update security filter to 2.0.4

e99c39fd · Misagh Moayyed · 6b8a6044 · e99c39fd · e99c39fd · e99c39fd
Commit e99c39fd authored Sep 30, 2015 by Misagh Moayyed
4 changed files
--- a/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties
@@ -230,6 +230,15 @@ tgc.signing.key=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dW
 # applying it as default response encoding as well.
 # httprequest.web.encoding.force=true

+##
+# Response Headers
+#
+# httpresponse.header.cache=false
+# httpresponse.header.hsts=false
+# httpresponse.header.xframe=false
+# httpresponse.header.xcontent=false
+# httpresponse.header.xss=false
+
 ##
 # Reports
 #
@@ -399,4 +408,4 @@ tgc.signing.key=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dW
 # cas.spnego.ntlm=false
 # cas.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
 # cas.spnego.mixed.mode.authn=false
-# cas.spnego.send.401.authn.failure=false
\ No newline at end of file
+# cas.spnego.send.401.authn.failure=false
--- a/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/filters.xml
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/filters.xml
@@ -30,6 +30,13 @@
            p:encoding="${httprequest.web.encoding:UTF-8}"
            p:forceEncoding="${httprequest.web.encoding.force:true}" />

+    <bean id="responseHeadersSecurityFilter" class="org.jasig.cas.security.ResponseHeadersEnforcementFilter"
+          p:enableCacheControl="${httpresponse.header.cache:false}"
+          p:enableStrictTransportSecurity="${httpresponse.header.hsts:false}"
+          p:enableXFrameOptions="${httpresponse.header.xframe:false}"
+          p:enableXContentTypeOptions="${httpresponse.header.xcontent:false}"
+          p:enableXSSProtection="${httpresponse.header.xss:false}" />
+
    <bean id="requestParameterSecurityFilter"
          class="org.jasig.cas.security.RequestParameterPolicyEnforcementFilter"
          p:allowMultiValueParameters="${cas.http.allow.multivalue.params:false}">

--- a/cas-server-webapp/src/main/webapp/WEB-INF/web.xml
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/web.xml
@@ -68,6 +68,15 @@
        <url-pattern>/*</url-pattern>
    </filter-mapping>

+    <filter>
+        <filter-name>responseHeadersSecurityFilter</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>responseHeadersSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

--- a/pom.xml
+++ b/pom.xml
@@ -1561,7 +1561,7 @@
        <xml.apis.version>1.4.01</xml.apis.version>
        <jstl.version>1.2</jstl.version>
        <openid4java.version>0.9.8</openid4java.version>
-        <cas-server-security-filter.version>2.0.3</cas-server-security-filter.version>
+        <cas-server-security-filter.version>2.0.4-SNAPSHOT</cas-server-security-filter.version>
        <google.guava.version>18.0</google.guava.version>
        <javax.el-api.version>3.0.0</javax.el-api.version>
        <javax.el-impl.version>2.2.6</javax.el-impl.version>