Additional Embedded Tomcat Config Settings


mggardiner

Aug 31, 2017, 4:53:39 PM
to CAS Community
I am looking to add some additional security related configuration settings to the Apereo CAS Server 5.1.3 via the Maven Apereo CAS Server overlay template. I see where a lot of the Tomcat / Embedded servlet container settings are available via properties but some are not (as far as I can see).

Specifically I would like to add the server.xml equivalent listeners in embedded Tomcat:

<Server port="@tomcat.shutdown.port@" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="ec2-user" minimumUmask="" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />


And the equivalent in the global web.xml:

  <filter>
      <filter-name>httpHeaderSecurity</filter-name>
      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      <init-param>
          <param-name>hstsEnabled</param-name>
          <param-value>false</param-value>
      </init-param>
      <init-param>
          <param-name>blockContentTypeSniffingEnabled</param-name>
          <param-value>false</param-value>
      </init-param>
      <async-supported>true</async-supported>
  </filter>

  <!-- The mapping for the HTTP header security Filter -->
  <filter-mapping>
      <filter-name>httpHeaderSecurity</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
  </filter-mapping>


What is the recommended way of adding the above equivalent settings to an embedded Tomcat instance within the Apereo CAS Server overlay template based on Maven?


Thanks.


-Mike-


mggardiner

Sep 1, 2017, 5:46:03 PM
to CAS Community
UPDATE:

I have found what I was looking for. Specifically, in Spring Boot it's possible to add Servlets, Filters, and Listeners outside of the main SpringBootApplication class. The key was ensuring the new class I was creating to add the servlets and listeners was in the same package (i.e. org.apereo.cas.web) where the CasWebApplication lives, since it's the class that has the @SpringBootApplication. My Filter class ended up looking something like the following:

import org.apache.catalina.filters.HttpHeaderSecurityFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.DispatcherType;

@Configuration
public class Filters {
    @Bean
    public FilterRegistrationBean httpHeaderSecurityFilter() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        HttpHeaderSecurityFilter httpHeaderSecurityFilter = new HttpHeaderSecurityFilter();

        filterRegistrationBean.setName("httpHeaderSecurity");
        filterRegistrationBean.setFilter(httpHeaderSecurityFilter);
        filterRegistrationBean.addInitParameter("hstsEnabled", "false");
        filterRegistrationBean.addInitParameter("blockContentTypeSniffingEnabled", "false");

        filterRegistrationBean.setAsyncSupported(true);
        filterRegistrationBean.setDispatcherTypes(DispatcherType.REQUEST);
        filterRegistrationBean.addUrlPatterns("/*");

        return filterRegistrationBean;
    }
}

Martin Schalck

Sep 4, 2017, 2:47:28 AM
to CAS Community
Hi Mike

I think you should use the spring.factories approach instead of "polluting" the package name space.

Add a spring.factories file to a META-INF directory and add a line like this:

org.springframework.boot.autoconfigure.EnableAutoConfiguration=our.awsome.package.Filters

Br

Martin
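
The listener half of the original question, combined with the spring.factories registration suggested above, as an added example that is not part of the thread or of CAS itself. It assumes the Spring Boot 1.5 embedded-container API (the same generation as the FilterRegistrationBean import used earlier in the thread); the package and class names are hypothetical.

```java
// File: src/main/java/org/example/cas/config/TomcatHardeningConfiguration.java
// Registered through src/main/resources/META-INF/spring.factories with the line:
//   org.springframework.boot.autoconfigure.EnableAutoConfiguration=org.example.cas.config.TomcatHardeningConfiguration
package org.example.cas.config; // hypothetical package, kept outside org.apereo.cas.web

import org.apache.catalina.security.SecurityListener;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatHardeningConfiguration {

    // A customizer is used instead of a second EmbeddedServletContainerFactory bean,
    // so it decorates whichever factory the application already defines.
    @Bean
    public EmbeddedServletContainerCustomizer securityListenerCustomizer() {
        return container -> {
            // Do nothing if the embedded container is not Tomcat.
            if (!(container instanceof TomcatEmbeddedServletContainerFactory)) {
                return;
            }

            SecurityListener listener = new SecurityListener();

            // Attribute values copied from the server.xml fragment in the thread.
            // Tomcat documents checkedOsUsers as the accounts that must NOT be
            // used to start Tomcat (default: root); startup is refused for them.
            listener.setCheckedOsUsers("ec2-user");
            // An empty minimumUmask is parsed as 0, which switches the umask
            // check off; Tomcat's default is 0007.
            listener.setMinimumUmask("");

            // This Spring Boot hook attaches listeners to the web application
            // Context, not to the <Server> element as server.xml does. The
            // listener runs its checks on the BEFORE_INIT event of the
            // component it is attached to.
            ((TomcatEmbeddedServletContainerFactory) container)
                    .addContextLifecycleListeners(listener);
        };
    }
}
```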

mggardiner

Sep 5, 2017, 10:14:29 AM
to CAS Community
Good idea, thanks for the recommendation Martin.

-Mike-