add config option to not ignore security headers (#1354)

* add config option to not ignore security headers * fix field documentation of ignoreSecurityHeaders * add documenation for zuul.ignoreSecurityHeaders fixes gh-1096

add config option to not ignore security headers (#1354)
e109093b · Mathias Düsterhöft · Spencer Gibb · 4ba34112 · e109093b · e109093b
Commit e109093b authored Oct 04, 2016 by Mathias Düsterhöft Committed by Spencer Gibb Oct 03, 2016
3 changed files
--- a/docs/src/main/asciidoc/spring-cloud-netflix.adoc
+++ b/docs/src/main/asciidoc/spring-cloud-netflix.adoc
@@ -1413,6 +1413,8 @@ need to set it unless you want it to be different. N.B. this is new in
 Spring Cloud Netflix 1.1 (in 1.0 the user had no control over headers
 and all cookies flow in both directions).
+=== Ignored Headers
 In addition to the per-route sensitive headers, you can set a global
 value for `zuul.ignoredHeaders` for values that should be discarded
 (both request and response) during interactions with downstream
@@ -1421,6 +1423,7 @@ classpath, and otherwise they are initialized to a set of well-known
 "security" headers (e.g. involving caching) as specified by Spring
 Security. The assumption in this case is that the downstream services
 might add these headers too, and we want the values from the proxy.
+To not discard these well known security headers in case Spring Security is on the classpath you can set `zuul.ignoreSecurityHeaders` to `false`. This can be useful if you disabled the HTTP Security response headers in Spring Security and want the values provided by downstream services
 === The Routes Endpoint

--- a/spring-cloud-netflix-core/src/main/java/org/springframework/cloud/netflix/zuul/filters/ZuulProperties.java
+++ b/spring-cloud-netflix-core/src/main/java/org/springframework/cloud/netflix/zuul/filters/ZuulProperties.java
@@ -42,6 +42,7 @@ import static com.netflix.hystrix.HystrixCommandProperties.ExecutionIsolationStr
 /**
 * @author Spencer Gibb
 * @author Dave Syer
+ * @author Mathias Düsterhöft
 */
 @Data
 @ConfigurationProperties("zuul")
@@ -50,7 +51,7 @@ public class ZuulProperties {
 	/**
 	 * Headers that are generally expected to be added by Spring Security, and hence often
 	 * duplicated if the proxy and the backend are secured with Spring. By default they
-	 * are added to the ignored headers if Spring Security is present.
+	 * are added to the ignored headers if Spring Security is present and ignoreSecurityHeaders = true.
 	 */
 	public static final List<String> SECURITY_HEADERS = Arrays.asList("Pragma",
 			"Cache-Control", "X-Frame-Options", "X-Content-Type-Options",
@@ -102,6 +103,14 @@ public class ZuulProperties {
 	private Set<String> ignoredHeaders = new LinkedHashSet<>();
 	/**
+	 * SECURITY_HEADERS are added to ignored headers if spring security is on the classpath and ignoreSecurityHeaders = true
+	 * By setting ignoreSecurityHeaders to false we can switch off this default behaviour. This should be used together with
+	 * disabling the default spring security headers
+	 * see https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#default-security-headers
+	 */
+	private boolean ignoreSecurityHeaders = true;
+	/**
 	 * Path to install Zuul as a servlet (not part of Spring MVC). The servlet is more
 	 * memory efficient for requests with large bodies, e.g. file uploads.
 	 */
@@ -148,7 +157,7 @@ public class ZuulProperties {
 		Set<String> ignoredHeaders = new LinkedHashSet<>(this.ignoredHeaders);
 		if (ClassUtils.isPresent(
 				"org.springframework.security.config.annotation.web.WebSecurityConfigurer",
-				null) && Collections.disjoint(ignoredHeaders, SECURITY_HEADERS)) {
+				null) && Collections.disjoint(ignoredHeaders, SECURITY_HEADERS) && ignoreSecurityHeaders) {
 			// Allow Spring Security in the gateway to control these headers
 			ignoredHeaders.addAll(SECURITY_HEADERS);
 		}

--- a/spring-cloud-netflix-core/src/test/java/org/springframework/cloud/netflix/zuul/filters/ZuulPropertiesTests.java
+++ b/spring-cloud-netflix-core/src/test/java/org/springframework/cloud/netflix/zuul/filters/ZuulPropertiesTests.java
@@ -29,6 +29,7 @@ import static org.junit.Assert.assertTrue;
 /**
 * @author Dave Syer
+ * @author Mathias Düsterhöft
 */
 public class ZuulPropertiesTests {
@@ -46,11 +47,19 @@ public class ZuulPropertiesTests {
 	@Test
 	public void defaultIgnoredHeaders() {
+		assertTrue(this.zuul.isIgnoreSecurityHeaders());
 		assertTrue(this.zuul.getIgnoredHeaders()
 				.containsAll(ZuulProperties.SECURITY_HEADERS));
 	}
 	@Test
+	public void securityHeadersNotIgnored() {
+		zuul.setIgnoreSecurityHeaders(false);
+		assertTrue(this.zuul.getIgnoredHeaders().isEmpty());
+	}
+	@Test
 	public void addIgnoredHeaders() {
 		this.zuul.setIgnoredHeaders(Collections.singleton("x-foo"));
 		assertTrue(this.zuul.getIgnoredHeaders().contains("x-foo"));