From ae80cb4c27118383a7dfc0f786648880686ed579 Mon Sep 17 00:00:00 2001
From: PauloGladson
Date: Thu, 29 Sep 2016 16:52:07 -0300
Subject: [PATCH] Segurança
---
 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cache.java | 2 +-
 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cors.java | 26 --------------------------
 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowMethods.java | 26 ++++++++++++++++++++++++++
 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowOrigin.java | 29 +++++++++++++++++++++++++++++
 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsMaxAge.java | 29 +++++++++++++++++++++++++++++
 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/filter/JaxRsFilter.java | 24 ++++++++++++++----------
 demoiselle-security/src/main/java/org/demoiselle/jee/security/filter/JaxRsFilter.java | 3 +++
 7 files changed, 102 insertions(+), 37 deletions(-)
 delete mode 100644 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cors.java
 create mode 100644 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowMethods.java
 create mode 100644 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowOrigin.java
 create mode 100644 demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsMaxAge.java
diff --git a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cache.java b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cache.java
index 453ff2b..6d9dccb 100644
--- a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cache.java
+++ b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cache.java
@@ -25,5 +25,5 @@ import javax.interceptor.InterceptorBinding;
 public @interface Cache {
 
 @Nonbinding
- String value() default "max-age=9223372036854775807";
+ String value() default "max-age=0";
 }
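Review bot: `max-age=0` does not stop caching: it only marks the response as immediately stale, and a browser or shared cache may still store it and serve it again after revalidation, so an authenticated GET annotated with a bare `@Cache` can still end up on disk. If this default is meant to be the safe one, use `String value() default "no-store";` (or `"no-cache, no-store, must-revalidate"`); if it is only meant to retire the 9223372036854775807 value, which exceeds what RFC 7234 caches honour anyway, document on `value()` that the default merely forces revalidation and that resources serving sensitive data must pass `no-store` explicitly. The filter that emits this header later in this patch does so only for GET requests, which is worth stating in the same Javadoc.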
diff --git a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cors.java b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cors.java
deleted file mode 100644
index 5b142e1..0000000
--- a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/Cors.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package org.demoiselle.jee.ws.jaxrs.annotation;
-
-import static java.lang.annotation.ElementType.METHOD;
-import static java.lang.annotation.ElementType.TYPE;
-import java.lang.annotation.Inherited;
-import java.lang.annotation.Retention;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
-import java.lang.annotation.Target;
-import javax.enterprise.util.Nonbinding;
-import javax.interceptor.InterceptorBinding;
-
-/**
- *
- * @author 70744416353
- */
-@Inherited
-@InterceptorBinding
-@Target({METHOD, TYPE})
-@Retention(RUNTIME)
-public @interface Cors {
-}
diff --git a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowMethods.java b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowMethods.java
new file mode 100644
index 0000000..364dd5f
--- /dev/null
+++ b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowMethods.java
@@ -0,0 +1,26 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.demoiselle.jee.ws.jaxrs.annotation;
+
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.TYPE;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+import java.lang.annotation.Target;
+import javax.enterprise.util.Nonbinding;
+import javax.interceptor.InterceptorBinding;
+
+/**
+ *
+ * @author 70744416353
+ */
+@Inherited
+@InterceptorBinding
+@Target({METHOD, TYPE})
+@Retention(RUNTIME)
+public @interface CorsAllowMethods {
+}
diff --git a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowOrigin.java b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowOrigin.java
new file mode 100644
index 0000000..7acea38
--- /dev/null
+++ b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsAllowOrigin.java
@@ -0,0 +1,29 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.demoiselle.jee.ws.jaxrs.annotation;
+
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.TYPE;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+import java.lang.annotation.Target;
+import javax.enterprise.util.Nonbinding;
+import javax.interceptor.InterceptorBinding;
+
+/**
+ *
+ * @author 70744416353
+ */
+@Inherited
+@InterceptorBinding
+@Target({METHOD, TYPE})
+@Retention(RUNTIME)
+public @interface CorsAllowOrigin {
+
+ @Nonbinding
+ String value() default "*";
+}
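Review bot: This annotation has no `value()` element, unlike the sibling `CorsAllowOrigin` and `CorsMaxAge` added in this patch, so a resource cannot say which methods it allows and the rest filter is left echoing the current request's method into `Access-Control-Allow-Methods`, which on a preflight is `OPTIONS`. Declare the allowed list explicitly, `@Nonbinding String value();` with no default so each annotated method states what it really exposes (the `Nonbinding` import is otherwise unused here), and have the filter emit that value. A one-line Javadoc such as `/** Comma-separated HTTP methods allowed for cross-origin calls to this resource. */` would also replace the IDE template header and the numeric `@author` tag.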
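Review bot: The `"*"` default means a bare `@CorsAllowOrigin` exposes the resource to every origin, and the rest filter in this patch copies `value()` into `Access-Control-Allow-Origin` without comparing it to the request's `Origin`, while the security filter hunk adds `Access-Control-Allow-Credentials: true` to every response. Browsers reject `*` together with credentials, so credentialed cross-origin calls will fail, and the tempting workaround — reflecting the incoming `Origin` — would let any site read authenticated responses. Prefer `@Nonbinding String value();` with no default so the origin is always chosen deliberately, or keep the default but document on `value()` that `*` cannot be combined with credentials and must never be replaced by a reflected `Origin` without an allow-list check.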
diff --git a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsMaxAge.java b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsMaxAge.java
new file mode 100644
index 0000000..d1a332c
--- /dev/null
+++ b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/annotation/CorsMaxAge.java
@@ -0,0 +1,29 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.demoiselle.jee.ws.jaxrs.annotation;
+
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.TYPE;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+import java.lang.annotation.Target;
+import javax.enterprise.util.Nonbinding;
+import javax.interceptor.InterceptorBinding;
+
+/**
+ *
+ * @author 70744416353
+ */
+@Inherited
+@InterceptorBinding
+@Target({METHOD, TYPE})
+@Retention(RUNTIME)
+public @interface CorsMaxAge {
+
+ @Nonbinding
+ String value() default "0";
+}
diff --git a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/filter/JaxRsFilter.java b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/filter/JaxRsFilter.java
index 332db06..c8cb381 100644
--- a/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/filter/JaxRsFilter.java
+++ b/demoiselle-rest/src/main/java/org/demoiselle/jee/ws/jaxrs/filter/JaxRsFilter.java
@@ -18,7 +18,8 @@ import javax.ws.rs.container.ResourceInfo;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.ext.Provider;
 import org.demoiselle.jee.ws.jaxrs.annotation.Cache;
-import org.demoiselle.jee.ws.jaxrs.annotation.Cors;
+import org.demoiselle.jee.ws.jaxrs.annotation.CorsAllowMethods;
+import org.demoiselle.jee.ws.jaxrs.annotation.CorsAllowOrigin;
 
 /**
 *
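Review bot: Nothing in this patch reads `CorsMaxAge`: the rest `JaxRsFilter` hunk that follows imports only `CorsAllowMethods` and `CorsAllowOrigin`, so `@CorsMaxAge` on a resource has no effect and no `Access-Control-Max-Age` header is ever sent. Either wire it into the filter next to the other two lookups, `CorsMaxAge maxAge = info.getResourceMethod().getAnnotation(CorsMaxAge.class); if (maxAge != null) { response.getHeaders().putSingle("Access-Control-Max-Age", maxAge.value()); }`, or drop the annotation until it is used. The element holds a number of seconds, so `long value() default 0;` would reject non-numeric values at compile time; whichever type is kept, a Javadoc line like `/** Seconds a browser may cache the preflight response; 0 means do not cache. */` should document the default.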
@@ -41,22 +42,25 @@ public class JaxRsFilter implements ContainerRequestFilter, ContainerResponseFil
 @Override
 public void filter(ContainerRequestContext requestContext, ContainerResponseContext response) {
+ response.getHeaders().putSingle("Demoiselle", "3.0.0");
+
 if (requestContext.getMethod().equals("GET")) {
 Cache max = info.getResourceMethod().getAnnotation(Cache.class);
 if (max != null) {
 response.getHeaders().putSingle("Cache-Control", max.value());
 }
 }
-
-// Cors cors = info.getResourceMethod().getAnnotation(Cors.class);
-// if (cors != null) {
-// response.getHeaders().putSingle("Cache-Control", max.value());
-// }
- response.getHeaders().putSingle("Demoiselle", "3.0.0");
- response.getHeaders().putSingle("Access-Control-Allow-Origin", "*");
- response.getHeaders().putSingle("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, DELETE");
- response.getHeaders().putSingle("Access-Control-Allow-Headers", "Content-Type");
+ CorsAllowMethods corsAllowMethods = info.getResourceMethod().getAnnotation(CorsAllowMethods.class);
+ if (corsAllowMethods != null) {
+ response.getHeaders().putSingle("Access-Control-Allow-Methods", requestContext.getMethod());
+ }
+
+ CorsAllowOrigin corsAllowOrigin = info.getResourceMethod().getAnnotation(CorsAllowOrigin.class);
+ if (corsAllowOrigin != null) {
+ response.getHeaders().putSingle("Access-Control-Allow-Origin", corsAllowOrigin.value());
+ }
+
 }
 @PostConstruct
diff --git a/demoiselle-security/src/main/java/org/demoiselle/jee/security/filter/JaxRsFilter.java b/demoiselle-security/src/main/java/org/demoiselle/jee/security/filter/JaxRsFilter.java
index 6eda878..f3bdd0a 100644
--- a/demoiselle-security/src/main/java/org/demoiselle/jee/security/filter/JaxRsFilter.java
+++ b/demoiselle-security/src/main/java/org/demoiselle/jee/security/filter/JaxRsFilter.java
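Review bot: `Access-Control-Allow-Methods` is filled with `requestContext.getMethod()`, the method of the current request, so on a preflight the browser is told only that `OPTIONS` is allowed and the real PUT/DELETE is refused, while on the actual request the header says nothing useful; the allowed list belongs on the annotation, `response.getHeaders().putSingle("Access-Control-Allow-Methods", corsAllowMethods.value());` once `CorsAllowMethods` gains a `value()`. `Access-Control-Allow-Origin` is emitted verbatim from `corsAllowOrigin.value()` (default `*`) with no check against the request's `Origin`, and the security filter hunk in this same patch adds `Access-Control-Allow-Credentials: true`; `*` with credentials is rejected by browsers, and a later change to reflect `Origin` here would expose authenticated responses to any site, so an allow-list comparison is the right shape. Both annotations are `@Target({METHOD, TYPE})` but only `info.getResourceMethod().getAnnotation(...)` is consulted, so class-level annotations are silently ignored, and if the container serves a preflight without a matching resource method `getResourceMethod()` may be null here (unverified) — a guard `if (info.getResourceMethod() == null) { return; }` before the lookups would cover it. The `Demoiselle: 3.0.0` header advertises the framework version on every response, which is an avoidable fingerprint.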
@@ -44,6 +44,9 @@ public class JaxRsFilter implements ClientRequestFilter, ClientResponseFilter, C
 @Override
 public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
+ responseContext.getHeaders().putSingle("Access-Control-Allow-Headers", "Authorization");
+ responseContext.getHeaders().putSingle("Access-Control-Allow-Credentials", "true");
+ responseContext.getHeaders().putSingle("Authorization", "enabled");
 responseContext.getHeaders().putSingle("x-content-type-options", "nosniff");
 responseContext.getHeaders().putSingle("x-frame-options", "SAMEORIGIN");
-- libgit2 0.21.2