java.lang.Object
  org.springframework.security.web.header.writers.HstsHeaderWriter
public final class HstsHeaderWriter
Provides support for HTTP Strict Transport Security (HSTS).

By default the expiration is one year and subdomains will be included. This can be customized using setMaxAgeInSeconds(long) and setIncludeSubDomains(boolean) respectively.

Since section 7.2 of RFC 6797 states that an HSTS Host MUST NOT include the STS header in HTTP responses conveyed over non-secure transport, by default the "Strict-Transport-Security" header is only added when ServletRequest.isSecure() returns true. At times this may need to be customized. For example, in some situations where SSL termination is used, something else may be used to determine if SSL was used. For these circumstances, setRequestMatcher(RequestMatcher) can be invoked with a custom RequestMatcher.
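The SSL-termination case described above, as an added example that is not part of the Spring Security Javadoc. The class names `ForwardedProtoHstsConfig` and `ForwardedProtoMatcher` are hypothetical, and the use of the `X-Forwarded-Proto` header assumes a proxy that sets it and overwrites any client-supplied value.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Added example: HSTS behind a TLS-terminating proxy (hypothetical class). */
public class ForwardedProtoHstsConfig {

    /**
     * Hypothetical matcher: the request counts as secure when the container
     * saw TLS itself, or when the proxy reports https as the original scheme.
     */
    static final class ForwardedProtoMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            if (request.isSecure()) {
                return true; // TLS reached the container directly
            }
            // Assumption: the proxy strips or overwrites X-Forwarded-Proto
            // sent by clients, so this value describes the real client hop.
            String header = request.getHeader("X-Forwarded-Proto");
            if (header == null) {
                return false; // no proxy information: treat as plain HTTP
            }
            // Chained proxies may send "https, http"; the first entry is the
            // scheme used by the client. Limit 2 keeps split() from returning
            // an empty array on a malformed value such as ",".
            String clientScheme = header.split(",", 2)[0].trim();
            return "https".equalsIgnoreCase(clientScheme);
        }
    }

    /** Builds the writer with the policy stated explicitly. */
    public static HstsHeaderWriter hstsHeaderWriter() {
        long maxAgeInSeconds = 365L * 24 * 60 * 60; // one year, the documented default
        boolean includeSubDomains = true;           // the documented default
        return new HstsHeaderWriter(new ForwardedProtoMatcher(),
                maxAgeInSeconds, includeSubDomains);
    }
}
```

With this matcher, plain-HTTP requests that arrive without the proxy header still get no "Strict-Transport-Security" header, which keeps the behaviour required by section 7.2.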
Constructor Summary | |
---|---|
HstsHeaderWriter() | Creates a new instance |
HstsHeaderWriter(boolean includeSubDomains) | Creates a new instance |
HstsHeaderWriter(long maxAgeInSeconds) | Creates a new instance |
HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains) | Creates a new instance |
HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains) | Creates a new instance |
Method Summary | |
---|---|
void | setIncludeSubDomains(boolean includeSubDomains): If true, subdomains should be considered HSTS Hosts too. |
void | setMaxAgeInSeconds(long maxAgeInSeconds): Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. |
void | setRequestMatcher(RequestMatcher requestMatcher): Sets the RequestMatcher used to determine if the "Strict-Transport-Security" should be added. |
void | writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Create a Header instance. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains)
requestMatcher - maps to setRequestMatcher(RequestMatcher)
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)
includeSubDomains - maps to setIncludeSubDomains(boolean)

public HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains)
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)
includeSubDomains - maps to setIncludeSubDomains(boolean)

public HstsHeaderWriter(long maxAgeInSeconds)
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)

public HstsHeaderWriter(boolean includeSubDomains)
includeSubDomains - maps to setIncludeSubDomains(boolean)

public HstsHeaderWriter()
Method Detail |
---|
public void writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Description copied from interface HeaderWriter: Create a Header instance.
Specified by: writeHeaders in interface HeaderWriter
request - the request
response - the response

public void setRequestMatcher(RequestMatcher requestMatcher)
Sets the RequestMatcher used to determine if the "Strict-Transport-Security" header should be added. If the matcher returns true the header is added, else the header is not added. By default the header is added when ServletRequest.isSecure() returns true.
requestMatcher - the RequestMatcher to use.
IllegalArgumentException - if RequestMatcher is null

public void setMaxAgeInSeconds(long maxAgeInSeconds)
Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year.
This instructs browsers how long to remember to keep this domain as a known HSTS Host. See Section 6.1.1 for additional details.
maxAgeInSeconds - the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.
IllegalArgumentException - if maxAgeInSeconds is negative

public void setIncludeSubDomains(boolean includeSubDomains)
If true, subdomains should be considered HSTS Hosts too. The default is true.
See Section 6.1.2 for additional details.
includeSubDomains - true to include subdomains, else false