Author: markt
Date: Fri Jan  1 18:22:24 2016
New Revision: 1722526

URL: http://svn.apache.org/viewvc?rev=1722526&view=rev
Log:
Refactor the processing / simplify the code
- Only check that the response is an HTTP response once and cast once
- Check if the response is committed after we know it is an HTTP response

Modified:
    tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java

Modified: 
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1722526&r1=1722525&r2=1722526&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java 
Fri Jan  1 18:22:24 2016
@@ -88,31 +88,33 @@ public class HttpHeaderSecurityFilter ex
     public void doFilter(ServletRequest request, ServletResponse response,
             FilterChain chain) throws IOException, ServletException {
 
-        if (response.isCommitted()) {
-            throw new 
ServletException(sm.getString("httpHeaderSecurityFilter.committed"));
-        }
-
-        // HSTS
-        if (hstsEnabled && request.isSecure() && response instanceof 
HttpServletResponse) {
-            ((HttpServletResponse) response).setHeader(HSTS_HEADER_NAME, 
hstsHeaderValue);
-        }
-
-        // anti click-jacking
-        if (antiClickJackingEnabled && response instanceof 
HttpServletResponse) {
-            ((HttpServletResponse) response).setHeader(
-                    ANTI_CLICK_JACKING_HEADER_NAME, 
antiClickJackingHeaderValue);
-        }
-
-        // Block content type sniffing
-        if (blockContentTypeSniffingEnabled && response instanceof 
HttpServletResponse) {
-            ((HttpServletResponse) 
response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
-                    BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
-        }
+        if (response instanceof HttpServletResponse) {
+            HttpServletResponse httpResponse = (HttpServletResponse) response;
 
-        // cross-site scripting filter protection
-        if (xssProtectionEnabled && response instanceof HttpServletResponse) {
-            ((HttpServletResponse) 
response).setHeader(XSS_PROTECTION_HEADER_NAME,
-                    XSS_PROTECTION_HEADER_VALUE);
+            if (response.isCommitted()) {
+                throw new 
ServletException(sm.getString("httpHeaderSecurityFilter.committed"));
+            }
+
+            // HSTS
+            if (hstsEnabled && request.isSecure()) {
+                httpResponse.setHeader(HSTS_HEADER_NAME, hstsHeaderValue);
+            }
+
+            // anti click-jacking
+            if (antiClickJackingEnabled) {
+                httpResponse.setHeader(ANTI_CLICK_JACKING_HEADER_NAME, 
antiClickJackingHeaderValue);
+            }
+
+            // Block content type sniffing
+            if (blockContentTypeSniffingEnabled) {
+                httpResponse.setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+                        BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
+            }
+
+            // cross-site scripting filter protection
+            if (xssProtectionEnabled) {
+                httpResponse.setHeader(XSS_PROTECTION_HEADER_NAME, 
XSS_PROTECTION_HEADER_VALUE);
+            }
         }
 
         chain.doFilter(request, response);
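Review bot: The committed check now sits inside the instanceof block but still calls `response.isCommitted()`, while every other call in the block goes through the cast `httpResponse`; `if (httpResponse.isCommitted()) {` would keep the block consistent and make clear the check is deliberately limited to HTTP responses. Since a non-HTTP response now skips both the committed check and every header silently, a short comment above the instanceof, `// Security headers (and the committed check) only apply to HTTP responses; anything else passes through untouched`, would record that this is intended rather than an oversight. HSTS is emitted only when request.isSecure() is true, so a deployment that terminates TLS in front of Tomcat presumably needs the connector's secure flag to reflect that, or the header is never sent — worth a line in the filter's Javadoc, which is outside this hunk. doFilter's closing brace also lies outside the hunk.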


