org.springframework.security.web.header.writers
Class HstsHeaderWriter

java.lang.Object
  extended by org.springframework.security.web.header.writers.HstsHeaderWriter
All Implemented Interfaces:
HeaderWriter

public final class HstsHeaderWriter
extends Object
implements HeaderWriter

Provides support for HTTP Strict Transport Security (HSTS).

By default the expiration is one year and subdomains will be included. This can be customized using setMaxAgeInSeconds(long) and setIncludeSubDomains(boolean) respectively.

Since section 7.2 of RFC 6797 states that an HSTS Host MUST NOT include the STS header in HTTP (non-TLS) responses, the default behavior is that the "Strict-Transport-Security" header is only added when ServletRequest.isSecure() returns true. At times this may need to be customized. For example, where SSL termination happens at a proxy in front of the application, the container sees plain HTTP and something else (such as a header set by the proxy) must be used to determine whether SSL was used. For these circumstances, setRequestMatcher(RequestMatcher) can be invoked with a custom RequestMatcher.

Since:
3.2

Constructor Summary
HstsHeaderWriter()
          Creates a new instance
HstsHeaderWriter(boolean includeSubDomains)
          Creates a new instance
HstsHeaderWriter(long maxAgeInSeconds)
          Creates a new instance
HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains)
          Creates a new instance
HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains)
          Creates a new instance
 
Method Summary
 void setIncludeSubDomains(boolean includeSubDomains)
           If true, subdomains should be considered HSTS Hosts too.
 void setMaxAgeInSeconds(long maxAgeInSeconds)
           Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header.
 void setRequestMatcher(RequestMatcher requestMatcher)
          Sets the RequestMatcher used to determine if the "Strict-Transport-Security" should be added.
 void writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Create a Header instance.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

HstsHeaderWriter

public HstsHeaderWriter(RequestMatcher requestMatcher,
                        long maxAgeInSeconds,
                        boolean includeSubDomains)
Creates a new instance

Parameters:
requestMatcher - maps to setRequestMatcher(RequestMatcher)
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)
includeSubDomains - maps to setIncludeSubDomains(boolean)

HstsHeaderWriter

public HstsHeaderWriter(long maxAgeInSeconds,
                        boolean includeSubDomains)
Creates a new instance

Parameters:
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)
includeSubDomains - maps to setIncludeSubDomains(boolean)

HstsHeaderWriter

public HstsHeaderWriter(long maxAgeInSeconds)
Creates a new instance

Parameters:
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)

HstsHeaderWriter

public HstsHeaderWriter(boolean includeSubDomains)
Creates a new instance

Parameters:
includeSubDomains - maps to setIncludeSubDomains(boolean)

HstsHeaderWriter

public HstsHeaderWriter()
Creates a new instance

Method Detail

writeHeaders

public void writeHeaders(javax.servlet.http.HttpServletRequest request,
                         javax.servlet.http.HttpServletResponse response)
Description copied from interface: HeaderWriter
Create a Header instance.

Specified by:
writeHeaders in interface HeaderWriter
Parameters:
request - the request
response - the response

setRequestMatcher

public void setRequestMatcher(RequestMatcher requestMatcher)
Sets the RequestMatcher used to determine if the "Strict-Transport-Security" header should be added. If the matcher matches the request, the header is added; otherwise it is not. By default the header is added when ServletRequest.isSecure() returns true.

Parameters:
requestMatcher - the RequestMatcher to use.
Throws:
IllegalArgumentException - if RequestMatcher is null
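As an added example (not code from the Spring Security Javadoc or project), the SSL-termination case described above: a custom RequestMatcher that also accepts requests a TLS-terminating proxy has marked with an X-Forwarded-Proto header, passed to the three-argument constructor. The ForwardedHttpsMatcher and ForwardedHstsExample names, the use of spring-test mock request/response objects to exercise the writer, and the 3.2 package location of RequestMatcher (org.springframework.security.web.util.matcher) are assumptions of this example.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class ForwardedHstsExample {

    /**
     * Hypothetical matcher: treats a request as TLS-protected when the container
     * reports it secure, or when an upstream TLS-terminating proxy has set
     * X-Forwarded-Proto: https. Only trustworthy if that proxy overwrites any
     * client-supplied value of the header before forwarding the request.
     */
    static final class ForwardedHttpsMatcher implements RequestMatcher {
        public boolean matches(HttpServletRequest request) {
            if (request.isSecure()) {
                return true;
            }
            String proto = request.getHeader("X-Forwarded-Proto");
            return proto != null && "https".equalsIgnoreCase(proto.trim());
        }
    }

    /** Same max-age (one year) and includeSubDomains as the defaults, custom matcher. */
    static HstsHeaderWriter forwardedAwareWriter() {
        return new HstsHeaderWriter(new ForwardedHttpsMatcher(), 31536000L, true);
    }

    public static void main(String[] args) {
        HstsHeaderWriter writer = forwardedAwareWriter();

        // Plain HTTP request, no proxy header: the matcher does not match,
        // so no Strict-Transport-Security header is written (RFC 6797 section 7.2).
        MockHttpServletRequest plain = new MockHttpServletRequest("GET", "/");
        MockHttpServletResponse plainResponse = new MockHttpServletResponse();
        writer.writeHeaders(plain, plainResponse);
        System.out.println("plain http      -> " + plainResponse.getHeader("Strict-Transport-Security"));

        // Request terminated at the proxy and forwarded over HTTP, marked as https:
        // the matcher matches and the header is written.
        MockHttpServletRequest forwarded = new MockHttpServletRequest("GET", "/");
        forwarded.addHeader("X-Forwarded-Proto", "https");
        MockHttpServletResponse forwardedResponse = new MockHttpServletResponse();
        writer.writeHeaders(forwarded, forwardedResponse);
        System.out.println("forwarded https -> " + forwardedResponse.getHeader("Strict-Transport-Security"));
    }
}
```

In a Java-config setup the same writer would be registered with the headers configurer (http.headers().addHeaderWriter(forwardedAwareWriter())); that registration step is assumed here and not shown by the page.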

setMaxAgeInSeconds

public void setMaxAgeInSeconds(long maxAgeInSeconds)

Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year.

This instructs browsers how long to remember this domain as a known HSTS Host. See Section 6.1.1 of RFC 6797 for additional details.

Parameters:
maxAgeInSeconds - the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.
Throws:
IllegalArgumentException - if maxAgeInSeconds is negative

setIncludeSubDomains

public void setIncludeSubDomains(boolean includeSubDomains)

If true, subdomains should be considered HSTS Hosts too. The default is true.

See Section 6.1.2 of RFC 6797 for additional details.

Parameters:
includeSubDomains - true to include subdomains, else false