Author: markt
Date: Fri Mar 10 13:59:18 2017
New Revision: 1786341

URL: http://svn.apache.org/viewvc?rev=1786341&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=54618
Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter.

Modified:
    tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
    tomcat/trunk/webapps/docs/changelog.xml
    tomcat/trunk/webapps/docs/config/filter.xml

Modified: 
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1786341&r1=1786340&r2=1786341&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java 
Fri Mar 10 13:59:18 2017
@@ -43,6 +43,7 @@ public class HttpHeaderSecurityFilter ex
     private boolean hstsEnabled = true;
     private int hstsMaxAgeSeconds = 0;
     private boolean hstsIncludeSubDomains = false;
+    private boolean hstsPreload = false;
     private String hstsHeaderValue;
 
     // Click-jacking protection
@@ -72,6 +73,9 @@ public class HttpHeaderSecurityFilter ex
         if (hstsIncludeSubDomains) {
             hstsValue.append(";includeSubDomains");
         }
+        if (hstsPreload) {
+            hstsValue.append(";preload");
+        }
         hstsHeaderValue = hstsValue.toString();
 
         // Anti click-jacking
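Review bot: The new `;preload` directive is appended unconditionally, so a configuration with `hstsPreload="true"` and the default `hstsMaxAgeSeconds` of 0 (or without `hstsIncludeSubDomains`) will emit a header that browsers treat as a removal or that the preload list will reject, with no indication to the administrator. Since this block already knows all three HSTS settings, it would be worth logging a warning (or rejecting the configuration) when `hstsPreload` is set while `hstsIncludeSubDomains` is false or `hstsMaxAgeSeconds` is below the minimum the preload list requires, and adding a comment above the new `if` such as `// preload is only meaningful together with includeSubDomains and a long max-age; see hstspreload.org`. The enclosing method (presumably `init`) starts outside this hunk, so the exact place for the check is not visible here.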
@@ -169,19 +173,26 @@ public class HttpHeaderSecurityFilter ex
     }
 
 
+    public boolean isHstsPreload() {
+        return hstsPreload;
+    }
+
+
+    public void setHstsPreload(boolean hstsPreload) {
+        this.hstsPreload = hstsPreload;
+    }
+
 
     public boolean isAntiClickJackingEnabled() {
         return antiClickJackingEnabled;
     }
 
 
-
     public void setAntiClickJackingEnabled(boolean antiClickJackingEnabled) {
         this.antiClickJackingEnabled = antiClickJackingEnabled;
     }
 
 
-
     public String getAntiClickJackingOption() {
         return antiClickJackingOption.toString();
     }
@@ -199,7 +210,6 @@ public class HttpHeaderSecurityFilter ex
     }
 
 
-
     public String getAntiClickJackingUri() {
         return antiClickJackingUri.toString();
     }
@@ -226,14 +236,17 @@ public class HttpHeaderSecurityFilter ex
         this.antiClickJackingUri = uri;
     }
 
+
     public boolean isXssProtectionEnabled() {
         return xssProtectionEnabled;
     }
 
+
     public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
         this.xssProtectionEnabled = xssProtectionEnabled;
     }
 
+
     private static enum XFrameOption {
         DENY("DENY"),
         SAME_ORIGIN("SAMEORIGIN"),

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1786341&r1=1786340&r2=1786341&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 10 13:59:18 2017
@@ -45,6 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M19 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <add>
+        <bug>54618</bug>: Add support to the
+        <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter.
+        (markt)
+      </add>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <fix>

Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1786341&r1=1786340&r2=1786341&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Fri Mar 10 13:59:18 2017
@@ -899,6 +899,13 @@ FINE: Request "/docs/config/manager.html
         be used.</p>
       </attribute>
 
+      <attribute name="hstsPreload" required="false">
+        <p>Should the preload parameter be included in the HSTS header. If not
+        specified, the default value of <code>false</code> will be used. See
+        <a href="https://hstspreload.org/";>https://hstspreload.org</a> for
+        important information about this parameter.</p>
+      </attribute>
+
       <attribute name="antiClickJackingEnabled" required="false">
         <p>Should the anti click-jacking header (<code>X-Frame-Options</code>)
         be set on the response. Any anti click-jacking header already present


