Merge pull request #61 from cnapagoda/headers

include dynamic security headers
wso2-attic · Mar 29, 2017 · d7e272f · d7e272f
2 parents 068d71f + 8b88f4c
commit d7e272f
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 6 deletions.
diff --git a/archetypes/uuf-application/src/main/resources/archetype-resources/src/main/app.yaml b/archetypes/uuf-application/src/main/resources/archetype-resources/src/main/app.yaml
@@ -27,4 +27,7 @@ security:
   csrfIgnoreUris: []
   xssIgnoreUris: []
   responseHeaders:
-    "X-Frame-Options": "DENY"
+     staticResources:
+      "Content-Security-Policy": "default-src 'none'; script-src 'self' ssl.google-analytics.com;"
+     pages:
+      "X-Frame-Options": "DENY"
diff --git a/plugin/src/main/java/org/wso2/carbon/uuf/maven/bean/AppConfig.java b/plugin/src/main/java/org/wso2/carbon/uuf/maven/bean/AppConfig.java
@@ -358,7 +358,7 @@ public static class SecurityConfig {
 
         private List<String> csrfIgnoreUris = Collections.emptyList();
         private List<String> xssIgnoreUris = Collections.emptyList();
-        private Map<String, String> responseHeaders = Collections.emptyMap();
+        private ResponseHeaders responseHeaders = new ResponseHeaders();
 
         /**
          * Returns the list of URI's that doesn't require CSRF protection.
@@ -437,7 +437,7 @@ public void setXssIgnoreUris(List<String> xssIgnoreUris) {
          *
          * @return HTTP response headers
          */
-        public Map<String, String> getResponseHeaders() {
+        public ResponseHeaders getResponseHeaders() {
             return responseHeaders;
         }
 
@@ -446,9 +446,54 @@ public Map<String, String> getResponseHeaders() {
          *
          * @param responseHeaders HTTP response headers to be set
          */
-        public void setResponseHeaders(Map<String, String> responseHeaders) {
-            this.responseHeaders = (responseHeaders == null) ? Collections.emptyMap() : responseHeaders;
+        public void setResponseHeaders(ResponseHeaders responseHeaders) {
+            this.responseHeaders = responseHeaders;
         }
     }
 
+    /**
+     * Bean class that represents security headers configurations in the app's config file of an UUF App.
+     *
+     * @since 1.0.0
+     */
+    public static class ResponseHeaders {
+        private Map<String, String> staticResources = Collections.emptyMap();
+        private Map<String, String> pages = Collections.emptyMap();
+
+        /**
+         * Returns HTTP response headers for static contents.
+         *
+         * @return HTTP response headers
+         */
+        public Map<String, String> getStaticResources() {
+            return staticResources;
+        }
+
+        /**
+         * Sets the HTTP response headers for static contents.
+         *
+         * @param staticResources HTTP response headers to be set
+         */
+        public void setStaticResources(Map<String, String> staticResources) {
+            this.staticResources = staticResources;
+        }
+
+        /**
+         * Returns HTTP response headers for pages.
+         *
+         * @return HTTP response headers
+         */
+        public Map<String, String> getPages() {
+            return pages;
+        }
+
+        /**
+         * Sets the HTTP response headers for pages.
+         *
+         * @param pages HTTP response headers to be set
+         */
+        public void setPages(Map<String, String> pages) {
+            this.pages = pages;
+        }
+    }
 }
diff --git a/plugin/src/test/resources/app.yaml b/plugin/src/test/resources/app.yaml
@@ -25,4 +25,7 @@ security:
   csrfIgnoreUris: []
   xssIgnoreUris: []
   responseHeaders:
-    "Some Header": "some Value"
+    staticResources:
+      "Content-Security-Policy": "default-src 'none';"
+    pages:
+      "X-Frame-Options": "DENY"