Class ConfluenceHttpHeaderSecurityFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class ConfluenceHttpHeaderSecurityFilter
    extends org.apache.catalina.filters.HttpHeaderSecurityFilter
Wrapper around Tomcat's org.apache.catalina.filters.HttpHeaderSecurityFilter.

Previously, customers were instructed to add HSTS headers by configuring this filter in Tomcat's global conf/web.xml. That no longer works: the ServletFilters enum now registers filters through Java configuration, and the filters have been migrated out of web.xml.

The order of execution between filters declared in Java configuration and filters declared in web.xml is not something to rely on. That unreliable ordering led to VULN-1033847.

Resolved by migrating HttpHeaderSecurity to Java configuration, with system properties to enable or disable it.
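As an added illustration (not Confluence's own code), the shape such a wrapper takes: a subclass of Tomcat's HttpHeaderSecurityFilter that takes its HSTS options from system properties rather than web.xml init-params, and honours a "disabled" kill switch. The class name, the property names and the 31536000-second default are assumptions for this example; the page names the constants but does not give their values.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.catalina.filters.HttpHeaderSecurityFilter;

/**
 * Example wrapper around Tomcat's HttpHeaderSecurityFilter, registered from
 * Java configuration and driven by system properties. Not the Confluence class.
 */
public class ExampleHttpHeaderSecurityFilter extends HttpHeaderSecurityFilter {

    // Property names are assumptions for this example; the real constants'
    // values are not shown on the page.
    static final String DISABLED_PROPERTY = "example.http.header.security.disabled";
    static final String HSTS_MAX_AGE_PROPERTY = "example.http.header.security.hsts.max.age";
    static final String HSTS_INCLUDE_SUB_DOMAINS_PROPERTY = "example.http.header.security.hsts.include.sub.domains";
    static final String HSTS_PRELOAD_PROPERTY = "example.http.header.security.hsts.preload";

    // Assumed default: one year, the minimum the HSTS preload list accepts.
    static final int DEFAULT_HSTS_MAX_AGE_SECONDS = 31536000;

    private volatile boolean disabled;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        disabled = Boolean.getBoolean(DISABLED_PROPERTY);

        // Tomcat's filter builds the Strict-Transport-Security header value inside
        // init(), so the setters must run BEFORE super.init(); calling them
        // afterwards changes the fields but not the header that is sent.
        setHstsEnabled(true);
        setHstsMaxAgeSeconds(Integer.getInteger(HSTS_MAX_AGE_PROPERTY, DEFAULT_HSTS_MAX_AGE_SECONDS));
        setHstsIncludeSubDomains(Boolean.getBoolean(HSTS_INCLUDE_SUB_DOMAINS_PROPERTY));
        // "preload" is only meaningful with includeSubDomains and a max-age of at
        // least one year; the preload list rejects submissions without them.
        setHstsPreload(Boolean.getBoolean(HSTS_PRELOAD_PROPERTY));

        // Base-class init applies any init-params (there are none under Java
        // configuration) and then freezes the computed header value.
        super.init(filterConfig);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (disabled) {
            // Operator opted out, e.g. because a TLS-terminating proxy already sets
            // the headers. Pass straight through without touching the response.
            chain.doFilter(request, response);
            return;
        }
        // Tomcat adds Strict-Transport-Security only when request.isSecure() is true
        // and throws if the response is already committed. Behind a reverse proxy the
        // connector (secure="true") or RemoteIpFilter must mark the request secure,
        // otherwise the HSTS header is silently omitted.
        super.doFilter(request, response, chain);
    }
}
```

Registering the subclass from Java configuration, ahead of anything that may commit the response, is what removes the dependence on web.xml ordering that the description above refers to. After deployment, confirm the header is actually present on an HTTPS response and absent on plain HTTP; a filter that is wired in but sees request.isSecure() == false produces no header at all.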

    • Field Detail

      • HTTP_HEADER_SECURITY_DISABLED_SYSTEM_PROPERTY

        public static final String HTTP_HEADER_SECURITY_DISABLED_SYSTEM_PROPERTY
        See Also:
        Constant Field Values
      • HTTP_HEADER_SECURITY_HSTS_PRELOAD_ENABLED

        public static final String HTTP_HEADER_SECURITY_HSTS_PRELOAD_ENABLED
        See Also:
        Constant Field Values
      • HTTP_HEADER_SECURITY_HSTS_INCLUDE_SUB_DOMAINS

        public static final String HTTP_HEADER_SECURITY_HSTS_INCLUDE_SUB_DOMAINS
        See Also:
        Constant Field Values
      • DEFAULT_HSTS_MAX_AGE_SECONDS

        public static final int DEFAULT_HSTS_MAX_AGE_SECONDS
        See Also:
        Constant Field Values
    • Constructor Detail

      • ConfluenceHttpHeaderSecurityFilter

        public ConfluenceHttpHeaderSecurityFilter()
    • Method Detail

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Overrides:
        doFilter in class org.apache.catalina.filters.HttpHeaderSecurityFilter
        Throws:
        IOException
        javax.servlet.ServletException