5 Replies Latest reply on Nov 14, 2013 5:37 AM by Tomaz Cerar

    How to set Strict-Transport-Security in HTTP-Header?

    Juergen Zimmermann Master

      How can I set the http Header "Strict-Transport-Security: max-age=<SECONDS>" in Undertow?

        • 1. Re: How to set Strict-Transport-Security in HTTP-Header?
          Tomaz Cerar Master

          Hi,

          We thought about that, but the implementation was done 90% of the way.

          It should be done by adding a header filter to a location, for example:

          <subsystem xmlns="urn:jboss:domain:undertow:1.0">
              ....
              <server name="default-server">
                  <http-listener name="default" socket-binding="http" max-post-size="10485760"/>
                  <host name="default-host" alias="localhost">
                      <location name="/" handler="welcome-content">
                          <filter-ref name="transport-security"/>
                      </location>
                  </host>
              </server>
              <servlet-container name="default" default-buffer-cache="default" stack-trace-on-error="local-only">
                  ..
              </servlet-container>
              <handlers>
                  <file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
              </handlers>
              <filters>
                  <response-header name="transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
              </filters>
          </subsystem>

          I have most of the work already done, so it should be done fairly quickly.

          Could I ask you to create a Jira issue so we can track this?

          --

          tomaz
          • 2. Re: Re: How to set Strict-Transport-Security in HTTP-Header?
            Juergen Zimmermann Master

            Tomaz, I compiled the latest WildFly snapshot, but got the following stack trace. The JIRA issue is [WFLY-2463] Set Strict-Transport-Security in HTTP-Header - JBoss Issue Tracker

            ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
                at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:112) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.server.ServerService.boot(ServerService.java:331) [wildfly-server-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:255) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
            Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[380,149]
            Message: JBAS014789: Unexpected element '{urn:jboss:domain:undertow:1.0}response-header' encountered
                at org.jboss.as.controller.parsing.ParseUtils.unexpectedElement(ParseUtils.java:85) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.controller.PersistentResourceXMLDescription.parseChildren(PersistentResourceXMLDescription.java:128) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.controller.PersistentResourceXMLDescription.parse(PersistentResourceXMLDescription.java:100) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.controller.PersistentResourceXMLDescription.parseChildren(PersistentResourceXMLDescription.java:126) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.controller.PersistentResourceXMLDescription.parse(PersistentResourceXMLDescription.java:100) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.wildfly.extension.undertow.UndertowSubsystemParser_1_0.readElement(UndertowSubsystemParser_1_0.java:218)
                at org.wildfly.extension.undertow.UndertowSubsystemParser_1_0.readElement(UndertowSubsystemParser_1_0.java:55)
                at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                at org.jboss.as.server.parsing.StandaloneXml.parseServerProfile(StandaloneXml.java:1129) [wildfly-server-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:458) [wildfly-server-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145) [wildfly-server-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107) [wildfly-server-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]
                at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:104) [wildfly-controller-8.0.0.Beta2-SNAPSHOT.jar:8.0.0.Beta2-SNAPSHOT]
                ... 3 more

            • 3. Re: Re: How to set Strict-Transport-Security in HTTP-Header?
              Tomaz Cerar Master

              Yeah, for now that is only on my working branch.

              https://github.com/ctomc/wildfly/tree/undertow

              It should be ready to be made into a PR later today.
              • 4. Re: Re: How to set Strict-Transport-Security in HTTP-Header?
                Juergen Zimmermann Master

                Got it. I'll wait until the PR is merged.

                • 5. Re: How to set Strict-Transport-Security in HTTP-Header?
                  Tomaz Cerar Master

                  Hey,

                  The PR is now merged and should be part of the next nightly build (it might already be).

                  I have commented on the Jira issue with an example configuration.

                  You can use filter-ref on host & location, but if you want filters to be applied to deployments, you need to configure them on the host resource.

                  --

                  tomaz
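A defender-side check for the header this thread configures, added here as an example; it is not part of the thread and not WildFly or Undertow code. It parses a Strict-Transport-Security value the way a browser reads it (RFC 6797 directives, case-insensitive names), flags a max-age below the one-year value used in the response-header filter in reply 1, and flags the header being delivered over plain http, where browsers ignore it. The sample responses are constructed, and the names parse_hsts, check_response and audit are my own.

```python
"""Validate Strict-Transport-Security (HSTS) response headers.

Added example; not code from the forum thread or from WildFly/Undertow.
The sample responses below are constructed, not captured from a server.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# One year in seconds: the max-age used by the thread's response-header filter.
RECOMMENDED_MIN_MAX_AGE = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.problems


def parse_hsts(value: str) -> HstsResult:
    """Parse a value such as 'max-age=31536000; includeSubDomains'.

    Directive names are case-insensitive (RFC 6797). Unknown directives are
    ignored; a missing, malformed, zero or short max-age is reported.
    """
    result = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            result.problems.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isascii() and arg.isdigit():
                result.max_age = int(arg)
            else:
                result.problems.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        result.problems.append("max-age directive is required")
    elif result.max_age == 0:
        result.problems.append("max-age=0 tells browsers to forget the HSTS policy")
    elif result.max_age < RECOMMENDED_MIN_MAX_AGE:
        result.problems.append(f"max-age {result.max_age} is below one year")
    return result


def check_response(scheme: str, headers: dict) -> HstsResult:
    """Evaluate one response: `headers` maps header name -> value.

    Browsers only honour HSTS on HTTPS responses, so a header that is only
    seen over plain http is flagged as ineffective.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return HstsResult(present=False, problems=["Strict-Transport-Security header missing"])
    result = parse_hsts(value)
    if scheme.lower() != "https":
        result.problems.append("HSTS is ignored by browsers unless delivered over HTTPS")
    return result


# Constructed samples: the thread's filter value over HTTPS, a too-short
# max-age, the header delivered over plain http, and no header at all.
SAMPLES = {
    "welcome-https": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "short-max-age": ("https", {"strict-transport-security": "max-age=300"}),
    "plain-http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "no-header": ("https", {"Content-Type": "text/html"}),
}


def audit(samples=SAMPLES) -> dict:
    """Run check_response over every sample and return results by name."""
    return {name: check_response(scheme, hdrs) for name, (scheme, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, res in audit().items():
        status = "OK " if res.ok else "BAD"
        print(f"{status} {name}: max-age={res.max_age} "
              f"includeSubDomains={res.include_subdomains} {res.problems}")
```

To check a real deployment, replace the constructed SAMPLES entries with the scheme and response headers obtained from the server for both the welcome page and an application path. A header that is present on the welcome content but absent on a deployed application matches the point made in the last reply: a filter-ref under a location only covers that location, while deployments need the filter-ref on the host resource.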