ATLAS-3490: Added headers in atlas api

webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java

@@ -333,10 +333,10 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
             HttpServletResponse         httpResponse    = (HttpServletResponse) response;
             AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
 
-            responseWrapper.setHeader("X-Frame-Options", "DENY");
-            responseWrapper.setHeader("X-Content-Type-Options", "nosniff");
-            responseWrapper.setHeader("X-XSS-Protection", "1; mode=block");
-            responseWrapper.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+            HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_FRAME_OPTIONS_KEY);
+            HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY);
+            HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_XSS_PROTECTION_KEY);
+            HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.STRICT_TRANSPORT_SEC_KEY);
 
             if (headerProperties != null) {
                 for (String headerKey : headerProperties.stringPropertyNames()) {

webapp/src/main/java/org/apache/atlas/web/filters/AtlasCSRFPreventionFilter.java

@@ -184,7 +184,7 @@ public class AtlasCSRFPreventionFilter implements Filter {
         final HttpServletRequest httpRequest = (HttpServletRequest) request;
         final HttpServletResponse httpResponse = (HttpServletResponse) response;
         AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
-        responseWrapper.setHeader("X-Frame-Options", "DENY");
+		HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_FRAME_OPTIONS_KEY);
 
         if (isCSRF_ENABLED){
             handleHttpInteraction(new ServletFilterHttpInteraction(httpRequest, httpResponse, chain));

webapp/src/main/java/org/apache/atlas/web/filters/AtlasHeaderFilter.java

+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.web.filters;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AtlasHeaderFilter implements Filter {
+    private static final Logger LOG = LoggerFactory.getLogger(AtlasHeaderFilter.class);
+
+    @Override
+    public void init(FilterConfig filterConfig) {
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
+            throws IOException, ServletException {
+        setHeaders((HttpServletResponse) response);
+        filterChain.doFilter(request, response);
+    }
+
+    public void setHeaders(HttpServletResponse httpResponse) {
+        AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
+        HeadersUtil.setSecurityHeaders(responseWrapper);
+    }
+
+    @Override
+    public void destroy() {
+    }
+}

webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java

@@ -28,7 +28,6 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jwt.SignedJWT;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.security.AtlasAuthenticationProvider;
-import org.apache.atlas.web.util.Servlets;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.client.utils.URIBuilder;
@@ -50,7 +49,6 @@ import javax.servlet.*;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.UriBuilder;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
@@ -67,7 +65,6 @@ import java.util.List;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Enumeration;
-import org.apache.commons.lang.StringUtils;
 
 
 @Component("ssoAuthenticationFilter")
@@ -136,11 +133,10 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
         HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
 
         AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
-        responseWrapper.setHeader("X-Frame-Options", "DENY");
-        responseWrapper.setHeader("X-Content-Type-Options", "nosniff");
-        responseWrapper.setHeader("X-XSS-Protection", "1; mode=block");
-        responseWrapper.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-
+        HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_FRAME_OPTIONS_KEY);
+        HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY);
+        HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_XSS_PROTECTION_KEY);
+        HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.STRICT_TRANSPORT_SEC_KEY);
 
         if (!ssoEnabled) {
             filterChain.doFilter(servletRequest, servletResponse);

webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java

+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.web.filters;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Component
+public class HeadersUtil {
+
+    private static final Logger LOG = LoggerFactory.getLogger(HeadersUtil.class);
+
+    public static final Map<String, String> headerMap = new HashMap<>();
+
+
+    public static final String X_FRAME_OPTIONS_KEY = "X-Frame-Options";
+    public static final String X_CONTENT_TYPE_OPTIONS_KEY = "X-Content-Type-Options";
+    public static final String X_XSS_PROTECTION_KEY = "X-XSS-Protection";
+    public static final String STRICT_TRANSPORT_SEC_KEY = "Strict-Transport-Security";
+    public static final String CONTENT_SEC_POLICY_KEY = "Content-Security-Policy";
+    public static final String SERVER_KEY = "Server";
+
+    public static final String X_FRAME_OPTIONS_VAL = "DENY";
+    public static final String X_CONTENT_TYPE_OPTIONS_VAL = "nosniff";
+    public static final String X_XSS_PROTECTION_VAL = "1; mode=block";
+    public static final String STRICT_TRANSPORT_SEC_VAL = "max-age=31536000; includeSubDomains";
+    public static final String CONTENT_SEC_POLICY_VAL = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:";
+    public static final String SERVER_VAL = "Apache Atlas";
+
+    HeadersUtil() {
+        headerMap.put(X_FRAME_OPTIONS_KEY, X_FRAME_OPTIONS_VAL);
+        headerMap.put(X_CONTENT_TYPE_OPTIONS_KEY, X_CONTENT_TYPE_OPTIONS_VAL);
+        headerMap.put(X_XSS_PROTECTION_KEY, X_XSS_PROTECTION_VAL);
+        headerMap.put(STRICT_TRANSPORT_SEC_KEY, STRICT_TRANSPORT_SEC_VAL);
+        headerMap.put(CONTENT_SEC_POLICY_KEY, CONTENT_SEC_POLICY_VAL);
+        headerMap.put(SERVER_KEY, SERVER_VAL);
+    }
+
+    public static void setHeaderMapAttributes(AtlasResponseRequestWrapper responseWrapper, String headerKey) {
+        responseWrapper.setHeader(headerKey, headerMap.get(headerKey));
+
+    }
+
+    public static void setSecurityHeaders(AtlasResponseRequestWrapper responseWrapper) {
+        for (Map.Entry<String, String> entry : headerMap.entrySet()) {
+            responseWrapper.setHeader(entry.getKey(), entry.getValue());
+        }
+    }
+}

webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java

@@ -17,12 +17,7 @@
  */
 package org.apache.atlas.web.security;
 
-import org.apache.atlas.web.filters.ActiveServerFilter;
-import org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint;
-import org.apache.atlas.web.filters.AtlasAuthenticationFilter;
-import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
-import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
-import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
+import org.apache.atlas.web.filters.*;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.lang.StringUtils;
 import org.keycloak.adapters.AdapterDeploymentContext;
@@ -33,9 +28,7 @@ import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean;
 import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
 import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint;
-import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
 import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
-import org.keycloak.adapters.springsecurity.config.KeycloakSpringConfigResolverWrapper;
 import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
 import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
 import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
@@ -192,8 +185,8 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
                 .authorizeRequests().anyRequest().authenticated()
                 .and()
                     .headers()
-                        .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:"))
-                        .addHeaderWriter(new StaticHeadersWriter("Server","Apache Atlas"))
+                .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.headerMap.get(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
+                .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.SERVER_KEY, HeadersUtil.headerMap.get(HeadersUtil.SERVER_KEY)))
                         .and()
                     .servletApi()
                 .and()

webapp/src/main/webapp/WEB-INF/web.xml

@@ -81,6 +81,21 @@
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
+    <filter>
+        <filter-name>HeaderFilter</filter-name>
+        <filter-class>org.apache.atlas.web.filters.AtlasHeaderFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HeaderFilter</filter-name>
+        <url-pattern>/api/atlas/admin/metrics</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>HeaderFilter</filter-name>
+        <url-pattern>/api/atlas/admin/status</url-pattern>
+    </filter-mapping>
+
     <listener>
         <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
     </listener>