3

I have SecurityConfig class and I have added code to disable headers but I want to disable the 'Allow' response header. I have tried many different ways but no luck. How to add a custom header to disable?

        @Configuration
    @Slf4j
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception
        {
            http.csrf().disable()
    
                    .authorizeRequests().anyRequest().authenticated()
                    .and()
                    .headers().xssProtection().disable()
                    .and().headers().frameOptions().disable()
                    .and().headers().contentTypeOptions().disable()
                    .and().headers().disable()
                    .httpBasic();
        
}
}

Rest Controller

{

@RequestMapping(value = Constants.API_BASE_MAPPING + Constants.API_EVENT, method = RequestMethod.OPTIONS)
public ResponseEntity<?> publishEventMessage() {
    return getResponseEntity();
}

private ResponseEntity<?> getResponseEntity() {
    return ResponseEntity
            .ok().contentType(MediaType.APPLICATION_JSON)
            .allow() // want to remove this 
            .build();
}
}

Below is the response header from my OPTIONS API call

enter image description here

Aadi
  • 1,131
  • 2
  • 16
  • 32

1 Answers1

2

If you want to set an empty Allow Header response in a particular method in your controller, you can use:

return ResponseEntity
       .ok().contentType(MediaType.APPLICATION_JSON)
       .header("Allow", "")
       .build();

Also, you can disable the OPTIONS http method for a certain path in your security configuration adding:

.antMatchers(HttpMethod.OPTIONS,"path/to/deny").denyAll()

You can't delete headers after being set. One possible solution is prevent that by creating a Filter which skips the setHeader.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
        public void setHeader(String name, String value) {
            if (!name.equalsIgnoreCase("Allow")) {
                super.setHeader(name, value);
            }
        }
    });
}

Based on this: https://stackoverflow.com/a/7895292/3713193

How to define a filter in Spring Boot: https://www.baeldung.com/spring-boot-add-filter

Antonio Vida
  • 757
  • 4
  • 16
  • I have tried this already. but it won't remove the Allow response header. it just setting empty – Aadi Oct 02 '20 at 07:51
  • @Aadi, I've just updated the answer. Try this and tell me if it is solved ;) – Antonio Vida Oct 02 '20 at 11:29
  • where I have to override this method? – Aadi Oct 02 '20 at 11:48
  • First, you need to define a custom filter and override this method. For example, create a class DisableAllowHeaderFilter that implements Filter interface. Don't forget annotate this class with @Component. You can check this tutorial about how to define a filter in Spring Boot: https://www.baeldung.com/spring-boot-add-filter – Antonio Vida Oct 02 '20 at 11:54
  • Yes found this. And I have made the changes accordingly But I saw a new response header is coming, key: Vary and value: Origin – Aadi Oct 02 '20 at 12:01
  • it's about caching. Now I am disabling the caching control – Aadi Oct 02 '20 at 12:18
  • The filter approach works fine .. :) You can update the answer. Thank you :) – Aadi Oct 02 '20 at 12:22