PageSecurityHeaderFilter.java

/*
 * Copyright (c) 2002-2025, City of Paris
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  1. Redistributions of source code must retain the above copyright notice
 *     and the following disclaimer.
 *
 *  2. Redistributions in binary form must reproduce the above copyright notice
 *     and the following disclaimer in the documentation and/or other materials
 *     provided with the distribution.
 *
 *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
 *     contributors may be used to endorse or promote products derived from
 *     this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * License 1.0
 */
package fr.paris.lutece.portal.service.filter;

import java.io.IOException;
import java.util.Collection;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import fr.paris.lutece.portal.business.securityheader.SecurityHeader;
import fr.paris.lutece.portal.business.securityheader.SecurityHeaderPageCategory;
import fr.paris.lutece.portal.business.securityheader.SecurityHeaderType;
import fr.paris.lutece.portal.service.security.SecurityService;
import fr.paris.lutece.portal.service.securityheader.SecurityHeaderService;
import fr.paris.lutece.portal.service.spring.SpringContextService;
import fr.paris.lutece.portal.service.util.AppPathService;
import fr.paris.lutece.portal.service.util.AppPropertiesService;

/**
 * Page security header filter
 * This filter is used to add security headers to the response when the requested resource is a jsp page except
 * for BO admin authenticated pages. For those pages, security headers adding is managed by AuthenticationFilter class.
 * When the request resource is a API REST endpoint, security headers adding is done in RestApiSecurityHeaderFilter class
 * 
 */
public class PageSecurityHeaderFilter implements javax.servlet.Filter
{

	private Logger _logger = LogManager.getLogger( "lutece.securityHeader" );
	private static final String PROPERTY_JSP_URL_PORTAL_LOGOUT = "mylutece.url.doLogout";
	
    /**
     * Initializes the filter
     * 
     * @param filterConfig
     *            The filter config
     * @throws ServletException
     *             If an error occured
     */
    public void init( FilterConfig filterConfig ) throws ServletException
    {

    }
    
    /**
     * Apply the filter
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     * @param filterChain
     *            The Filter Chain
     * @throws IOException
     *             If an error occured
     * @throws ServletException
     *             If an error occured
     */
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain filterChain ) throws IOException, ServletException
    {
    	HttpServletRequest req = ( HttpServletRequest ) request;
    	HttpServletResponse resp = ( HttpServletResponse )response;
        
    	addAllPagesHeaders( req, resp );
    	addFoAuthenticatedPagesHeaders( req, resp );
    	addFoLogoutPageHeaders( req, resp );
    	
        filterChain.doFilter( req, resp );
    }
    
    /**
     * Adds active security headers that must be added to all pages to the response
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     */
    private void addAllPagesHeaders( HttpServletRequest request, HttpServletResponse response )
    {
    	addActiveHeaders( request, response, SecurityHeaderType.PAGE, SecurityHeaderPageCategory.ALL );
    }
     
    /**
     * Adds active security headers that must be added to FO authenticated pages to the response
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     */
    private void addFoAuthenticatedPagesHeaders( HttpServletRequest request, HttpServletResponse response )
    {
    	if( SecurityService.getInstance( ).getRegisteredUser( request ) != null )
    	{
    		addActiveHeaders( request, response, SecurityHeaderType.PAGE, SecurityHeaderPageCategory.AUTHENTICATED_ADMIN_FRONT_OFFICE );
    	}
    }
    
    /**
     * Adds active security headers that must be added to the logout page to the response 
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     */
    private void addFoLogoutPageHeaders( HttpServletRequest request, HttpServletResponse response )
    {
    	String logoutPage = getAbsoluteUrl( request, AppPropertiesService.getProperty( PROPERTY_JSP_URL_PORTAL_LOGOUT ) );
    	if( logoutPage != null )
    	{
    		if( getRequestedUrl( request ).equals( logoutPage ) )
    		{
    			addActiveHeaders( request, response, SecurityHeaderType.PAGE, SecurityHeaderPageCategory.LOGOUT_FO );
    		}
    	}
    }
    
    /**
     * 
     * Adds active security headers of the specified type and the specified category to the response
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     * @param typePage
     *            The type of page
     * @param pageCategory
     *            The category of page (if type is equals to page)
     */
    private void addActiveHeaders( HttpServletRequest request, HttpServletResponse response, SecurityHeaderType typePage, SecurityHeaderPageCategory pageCategory )
    {
    	Collection<SecurityHeader> securityHeadersToAddList = getSecurityHeaderService( ).findActive( typePage.getCode( ), pageCategory.getCode( ) );
    	if( securityHeadersToAddList != null )
    	{
    		for( SecurityHeader securityHeader : securityHeadersToAddList )
        	{
        		response.setHeader( securityHeader.getName( ), securityHeader.getValue( ) );
        		_logger.debug( "Security header added to page {} - name : {}, value : {} ", request.getServletPath( ), securityHeader.getName( ), securityHeader.getValue( ) );
        	}
    	}   	
    }
    
    /**
     * Destroy the filter
     */
    public void destroy( )
    {
        
    }
    
    /**
     * Returns the security header service.
     * 
     * @return the security header service
     */
    private SecurityHeaderService getSecurityHeaderService( )
    {
    	return SpringContextService.getBean( "securityHeaderService" );
    }
    
    /**
     * Return the absolute representation of the requested url
     * 
     * @param request
     *            the http request (provides the base path if needed)
     * @return the requested url has a string
     *
     */
    private String getRequestedUrl( HttpServletRequest request )
    {
        return AppPathService.getBaseUrl( request ) + request.getServletPath( ).substring( 1 );
    }
    
    /**
     * Returns the absolute url corresponding to the given one, if the later was found to be relative. An url starting with "http://" is absolute. A relative
     * url should be given relatively to the webapp root.
     * 
     * @param request
     *            the http request (provides the base path if needed)
     * @param strUrl
     *            the url to transform
     * @return the corresponding absolute url
     *
     */
    private String getAbsoluteUrl( HttpServletRequest request, String strUrl )
    {
        if ( ( strUrl != null ) && !strUrl.startsWith( "http://" ) && !strUrl.startsWith( "https://" ) )
        {
            return AppPathService.getBaseUrl( request ) + strUrl;
        }

        return strUrl;
    }
}