org.apache.struts2.interceptor.csp

Class DefaultCspSettings

java.lang.Object

org.apache.struts2.interceptor.csp.DefaultCspSettings

All Implemented Interfaces:

CspSettings

public class DefaultCspSettings
extends Object
implements CspSettings

Default implementation of CspSettings. The default policy implements strict CSP with a nonce based approach and follows the guide: https://csp.withgoogle.com/docs/index.html/ You may extend or replace this class if you wish to customize the default policy further, and use your class by setting the CspInterceptor defaultCspSettingsClassName parameter. Actions that implement the CspSettingsAware interface will ignore the defaultCspSettingsClassName parameter.

See Also:

CspSettings, CspInterceptor

Field Summary

Fields

Modifier and Type	Field and Description
protected String	cspHeader
protected String	reportTo
protected String	reportUri

Fields inherited from interface org.apache.struts2.interceptor.csp.CspSettings

BASE_URI, CSP_ENFORCE_HEADER, CSP_REPORT_HEADER, CSP_REPORT_TYPE, HTTP, HTTPS, NONCE_RANDOM_LENGTH, NONE, OBJECT_SRC, REPORT_TO, REPORT_URI, SCRIPT_SRC, STRICT_DYNAMIC

Constructor Summary

Constructors

Constructor and Description
DefaultCspSettings()

Method Summary

Modifier and Type	Method and Description
void	addCspHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Adds CSP related headers to response based on request state (e.g., if session has been created)
protected String	createPolicyFormat(javax.servlet.http.HttpServletRequest request) Deprecated. since 6.8.0, for removal
protected String	createPolicyFormat(String nonceValue)
protected String	getNonceString(javax.servlet.http.HttpServletRequest request) Deprecated. since 6.8.0, for removal
void	setEnforcingMode(boolean enforcingMode) Sets CSP headers in enforcing mode when true, and report-only when false
void	setNonceSource(String nonceSource)
void	setReportTo(String reportTo) Sets the report group where csp violation reports will be sent
void	setReportUri(String reportUri) Sets the uri where csp violation reports will be sent
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

reportUri

protected String reportUri

reportTo

protected String reportTo

cspHeader

protected String cspHeader

Constructor Detail

DefaultCspSettings

public DefaultCspSettings()

Method Detail

setNonceSource

public void setNonceSource(String nonceSource)

addCspHeaders

public void addCspHeaders(javax.servlet.http.HttpServletRequest request,
                          javax.servlet.http.HttpServletResponse response)

Description copied from interface: CspSettings

Adds CSP related headers to response based on request state (e.g., if session has been created)

Specified by:

addCspHeaders in interface CspSettings

createPolicyFormat

protected String createPolicyFormat(String nonceValue)

createPolicyFormat

@Deprecated
protected String createPolicyFormat(javax.servlet.http.HttpServletRequest request)

Deprecated. since 6.8.0, for removal

getNonceString

@Deprecated
protected String getNonceString(javax.servlet.http.HttpServletRequest request)

Deprecated. since 6.8.0, for removal

setEnforcingMode

public void setEnforcingMode(boolean enforcingMode)

Description copied from interface: CspSettings

Sets CSP headers in enforcing mode when true, and report-only when false

Specified by:

setEnforcingMode in interface CspSettings

setReportUri

public void setReportUri(String reportUri)

Description copied from interface: CspSettings

Sets the uri where csp violation reports will be sent

Specified by:

setReportUri in interface CspSettings

setReportTo

public void setReportTo(String reportTo)

Description copied from interface: CspSettings

Sets the report group where csp violation reports will be sent

Specified by:

setReportTo in interface CspSettings

toString

public String toString()

Overrides:

toString in class Object