spring-projects · rwinch · Jul 12, 2019 · Jun 19, 2019 · Jun 19, 2019 · Jun 19, 2019
diff --git a/...c/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/...c/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
diff --git a/...ava/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/...ava/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,13 +23,16 @@
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.header.writers.*;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
+import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -121,6 +124,26 @@ public ContentTypeOptionsConfig contentTypeOptions() {
 		return contentTypeOptions.enable();
 	}
 
+	/**
+	 * Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the <a href=
+	 * "https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx"
+	 * >X-Content-Type-Options</a>:
+	 *
+	 * <pre>
+	 * X-Content-Type-Options: nosniff
+	 * </pre>
+	 *
+	 * @param contentTypeOptionsCustomizer the {@link Customizer} to provide more options for
+	 * the {@link ContentTypeOptionsConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> contentTypeOptions(Customizer<ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
+			throws Exception {
+		contentTypeOptionsCustomizer.customize(contentTypeOptions.enable());
+		return HeadersConfigurer.this;
+	}
+
 	public final class ContentTypeOptionsConfig {
 		private XContentTypeOptionsHeaderWriter writer;
 
@@ -174,6 +197,25 @@ public XXssConfig xssProtection() {
 		return xssProtection.enable();
 	}
 
+	/**
+	 * <strong>Note this is not comprehensive XSS protection!</strong>
+	 *
+	 * <p>
+	 * Allows customizing the {@link XXssProtectionHeaderWriter} which adds the <a href=
+	 * "https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx"
+	 * >X-XSS-Protection header</a>
+	 * </p>
+	 *
+	 * @param xssCustomizer the {@link Customizer} to provide more options for
+	 * the {@link XXssConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> xssProtection(Customizer<XXssConfig> xssCustomizer) throws Exception {
+		xssCustomizer.customize(xssProtection.enable());
+		return HeadersConfigurer.this;
+	}
+
 	public final class XXssConfig {
 		private XXssProtectionHeaderWriter writer;
 
@@ -268,6 +310,26 @@ public CacheControlConfig cacheControl() {
 		return cacheControl.enable();
 	}
 
+	/**
+	 * Allows customizing the {@link CacheControlHeadersWriter}. Specifically it adds the
+	 * following headers:
+	 * <ul>
+	 * <li>Cache-Control: no-cache, no-store, max-age=0, must-revalidate</li>
+	 * <li>Pragma: no-cache</li>
+	 * <li>Expires: 0</li>
+	 * </ul>
+	 *
+	 * @param cacheControlCustomizer the {@link Customizer} to provide more options for
+	 * the {@link CacheControlConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> cacheControl(Customizer<CacheControlConfig> cacheControlCustomizer) throws Exception {
+		cacheControlCustomizer.customize(cacheControl.enable());
+		return HeadersConfigurer.this;
+	}
+
+
 	public final class CacheControlConfig {
 		private CacheControlHeadersWriter writer;
 
@@ -319,6 +381,21 @@ public HstsConfig httpStrictTransportSecurity() {
 		return hsts.enable();
 	}
 
+	/**
+	 * Allows customizing the {@link HstsHeaderWriter} which provides support for <a
+	 * href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security
+	 * (HSTS)</a>.
+	 *
+	 * @param hstsCustomizer the {@link Customizer} to provide more options for
+	 * the {@link HstsConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HstsConfig> hstsCustomizer) throws Exception {
+		hstsCustomizer.customize(hsts.enable());
+		return HeadersConfigurer.this;
+	}
+
 	public final class HstsConfig {
 		private HstsHeaderWriter writer;
 
@@ -440,6 +517,19 @@ public FrameOptionsConfig frameOptions() {
 		return frameOptions.enable();
 	}
 
+	/**
+	 * Allows customizing the {@link XFrameOptionsHeaderWriter}.
+	 *
+	 * @param frameOptionsCustomizer the {@link Customizer} to provide more options for
+	 * the {@link FrameOptionsConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> frameOptions(Customizer<FrameOptionsConfig> frameOptionsCustomizer) throws Exception {
+		frameOptionsCustomizer.customize(frameOptions.enable());
+		return HeadersConfigurer.this;
+	}
+
 	public final class FrameOptionsConfig {
 		private XFrameOptionsHeaderWriter writer;
 
