SEC-2348: Security HTTP Response Headers enabled by default w/ XML

Author: Rob Winch

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -196,7 +196,7 @@ private boolean namespaceMatchesVersion(Element element) {
 
  private boolean matchesVersionInternal(Element element) {
  String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
- return schemaLocation.matches("(?m).*spring-security-3\\.2.*.xsd.*")
+ return schemaLocation.matches("(?m).*spring-security-4\\.0.*.xsd.*")
  || schemaLocation.matches("(?m).*spring-security.xsd.*")
  || !schemaLocation.matches("(?m).*spring-security.*");
  }

config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java

@@ -80,14 +80,24 @@ public BeanDefinition parse(Element element, ParserContext parserContext) {
  headerWriters = new ManagedList<BeanMetadataElement>();
  BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(HeaderWriterFilter.class);
 
- parseCacheControlElement(element);
- parseHstsElement(element);
- parseXssElement(element, parserContext);
- parseFrameOptionsElement(element, parserContext);
- parseContentTypeOptionsElement(element);
+ if(element != null) {
 
- parseHeaderElements(element);
+ parseCacheControlElement(element);
+ parseHstsElement(element);
+ parseXssElement(element, parserContext);
+ parseFrameOptionsElement(element, parserContext);
+ parseContentTypeOptionsElement(element);
 
+ parseHeaderElements(element);
+ }
+
+ boolean disabled = element != null && "true".equals(element.getAttribute("disabled"));
+ if(disabled) {
+ if(!headerWriters.isEmpty()) {
+ parserContext.getReaderContext().error("Cannot specify <headers disabled=\"true\"> with child elements.", element);
+ }
+ return null;
+ }
  if(headerWriters.isEmpty()) {
  addCacheControl();
  addHsts(null);

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -638,9 +638,7 @@ private void createFilterSecurityInterceptor(BeanReference authManager) {
 
  private void createAddHeadersFilter() {
  Element elmt = DomUtils.getChildElementByTagName(httpElt, Elements.HEADERS);
- if (elmt != null) {
- this.addHeadersFilter = new HeadersBeanDefinitionParser().parse(elmt, pc);
- }
+ this.addHeadersFilter = new HeadersBeanDefinitionParser().parse(elmt, pc);
 
  }
 

config/src/main/resources/META-INF/spring.schemas

@@ -1,4 +1,5 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.2.xsd
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-4.0.xsd
+http\://www.springframework.org/schema/security/spring-security-4.0.xsd=org/springframework/security/config/spring-security-4.0.xsd
 http\://www.springframework.org/schema/security/spring-security-3.2.xsd=org/springframework/security/config/spring-security-3.2.xsd
 http\://www.springframework.org/schema/security/spring-security-3.1.xsd=org/springframework/security/config/spring-security-3.1.xsd
 http\://www.springframework.org/schema/security/spring-security-3.0.3.xsd=org/springframework/security/config/spring-security-3.0.3.xsd