Add preload support to Strict-Transport-Security

1. Preload support in Servlet Security(XML & Java) 2. Preload support in Reactive Security 3. Test for preload support in Servlet Security 4. Test for preload support in Reactive Security Fixes: spring-projectsgh-6312
ankurpathak · Jan 9, 2019 · 3fcc95d · 3fcc95d
1 parent be23ab8
commit 3fcc95d
Show file tree

Hide file tree

Showing 13 changed files with 3,857 additions and 18 deletions.
diff --git a/...ava/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/...ava/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -379,6 +379,25 @@ public HstsConfig includeSubDomains(boolean includeSubDomains) {
 			return this;
 		}
 
+		/**
+		 * <p>
+		 * If true, preload will be included in HSTS Header. The default is false.
+		 * </p>
+		 *
+		 * <p>
+		 * See <a href="https://hstspreload.org/">Website hstspreload.org</a>
+		 * for additional details.
+		 * </p>
+		 *
+		 * @param preload true to include preload, else false
+		 * @since 5.2.0
+		 * @author Ankur Pathak
+		 */
+		public HstsConfig preload(boolean preload) {
+			writer.setPreload(preload);
+			return this;
+		}
+
 		/**
 		 * Disables Strict Transport Security
 		 *

diff --git a/...g/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java b/...g/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
@@ -68,6 +68,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
 	private static final String ATT_INCLUDE_SUBDOMAINS = "include-subdomains";
 	private static final String ATT_MAX_AGE_SECONDS = "max-age-seconds";
 	private static final String ATT_REQUEST_MATCHER_REF = "request-matcher-ref";
+	private static final String ATT_PRELOAD = "preload";
 	private static final String ATT_REPORT_ONLY = "report-only";
 	private static final String ATT_REPORT_URI = "report-uri";
 	private static final String ATT_ALGORITHM = "algorithm";
@@ -194,6 +195,14 @@ private void addHsts(boolean addIfNotPresent, Element hstsElement,
 				}
 				headersWriter.addPropertyReference("requestMatcher", requestMatcherRef);
 			}
+			String preload = hstsElement.getAttribute(ATT_PRELOAD);
+			if (StringUtils.hasText(preload)) {
+				if (disabled) {
+					attrNotAllowed(context, ATT_PRELOAD, ATT_DISABLED,
+							hstsElement);
+				}
+				headersWriter.addPropertyValue("preload", preload);
+			}
 
 			if (disabled == true) {
 				return;

diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -2367,6 +2367,26 @@ public HstsSpec includeSubdomains(boolean includeSubDomains) {
 				return this;
 			}
 
+			/**
+			 * <p>
+			 * Configures if preload should be included. Default is false
+			 * </p>
+			 *
+			 * <p>
+			 * See <a href="https://hstspreload.org/">Website hstspreload.org</a>
+			 * for additional details.
+			 * </p>
+			 *
+			 * @param preload if subdomains should be included
+			 * @return the {@link HstsSpec} to continue configuring
+			 * @since 5.2.0
+			 * @author Ankur Pathak
+			 */
+			public HstsSpec preload(boolean preload) {
+				HeaderSpec.this.hsts.setPreload(preload);
+				return this;
+			}
+
 			/**
 			 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 			 * @return the {@link HeaderSpec} to continue configuring

diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.2.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.2.rnc