@@ -516,6 +606,20 @@ public HpkpConfig httpPublicKeyPinning() {
 		return hpkp.enable();
 	}
 
+	/**
+	 * Allows customizing the {@link HpkpHeaderWriter} which provides support for <a
+	 * href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
+	 *
+	 * @param hpkpCustomizer the {@link Customizer} to provide more options for
+	 * the {@link HpkpConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HpkpConfig> hpkpCustomizer) throws Exception {
+		hpkpCustomizer.customize(hpkp.enable());
+		return HeadersConfigurer.this;
+	}
+
 	public final class HpkpConfig {
 		private HpkpHeaderWriter writer;
 
@@ -713,12 +817,57 @@ public ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives
 		return contentSecurityPolicy;
 	}
 
+	/**
+	 * <p>
+	 * Allows configuration for <a href="https://www.w3.org/TR/CSP2/">Content Security Policy (CSP) Level 2</a>.
+	 * </p>
+	 *
+	 * <p>
+	 * Calling this method automatically enables (includes) the Content-Security-Policy header in the response
+	 * using the supplied security policy directive(s).
+	 * </p>
+	 *
+	 * <p>
+	 * Configuration is provided to the {@link ContentSecurityPolicyHeaderWriter} which supports the writing
+	 * of the two headers as detailed in the W3C Candidate Recommendation:
+	 * </p>
+	 * <ul>
+	 * 	<li>Content-Security-Policy</li>
+	 * 	<li>Content-Security-Policy-Report-Only</li>
+	 * </ul>
+	 *
+	 * @see ContentSecurityPolicyHeaderWriter
+	 * @param contentSecurityCustomizer the {@link Customizer} to provide more options for
+	 * the {@link ContentSecurityPolicyConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> contentSecurityPolicy(Customizer<ContentSecurityPolicyConfig> contentSecurityCustomizer)
+			throws Exception {
+		this.contentSecurityPolicy.writer = new ContentSecurityPolicyHeaderWriter();
+		contentSecurityCustomizer.customize(this.contentSecurityPolicy);
+
+		return HeadersConfigurer.this;
+	}
+
 	public final class ContentSecurityPolicyConfig {
 		private ContentSecurityPolicyHeaderWriter writer;
 
 		private ContentSecurityPolicyConfig() {
 		}
 
+		/**
+		 * Sets the security policy directive(s) to be used in the response header.
+		 *
+		 * @param policyDirectives the security policy directive(s)
+		 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
+		 * @throws IllegalArgumentException if policyDirectives is null or empty
+		 */
+		public ContentSecurityPolicyConfig policyDirectives(String policyDirectives) {
+			this.writer.setPolicyDirectives(policyDirectives);
+			return this;
+		}
+
 		/**
 		 * Enables (includes) the Content-Security-Policy-Report-Only header in the response.
 		 *
@@ -860,13 +1009,50 @@ public ReferrerPolicyConfig referrerPolicy(ReferrerPolicy policy) {
 		return this.referrerPolicy;
 	}
 
+	/**
+	 * <p>
+	 * Allows configuration for <a href="https://www.w3.org/TR/referrer-policy/">Referrer Policy</a>.
+	 * </p>
+	 *
+	 * <p>
+	 * Configuration is provided to the {@link ReferrerPolicyHeaderWriter} which support the writing
+	 * of the header as detailed in the W3C Technical Report:
+	 * </p>
+	 * <ul>
+	 *  <li>Referrer-Policy</li>
+	 * </ul>
+	 *
+	 * @see ReferrerPolicyHeaderWriter
+	 * @param referrerPolicyCustomizer the {@link Customizer} to provide more options for
+	 * the {@link ReferrerPolicyConfig}
+	 * @return the {@link HeadersConfigurer} for additional customizations
+	 * @throws Exception
+	 */
+	public HeadersConfigurer<H> referrerPolicy(Customizer<ReferrerPolicyConfig> referrerPolicyCustomizer) throws Exception {
+		this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter();
+		referrerPolicyCustomizer.customize(this.referrerPolicy);
+		return HeadersConfigurer.this;
+	}
+
 	public final class ReferrerPolicyConfig {
 
