This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.

Status

Current state[One of "Under Discussion", "Accepted", "Rejected"]

...

We will add a new property "response.http.headers" that lets the REST server administrator configure response headers according to their security policies. We borrow the Jetty HeaderFilter class and use the same format as its headerConfig init param. The value of response.http.headers is a comma-separated list of "[action] [header name]:[header value]" entries, that is, a CSV of actions to perform on headers with the following syntax:
[action] [header name]: [header value],
[action] can be one of "set, add, setDate, or addDate" and specifies the action to perform on the header.

  • The set action is the same as the setHeader function in HttpServletResponse: it sets a response header with the given name and value. If the header has already been set, the new value overwrites the previous one.
  • The add action is the same as the addHeader function in HttpServletResponse: it adds a new value to the header. Response headers can have multiple values.
  • The setDate action is the same as the setDateHeader function in HttpServletResponse. It sets a response header whose value is a date, such as "setDate Expires: 31540000000", which indicates the header will expire approximately one year in the future.
  • The addDate action is the same as the addDateHeader function in HttpServletResponse. It adds a response header with the given name and date value, such as "addDate Last-Modified: 0", which indicates the Last-Modified date is the same as the current system date.

[header name] specifies the name of the header.
[header value] specifies the value of the header. Because the comma is the separator between headers, an entry whose value contains commas must be enclosed in double quotes.

Example of configuration for response.http.headers

response.http.headers=set X-Frame-Options: DENY, "add Cache-Control: no-cache, no-store, must-revalidate", setDate Expires: 31540000000, addDate Last-Modified: 0
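The following is an added example, not code from the KIP, Kafka or Jetty: a small checker that follows the syntax as described above and shows why an entry containing commas must be quoted. The class and method names are hypothetical, and the unquoted input is constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
// Added illustration; class and method names are hypothetical, not Kafka or Jetty code.
public class ResponseHeadersConfigCheck {
    private static final Set<String> ACTIONS = Set.of("set", "add", "setDate", "addDate");
    // Split on commas that are outside double quotes; the quotes themselves are dropped.
    static List<String> splitEntries(String config) {
        List<String> entries = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (char c : config.toCharArray()) {
            if (c == '"') { quoted = !quoted; }
            else if (c == ',' && !quoted) { entries.add(cur.toString().trim()); cur.setLength(0); }
            else { cur.append(c); }
        }
        if (quoted) throw new IllegalArgumentException("unbalanced double quote");
        entries.add(cur.toString().trim());
        return entries;
    }

    // Returns {action, header name, header value} or throws on a malformed entry.
    static String[] parseEntry(String entry) {
        String[] actionAndRest = entry.split("\\s+", 2);
        if (actionAndRest.length != 2 || !ACTIONS.contains(actionAndRest[0]))
            throw new IllegalArgumentException("bad or missing action in: '" + entry + "'");
        int colon = actionAndRest[1].indexOf(':');
        if (colon <= 0)
            throw new IllegalArgumentException("expected 'name: value' in: '" + entry + "'");
        String name = actionAndRest[1].substring(0, colon).trim();
        String value = actionAndRest[1].substring(colon + 1).trim();
        if (name.isEmpty() || value.isEmpty())
            throw new IllegalArgumentException("empty name or value in: '" + entry + "'");
        // Date actions take a numeric value; NumberFormatException is an IllegalArgumentException.
        if (actionAndRest[0].endsWith("Date")) Long.parseLong(value);
        return new String[] {actionAndRest[0], name, value};
    }
    public static void main(String[] args) {
        String good = "set X-Frame-Options: DENY, \"add Cache-Control: no-cache, no-store, must-revalidate\", "
                + "setDate Expires: 31540000000, addDate Last-Modified: 0";
        for (String e : splitEntries(good)) System.out.println(String.join(" | ", parseEntry(e)));
        // Constructed input: the same Cache-Control entry without quotes is cut at its first comma.
        String bad = "add Cache-Control: no-cache, no-store, must-revalidate";
        try {
            for (String e : splitEntries(bad)) parseEntry(e);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

With the unquoted input, the first fragment parses as "add Cache-Control: no-cache" and the next fragment, "no-store", is rejected because it carries no action, so a validation step like this catches a weakened Cache-Control policy before the server starts.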

Implementation

The implementation will use the Jetty HeaderFilter class. During initialization, the Connect REST server will read the header configuration from the property response.http.headers, then create a FilterHolder with the HeaderFilter class and add the filter holder to the servlet context handler.

Pseudocode

ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
// Raw value of the new property, in the HeaderFilter headerConfig format
String responseHeaders = config.getString("response.http.headers");
FilterHolder headersFilterHolder = new FilterHolder(HeaderFilter.class);
headersFilterHolder.setName("headerConfig");
// Pass the property value to HeaderFilter as its headerConfig init param
headersFilterHolder.setInitParameter("headerConfig", responseHeaders);
// Apply the filter to every request path
context.addFilter(headersFilterHolder, "/*", EnumSet.of(DispatcherType.REQUEST));

References

...