RestApiSecurityHeaderFilter.java

/*
 * Copyright (c) 2002-2025, City of Paris
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  1. Redistributions of source code must retain the above copyright notice
 *     and the following disclaimer.
 *
 *  2. Redistributions in binary form must reproduce the above copyright notice
 *     and the following disclaimer in the documentation and/or other materials
 *     provided with the distribution.
 *
 *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
 *     contributors may be used to endorse or promote products derived from
 *     this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * License 1.0
 */
package fr.paris.lutece.portal.service.filter;

import java.io.IOException;
import java.util.Collection;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import fr.paris.lutece.portal.business.securityheader.SecurityHeader;
import fr.paris.lutece.portal.business.securityheader.SecurityHeaderType;
import fr.paris.lutece.portal.service.securityheader.SecurityHeaderService;
import fr.paris.lutece.portal.service.spring.SpringContextService;

/**
 * Rest api security header filter
 * This filter is used to add security headers to the response when the requested resource is a API REST endpoint.
 * 
 */
public class RestApiSecurityHeaderFilter implements javax.servlet.Filter
{
	private static final String BEAN_SECURITY_HEADER_SERVICE = "securityHeaderService";
	private static final String LOGGER_LUTECE_SECURITY_HEADER = "lutece.securityHeader";
    private Logger _logger = LogManager.getLogger( LOGGER_LUTECE_SECURITY_HEADER );
	
    /**
     * Initializes the filter
     * 
     * @param filterConfig
     *            The filter config
     * @throws ServletException
     *             If an error occured
     */
    public void init( FilterConfig filterConfig ) throws ServletException
    {

    }

    /**
     * Apply the filter
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     * @param filterChain
     *            The Filter Chain
     * @throws IOException
     *             If an error occured
     * @throws ServletException
     *             If an error occured
     */
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain filterChain ) throws IOException, ServletException
    {
    	HttpServletRequest req = ( HttpServletRequest ) request;
    	HttpServletResponse resp = ( HttpServletResponse )response;
        
    	addRestApiHeaders ( req, resp );
  	
        filterChain.doFilter( req, resp );
    }

    /**
     * Adds active security headers that must be added to REST API endpoints to the response
     * 
     * @param request
     *            The HTTP request
     * @param response
     *            The HTTP response
     */
    private void addRestApiHeaders( HttpServletRequest request, HttpServletResponse response )
    {
    	SecurityHeaderService securityHeaderService = SpringContextService.getBean( BEAN_SECURITY_HEADER_SERVICE );
    	Collection<SecurityHeader> securityHeadersToAddList = securityHeaderService.findActive( SecurityHeaderType.REST_API.getCode( ), null );
    	if( securityHeadersToAddList != null )
    	{
        	for( SecurityHeader securityHeader : securityHeadersToAddList )
        	{
        		response.setHeader( securityHeader.getName( ), securityHeader.getValue( ) );
        		_logger.debug( "Security header added to endpoint {} - name : {}, value : {} ", request.getServletPath(), securityHeader.getName( ), securityHeader.getValue( ) );
        	}
    	}
    }
    
    /**
     * Destroy the filter
     */
    public void destroy( )
    {
        
    }
}