filter/OpenAPIFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
/*******************************************************************************
* Copyright (c) 2022 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
/**
* @version 1.0
*/
package com.ibm.ws.openapi.filter;

import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class OpenAPIFilter implements Filter {
/**
* Filters out specific requests and takes the appropriate action for each
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
if (resp instanceof HttpServletResponse) {
HttpServletResponse httpServletResp = (HttpServletResponse) resp;
httpServletResp.setHeader("X-Frame-Options", "DENY");
httpServletResp.setHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(req, resp);
} else {
chain.doFilter(req, resp);
}
}

@Override
public void destroy() {}

@Override
public void init(FilterConfig arg0) throws ServletException {}
}
6 changes: 6 additions & 0 deletions dev/com.ibm.ws.openapi.ui/bnd.bnd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,14 @@ Web-ContextPath: @publicOpenAPIExplorerURL

IBM-Authorization-Roles: com.ibm.ws.management

Private-Package: \
com.ibm.ws.openapi.filter.*

Include-Resource: \
WEB-INF=resources/WEB-INF, \
swagger-ui/dist;filter:=!(*.html|*.map), \
swagger-ui/dist/oauth2-redirect.html, \
index.html=swagger-ui/dist/openapi.html

-buildpath: \
com.ibm.websphere.javaee.servlet.3.1;version=latest
11 changes: 9 additions & 2 deletions dev/com.ibm.ws.openapi.ui/resources/WEB-INF/web.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2017 IBM Corporation and others.
Copyright (c) 2017, 2022 IBM Corporation and others.
All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License v1.0
which accompanies this distribution, and is available at
Expand All @@ -18,5 +18,12 @@
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>

<filter>
<filter-name>headers-filter</filter-name>
<filter-class>com.ibm.ws.openapi.filter.OpenAPIFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>headers-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
49 changes: 49 additions & 0 deletions dev/com.ibm.ws.openapi.ui/src/com/ibm/ws/openapi/filter/OpenAPIFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
/*******************************************************************************
* Copyright (c) 2022 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
/**
* @version 1.0
*/
package com.ibm.ws.openapi.filter;

import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class OpenAPIFilter implements Filter {
/**
* Filters out specific requests and takes the appropriate action for each
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
if (resp instanceof HttpServletResponse) {
HttpServletResponse httpServletResp = (HttpServletResponse) resp;
httpServletResp.setHeader("X-Frame-Options", "DENY");
httpServletResp.setHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(req, resp);
} else {
chain.doFilter(req, resp);
}
}

@Override
public void destroy() {}

@Override
public void init(FilterConfig arg0) throws ServletException {}
}
3 changes: 3 additions & 0 deletions dev/io.openliberty.microprofile.openapi.2.0.internal/bnd.bnd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ Import-Package: \
javax.xml.bind.annotation;version=!,\
*

Export-Package: \
com.ibm.ws.microprofile.openapi.servlet.filter

Private-Package: \
io.openliberty.microprofile.openapi20.internal.*

Expand Down
50 changes: 50 additions & 0 deletions ...napi.2.0.internal/src/com/ibm/ws/microprofile/openapi/servlet/filter/OpenAPIUIFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
/*******************************************************************************
* Copyright (c) 2022 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
/**
* @version 1.0
*/
package com.ibm.ws.microprofile.openapi.servlet.filter;

import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class OpenAPIUIFilter implements Filter {
/**
* Filters out specific requests and takes the appropriate action for each
*
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {

if (resp instanceof HttpServletResponse) {
HttpServletResponse httpServletResp = (HttpServletResponse) resp;
httpServletResp.setHeader("X-Frame-Options", "DENY");
httpServletResp.setHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(req, resp);
} else {
chain.doFilter(req, resp);
}
}

@Override
public void destroy() {}

@Override
public void init(FilterConfig arg0) throws ServletException {}
}
19 changes: 19 additions & 0 deletions ...openapi.2.0.internal/src/com/ibm/ws/microprofile/openapi/servlet/filter/package-info.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
/*******************************************************************************
* Copyright (c) 2022 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
@Version(Constants.OSGI_VERSION)
@TraceOptions(traceGroup = Constants.TRACE_GROUP, messageBundle = Constants.TRACE_OPENAPI)
package com.ibm.ws.microprofile.openapi.servlet.filter;

import org.osgi.annotation.versioning.Version;

import com.ibm.websphere.ras.annotation.TraceOptions;

import io.openliberty.microprofile.openapi20.internal.utils.Constants;