Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
/*
* This program and the accompanying materials are made available under the terms of the
* Eclipse Public License v2.0 which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-v20.html
*
* SPDX-License-Identifier: EPL-2.0
*
* Copyright Contributors to the Zowe Project.
*/

package org.zowe.apiml.gateway.filters;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class SecurityHeadersGlobalFilter implements GlobalFilter, Ordered {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered changing this line in WebSecurity.java (181)
.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable))
to
.frameOptions(frame -> frame.policy("DENY"))


@Override
public int getOrder() {
return -1; // High priority execution
}

@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
return chain.filter(exchange).then(Mono.fromRunnable(() -> {
exchange.getResponse().getHeaders().set("X-Frame-Options", "DENY");
exchange.getResponse().getHeaders().set("X-Content-Type-Options", "nosniff");
}));
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
/*
* This program and the accompanying materials are made available under the terms of the
* Eclipse Public License v2.0 which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-v20.html
*
* SPDX-License-Identifier: EPL-2.0
*
* Copyright Contributors to the Zowe Project.
*/

package org.zowe.apiml.gateway.filters;

import org.junit.jupiter.api.Test;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

class SecurityHeadersGlobalFilterTest {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For filters it is better to have an acceptance test as filters may interact and the result may not be always as expected.


private final SecurityHeadersGlobalFilter filter = new SecurityHeadersGlobalFilter();

@Test
void shouldAddSecurityHeadersToResponse() {
// 1. Create a mock request and exchange instance
MockServerHttpRequest request = MockServerHttpRequest.get("/apicatalog/ui/v1/index.html").build();
MockServerWebExchange exchange = MockServerWebExchange.from(request);

// 2. Mock the GatewayFilterChain to simulate a successful downstream filter execution
GatewayFilterChain filterChain = mock(GatewayFilterChain.class);
when(filterChain.filter(any(ServerWebExchange.class))).thenReturn(Mono.empty());

// 3. Execute the filter and use StepVerifier to handle the reactive lifecycle
Mono<Void> result = filter.filter(exchange, filterChain);

StepVerifier.create(result)
.verifyComplete(); // Ensures the Mono chain finishes cleanly

// 4. Assert that the headers were successfully injected into the response
HttpHeaders responseHeaders = exchange.getResponse().getHeaders();

assertEquals("DENY", responseHeaders.getFirst("X-Frame-Options"));
assertEquals("nosniff", responseHeaders.getFirst("X-Content-Type-Options"));
}
}
Loading