
Do you know if there is a standard way to configure the Http Headers that JBoss EAP 7 sends to the client? I am mainly interested in being able to configure the following ones:

  • X-XSS-Protection
  • X-Frame-Options
  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options

I found this link on the internet

https://blog.akquinet.de/2017/08/03/wildfly-8-10-and-jboss-eap-7-verbose-http-headers/

but I am not sure whether I can use it for the headers I am interested in.

Thank you!

James R. Perkins
Alex Mi
  • why not try it out? I see no reason why it wouldn't work, if you have eap-wide headers. – eis Feb 06 '18 at 14:08

2 Answers


As per the JBoss EAP 7 documentation:

Previous releases of JBoss EAP supported valves. Valves are custom classes inserted into the request processing pipeline for an application before servlet filters to make changes to the request or perform additional processing. Global valves are inserted into the request processing pipeline of all deployed applications. Authenticator valves authenticate the credentials of the request. Valves were created by extending the org.apache.catalina.valves.ValveBase class and configured in the element of the jboss-web.xml descriptor file.

Undertow, which replaces JBoss Web in JBoss EAP 7, does not support valves; however, you should be able to achieve similar functionality by using Undertow handlers. Undertow includes a number of built-in handlers that provide common functionality. It also provides the ability to create custom handlers, which can be used to replace custom valve functionality.

You can still go this route for complex situations; however, now that Undertow is used, adding response headers has been simplified, as you can just add custom headers to the JBoss Undertow subsystem. Your filters section will change from this:

<filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>


To this:

<filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    <!-- Begin custom Headers: each filter defined here only takes effect once a
         matching <filter-ref name="..."/> is added under the <host> it should
         apply to; without that reference the filter is parsed but never runs -->
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value=""/>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value=""/>
    <response-header name="content-security-policy" header-name="Content-Security-Policy" header-value=""/>
    <response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value=""/>
</filters>

I'll leave it up to everyone else to determine the values they'd like to place for the headers (save some editing during copy/paste)

JGlass
  • could you give me an example of how I can set these headers globally using a custom valve jar? – Alex Mi Feb 06 '18 at 14:15
  • Let me dig around a bit to find you something. – JGlass Feb 06 '18 at 15:09
  • I'm updating the answer, JBoss EAP 7 now uses Undertow instead of JBoss WEB and Tomcat so it no longer supports Valves – JGlass Feb 06 '18 at 16:21
  • And, mmmaaann - I thought I was going to have to find some code for a custom handler for you, which I did [Configuring a Custom Undertow Filter in WildFly](https://kb.novaordis.com/index.php/Configuring_a_Custom_Undertow_Filter_in_WildFly), which also lists how to add it as a module, and then use [this](https://developer.jboss.org/message/959157#959157) for the subsystem configuration. But I just found an easier way that should make you way happier as it's less complicated; a few moments and I'll post it. If it helps, please feel free to accept my answer and let me know! – JGlass Feb 06 '18 at 16:37
  • @AlexMi - did you get to try it out? – JGlass Feb 07 '18 at 13:21
  • thank you for your efforts! Actually, I have forwarded it to our IT Architects – Alex Mi Feb 07 '18 at 14:53
  • Awesome, if it helps - please feel free to accept the answer! It looks like it should work - if it doesn't, let me know and I can look into it a bit more! – JGlass Feb 07 '18 at 15:14
  • Hello JGLass, how can I accept your answer, please? – Alex Mi Feb 08 '18 at 06:14
  • Right under the "1", with the up and down arrows, there's a greyed-out checkbox; check it and this accepts the answer and shows a green checkbox ;-) It's also good practice to accept your own answers on old questions you solved yourself, as then the question will not show as unanswered. – JGlass Feb 08 '18 at 13:37

See the JBoss EAP 7 documentation link: Configuring Filters

Open your standalone.xml in the JBoss EAP 7 directory, search for "urn:jboss:domain:undertow" in this XML, then add your custom filter rules like:

<filters>
  <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
  <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
  <!--your custom rules in detail; header-value must be filled in (e.g. SAMEORIGIN or DENY),
      an empty value sends an empty header that browsers ignore-->
  <response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
</filters>

Don't forget to add <filter-ref name="x-frame-options"/> in

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <!-- in standalone.xml the host sits under <server name="default-server"> -->
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <!--declare your custom rules here-->
            <filter-ref name="x-frame-options"/>
            <single-sign-on http-only="true" secure="true"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
</subsystem>
zichen.L
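Both answers above leave two things to the reader: the header values themselves, and the fact that a response-header filter only takes effect once a host references it with a filter-ref. The script below is an added example written for this page, not code from either answer nor from JBoss or WildFly. It patches a constructed, cut-down undertow subsystem fragment in the shape the answers show, adding each response-header filter together with its filter-ref, idempotently, and it reports filters that are defined but never referenced, which is what the first answer's snippet produces on its own. Assumptions: the subsystem namespace urn:jboss:domain:undertow:4.0 and the host name default-host as they appear in the answers; the header values are this example's hardening choices, not anything the page or JBoss prescribes.

```python
"""Add security response-header filters, plus their filter-refs, to the
Undertow subsystem of a JBoss EAP 7 standalone.xml.

Added example for this page, not code from the answers or from JBoss.
Assumptions: namespace urn:jboss:domain:undertow:4.0 and host "default-host"
as shown in the answers; header values are this example's choices.
"""
import xml.etree.ElementTree as ET

UNDERTOW_NS = "urn:jboss:domain:undertow:4.0"

# filter name -> (header name, header value); values are example choices
SECURITY_HEADERS = {
    "x-xss-protection": ("X-XSS-Protection", "1; mode=block"),
    "x-frame-options": ("X-Frame-Options", "SAMEORIGIN"),
    "strict-transport-security": ("Strict-Transport-Security",
                                  "max-age=31536000; includeSubDomains"),
    "content-security-policy": ("Content-Security-Policy", "default-src 'self'"),
    "x-content-type-options": ("X-Content-Type-Options", "nosniff"),
}

# Constructed, cut-down undertow subsystem in the shape the answers show.
SAMPLE_SUBSYSTEM = f"""<subsystem xmlns="{UNDERTOW_NS}">
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <filter-ref name="server-header"/>
      <filter-ref name="x-powered-by-header"/>
      <single-sign-on http-only="true" secure="true"/>
    </host>
  </server>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
  </filters>
</subsystem>"""

# Constructed: the first answer's shape, a filter defined but never referenced.
DANGLING_SAMPLE = SAMPLE_SUBSYSTEM.replace(
    "</filters>",
    '  <response-header name="x-frame-options" header-name="X-Frame-Options" '
    'header-value=""/>\n  </filters>')


def q(tag):
    """Clark-notation name for an element in the undertow namespace."""
    return f"{{{UNDERTOW_NS}}}{tag}"


def _insert_after_last(parent, tags, new_elem):
    """Insert new_elem after the last child whose tag is in tags, so the
    new filter-ref lands after locations and existing refs, not at the end."""
    pos = 0
    for i, child in enumerate(parent):
        if child.tag in tags:
            pos = i + 1
    parent.insert(pos, new_elem)


def add_security_headers(subsystem_xml, headers=SECURITY_HEADERS,
                         host_name="default-host"):
    """Return (patched XML, names of filters added). Idempotent: filters and
    filter-refs that already exist under the same name are left untouched."""
    ET.register_namespace("", UNDERTOW_NS)   # serialise without ns0: prefixes
    root = ET.fromstring(subsystem_xml)
    if root.tag != q("subsystem"):
        raise ValueError("expected the undertow <subsystem> element as root")
    host = root.find(f"./{q('server')}/{q('host')}[@name='{host_name}']")
    if host is None:
        raise ValueError(f"host {host_name!r} not found")
    filters = root.find(q("filters"))
    if filters is None:
        filters = ET.SubElement(root, q("filters"))

    added = []
    for name, (header, value) in headers.items():
        if filters.find(f"{q('response-header')}[@name='{name}']") is None:
            ET.SubElement(filters, q("response-header"),
                          {"name": name, "header-name": header,
                           "header-value": value})
            added.append(name)
        if host.find(f"{q('filter-ref')}[@name='{name}']") is None:
            # without this reference the filter is parsed but never runs
            _insert_after_last(host,
                               {q("location"), q("access-log"), q("filter-ref")},
                               ET.Element(q("filter-ref"), {"name": name}))
    return ET.tostring(root, encoding="unicode"), added


def unreferenced_filters(subsystem_xml):
    """Filters defined under <filters> that no <host> references."""
    root = ET.fromstring(subsystem_xml)
    defined = [f.get("name") for f in root.iterfind(f"./{q('filters')}/*")]
    referenced = {r.get("name") for r in root.iter(q("filter-ref"))}
    return [name for name in defined if name not in referenced]


if __name__ == "__main__":
    patched, added = add_security_headers(SAMPLE_SUBSYSTEM)
    print(patched)
    print("added filters:", added)
    print("defined but unreferenced:", unreferenced_filters(DANGLING_SAMPLE))
```

The same two steps can be done against a running server with the management CLI instead of editing the file: `/subsystem=undertow/configuration=filter/response-header=x-frame-options:add(header-name=X-Frame-Options, header-value=SAMEORIGIN)` defines the filter and `/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-frame-options:add` attaches it to the host. On the values: Strict-Transport-Security is only honoured by browsers when received over HTTPS, so it does nothing for a plain-HTTP listener; `default-src 'self'` blocks inline scripts and styles and should be tested against the deployed applications before it goes live; and X-XSS-Protection is a legacy header that current browsers ignore, so treat it as optional rather than as protection.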