 		private ReferrerPolicyHeaderWriter writer;
 
 		private ReferrerPolicyConfig() {
 		}
 
+		/**
+		 * Sets the policy to be used in the response header.
+		 *
+		 * @param policy a referrer policy
+		 * @return the {@link ReferrerPolicyConfig} for additional configuration
+		 * @throws IllegalArgumentException if policy is null
+		 */
+		public ReferrerPolicyConfig policy(ReferrerPolicy policy) {
+			this.writer.setPolicy(policy);
+			return this;
+		}
+
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}

diff --git a/...ringframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/...ringframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -26,6 +26,7 @@
 import org.springframework.context.event.GenericApplicationListenerAdapter;
 import org.springframework.context.event.SmartApplicationListener;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -249,6 +250,19 @@ public SessionFixationConfigurer sessionFixation() {
 		return new SessionFixationConfigurer();
 	}
 
+	/**
+	 * Allows configuring session fixation protection.
+	 *
+	 * @param sessionFixationCustomizer the {@link Customizer} to provide more options for
+	 * the {@link SessionFixationConfigurer}
+	 * @return the {@link SessionManagementConfigurer} for further customizations
+	 */
+	public SessionManagementConfigurer<H> sessionFixation(Customizer<SessionFixationConfigurer> sessionFixationCustomizer)
+			throws Exception {
+		sessionFixationCustomizer.customize(new SessionFixationConfigurer());
+		return this;
+	}
+
 	/**
 	 * Controls the maximum number of sessions for a user. The default is to allow any
 	 * number of users.
@@ -260,6 +274,20 @@ public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
 		return new ConcurrencyControlConfigurer();
 	}
 
+	/**
+	 * Controls the maximum number of sessions for a user. The default is to allow any
+	 * number of users.
+	 *
+	 * @param sessionConcurrencyCustomizer the {@link Customizer} to provide more options for
+	 * the {@link ConcurrencyControlConfigurer}
+	 * @return the {@link SessionManagementConfigurer} for further customizations
+	 */
+	public SessionManagementConfigurer<H> sessionConcurrency(Customizer<ConcurrencyControlConfigurer> sessionConcurrencyCustomizer)
+			throws Exception {
+		sessionConcurrencyCustomizer.customize(new ConcurrencyControlConfigurer());
+		return this;
+	}
+
 	/**
 	 * Invokes {@link #postProcess(Object)} and sets the
 	 * {@link SessionAuthenticationStrategy} for session fixation.
@@ -338,6 +366,18 @@ public SessionManagementConfigurer<H> none() {
 	 */
 	public final class ConcurrencyControlConfigurer {
 
+		/**
+		 * Controls the maximum number of sessions for a user. The default is to allow any
+		 * number of users.
+		 *
+		 * @param maximumSessions the maximum number of sessions for a user
+		 * @return the {@link ConcurrencyControlConfigurer} for further customizations
+		 */
+		public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
+			SessionManagementConfigurer.this.maximumSessions = maximumSessions;
+			return this;
+		}
+
 		/**
 		 * The URL to redirect to if a user tries to access a resource and their session
 		 * has been expired due to too many sessions for the current user. The default is

diff --git a/...work/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java b/...work/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
@@ -135,6 +136,20 @@ public AuthorizationCodeGrantConfigurer authorizationCodeGrant() {
 		return this.authorizationCodeGrantConfigurer;
 	}
 
+	/**
+	 * Configures the OAuth 2.0 Authorization Code Grant.
+	 *
+	 * @param authorizationCodeGrantCustomizer the {@link Customizer} to provide more options for
+	 * the {@link AuthorizationCodeGrantConfigurer}
+	 * @return the {@link OAuth2ClientConfigurer} for further customizations
+	 * @throws Exception
+	 */
+	public OAuth2ClientConfigurer<B> authorizationCodeGrant(Customizer<AuthorizationCodeGrantConfigurer> authorizationCodeGrantCustomizer)
+			throws Exception {
+		authorizationCodeGrantCustomizer.customize(this.authorizationCodeGrantConfigurer);
+		return this;
+	}
+
 	/**
 	 * Configuration options for the OAuth 2.0 Authorization Code Grant.
 	 */