I was going through different solutions available for preventing clickjacking in a grails application. One of the solutions was using X-Frame. So, I found a grails plugin, X-Frame-Options Plugin, by mrhaki.
It is serving my purpose of adding a response header
X-Frame:DENY
to every response. Great!
I read there was a modern solution - Content-Security-Policy header. I'm unable to configure this for my Grails application. Could someone help?
The X-Frame-Options plugin is simple and inserts a servlet filter to add a header to requests. For your situation I'd recommend creating your own servlet filter to add the Content-Security-Policy headers.
You can see an example here of how to add a header:
https://github.com/mrhaki/grails-x-frame-options-plugin/blob/df230a9f01cd2e1c6ac4be6d9eac41fbcae48293/src/main/groovy/com/mrhaki/grails/plugin/xframeoptions/web/XFrameOptionsFilter.groovy#L69
Another option would be to use your web server infront of your app (apache httpd or nginx) to add the headers.
Related
Setup:
I am using the Java library springdoc-openapi-ui in version 1.4.0 (via Maven) without any customization in a simple spring-boot project.
The Swagger page is generated under
https://my-url.com/my-context-path/swagger-ui/index.html
and the api-docs under
https://my-url.com/my-context-path/v3/api-docs/
both of these work and I can reach them. So far so good!
Now the problem:
When simply navigating to https://my-url.com/my-context-path/swagger-ui.html I am getting a HTTP Status 302 and a location attribute set in the response header that is supposed to redirect me to the swagger page from above (I assume).
However, the URL in the location attribute misses the context path! It looks like this:
https://my-url.com/swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config
It redirects to a page that does not exist and I am getting a 404 error code. Note, that the configUrl also seems to be missing the context-path.
Any ideas why this occurs and how it can be fixed?
This Github Issue seemed to be the same problem, but in the end it is stated that the problem is fixed: https://github.com/springdoc/springdoc-openapi/issues/37 and that is for a previous version than mine.
Okay so the issue is that springdoc-openapi-ui is unaware of your app context path unless it is defined in spring boot, which may not be possible for everybody.
Hopefull it does support the non-standard header X-Forwarded-Prefix that can be sent by your gateway.
I my case (Kubernetes), the Ingress can be configured in your chart by simply adding nginx.ingress.kubernetes.io/x-forwarded-prefix: "true"
And in your application config you also need to specify
server:
forward-headers-strategy: framework
to use Spring's support for handling forwarded headers.
Sources:
https://github.com/kubernetes/ingress-nginx/issues/3670
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#x-forwarded-prefix-header
https://github.com/springdoc/springdoc-openapi/issues/607
There are no know issues about context-path usage. As you can #37 is resolved and that reported it has confirmed that!
Just make sure you follow the instructions of setting context-path on standard spring-boot application.
You can test the configuration of your context path, in the different demos samples:
https://github.com/springdoc/springdoc-openapi-demos
If you have any problem, you can log an issue by provinding a minimal/reproducible sample or with unit tests that reproduces the problem.
In order to configure a swagger-ui correctly when an external context-path is configured use the follow configuration.
springdoc.swagger-ui.config-url=/context-path/api-docs/swagger-config
springdoc.swagger-ui.url=/context-path/api-docs
springdoc.api-docs.path=/api-docs
I am using the Grails Security Plugin im my application and I appreciate it really.
Spring security automatically adds several headers to the https responses in order to avoid the caching of sensitive pages in the browser cache. I would like to disable that for non confidential informations like, for instance, fonts.
Native Spring security allows that through the <http>, <headers> and <cache-control disabled="true"> configuration elements.
While that would be simple with an XML config, I can't figure out the way to add the equivalent of to the configuration of the security plugin. Any hints?
I am using Grails 3.2.9, and security plugin 3.1.1.
I installed TFS 2017 to be accessible on both, HTTP (port 8080, default settings) and HTTPS. Now I removed HTTP binding form the IIS and reapplied the Public URL (via Administration Console -> Change Public URL).
Most of the TFS application tier works normally (as it uses relative addressing). However, build extensions somehow want to get their icons from HTTP (port 8080). See screenshot. When I noticed this, I first checked the HTML/JS source and I found that _vssPageContext variable still holds some URLs pointing to old HTTP configuration.
Has anyone solved that mistery or has any idea what to do?
EDIT: Later I re-enabled the HTTP bindings in IIS just to make the TFS work and I get a lot of warnings and errors due to HTTP / HTTPS mixup (I access TFS via HTTPS, however some content is still accessed via HTTP):
Mixed Content: The page at
'https://xxxx.xxxxx.xxxx/tfs/TFSDefault/Project/_build/definitionEditor?definitionId=113&_a=simple-process'
was loaded over HTTPS, but requested an insecure image
'http://xxxx.xxxxx.xxxx:8080/tfs/TFSDefault/_apis/distributedtask/tasks/9fcb05af-0ffe-4687-99f2-99821aad927e/0.1.1305/icon'.
This content should also be served over HTTPS.
WebSocket connection to
'ws://xxxx.xxxxx.xxxx:8080/tfs/signalr/connect?transport=webSockets&clientProtocol=1.5&contextToken=412c3608-de3b-4dab-a00d-bf5c13728d97&connectionToken=OoSymcl1qzWg%2BrHB9pzSBpb%2BdHVywo7NNUWN5xMx3Z51p9ZdZQ14wvoQKXqxB%2Bvo66eTap4iUdlqzHR1hJNUf%2By8oFUaudlkCbQIZjHQhLBHsEWtcLdfLlL7MAevl4h0My1yQA%3D%3D&connectionData=%5B%7B%22name%22%3A%22builddetailhub%22%7D%5D&tid=7'
failed: HTTP Authentication failed; no valid credentials available.
This is an issue related to the default endpoint of TFS being initially set as http, which all the elements are then defaulting their requests to, rather than relying on the initial request you are making in the browser. so you end up with a javascript element attempting to connect to the server via http and get a cross content issue.
Here is a really good article that covers the issues you are probably facing and how to fix them to use https: https://hybriddbablog.com/2017/12/16/changing-tfs-to-use-https-update-your-agent-settings-too/
I have to caveat that I havent done this yet, we actually went back in favour of running http until we moved to the next version of TFS, but from my experience of TFS, the steps look sound.
We've developed a Grails application that uses redirects.
Beacuse of external reasons, we are just recently using reverse-proxy, to split some traffic to domains:
From:
demo1.company.local (the server itself)
To:
tomcat.company.local (for all java applications, including our grails app)
lotus.company.local (for all Domino applications)
Since tomcat is only configured in the hosts file on the demo1 server, the redirects do not work when I access the application from anywhere else then the demo1 server itself.
I've tried to solve this using "absolute" and/or "base" parameter in Grails' redirect(), but if I understand correctly, this is Grails 2+ only and we're using Grails 1.3.4.
Are there other ways to redirect to a specified host?
Am I misusing things?
Thanks,
Bram
If you define grails.serverURL in Config.groovy, redirects with absolute:true will use that value for the URL.
in a struts application, I have a filter that forces certain pages to be accessed only over https via redirection. I'm thinking in porting it to grails so my question is: In the this environment, is there a "grails" way to implement such filter or is it similar/the same as I did ? Thanks
The Spring Security core plugin has support for this. See section 17 - "Channel security"