
Advanced security configurations + content expiration exception
emjunior258 committed Sep 29, 2019
1 parent 5ee3d19 commit f6af0d6
Showing 28 changed files with 979 additions and 145 deletions.
100 changes: 88 additions & 12 deletions README.md
Expand Up @@ -5,26 +5,102 @@ It's a light Java Framework that allows developers to write fully Ajax web appli
# Need some guidance?
Please read the documentation at [https://docs.hi-framework.org/1.1.0/getting-started/](https://docs.hi-framework.org/1.1.0/getting-started/index.html "Hi-Framework docs")

# 1.5.0 Changes
* Redirect API Introduced
# 1.6.0 Changes
* New Security Configurations Introduced
* Content Expiration exception introduced

## Redirect API Usage example
See the code snippet below:
```java

## Content expiration event
See snippet below:

```javascript

Hi.template({

...

$frontiers:{

...

//Handle content expiration exception
expired : function(call){
alert("Content expired");
}

...

}

...

});


```


## Security configurations

### Frontiers security configurations
See the __Hi.xml__ snippet below:
```xml

...

@Inject
RequestContext context;
<frontiers>
<default-timeout>1600</default-timeout>
<security>
<cross-site-request-forgery>
<token>
<jwt-algorithm>HS512</jwt-algorithm>
<jwt-passphrase>4d1138af-18da-43fc-b4f5-e4bbebbc13d1</jwt-passphrase>
<secure-random-size>25</secure-random-size>
</token>
<cookie>
<secure>false</secure>
<http-only>true</http-only>
</cookie>
</cross-site-request-forgery>
</security>
</frontiers>

...

```

### General security configurations
See the __Hi.xml__ snippet below:
```xml

public void whatever(){

context.sendRedirect("people/list");

}
...

<security>
<content-security-policy>
<deny-iframe-embedding>true</deny-iframe-embedding>
<block-mixed-content>false</block-mixed-content>
<policy-allow>
<navigation to="http://myserver.com http://anotherserver.com *.facebook.com"/>
<!--default-src-->
<content from="'self'">
<!--img-src-->
<images from="'self' *.myserver.com"/>
<!--script-src-->
<scripts from="'self' *.myserver.com 'unsafe-inline' https://cdnjs.com"/>
<!--style-src-->
<styles from="'self' 'unsafe-inline'"/>
</content>
</policy-allow>
</content-security-policy>
</security>

...

```






The API will perform the redirect regardless of being invoked in the middle of an AJAX Request.
2 changes: 1 addition & 1 deletion Resources/pom.xml
Expand Up @@ -7,7 +7,7 @@

<groupId>org.emerjoin</groupId>
<artifactId>Hi-Framework-Resources</artifactId>
<version>1.5.0</version>
<version>1.6.0</version>
<packaging>jar</packaging>

</project>
144 changes: 129 additions & 15 deletions Resources/src/main/resources/META-INF/resources/hi-config.xsd
@@ -1,13 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://hi-framework.org/XML/1.1.0"
xmlns:hi="http://hi-framework.org/XML/1.1.0" elementFormDefault="qualified">
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://hi-framework.org/XML/1.6.0"
xmlns:hi="http://hi-framework.org/XML/1.6.0" elementFormDefault="qualified">

<xsd:simpleType name="StringWithAtLeast2Letters">
<xsd:restriction base="xsd:string">
<xsd:minLength value="2"></xsd:minLength>
</xsd:restriction>
</xsd:simpleType>

<xsd:simpleType name="StringWithAtLeast1Letter">
<xsd:restriction base="xsd:string">
<xsd:minLength value="1"></xsd:minLength>
</xsd:restriction>
</xsd:simpleType>

<xsd:complexType name="i18nLanguageType">
<xsd:simpleContent>
<xsd:extension base="hi:StringWithAtLeast2Letters">
Expand Down Expand Up @@ -40,18 +46,12 @@
</xsd:all>
</xsd:complexType>

<xsd:simpleType name="timeoutValue">
<xsd:restriction base="xsd:long">
<xsd:minInclusive value="1"></xsd:minInclusive>
</xsd:restriction>
</xsd:simpleType>

<xsd:complexType name="webType">
<xsd:all maxOccurs="1" minOccurs="1">
<xsd:element type="xsd:string" name="views-directory" nillable="false" minOccurs="0" maxOccurs="1"/>
<xsd:element type="xsd:string" name="welcome-url" nillable="false" minOccurs="0" maxOccurs="1"/>
<xsd:element type="hi:templatesType" name="templates" nillable="false" minOccurs="0" maxOccurs="1"/>
<xsd:element type="hi:timeoutValue" name="default-frontiers-timeout" minOccurs="0" maxOccurs="1"/>
<xsd:element type="xsd:string" name="base-url" minOccurs="0"/>
</xsd:all>
</xsd:complexType>
Expand All @@ -64,9 +64,121 @@
</xsd:sequence>
</xsd:complexType>

<xsd:complexType name="frontiersType">

<xsd:complexType name="frontiersConfig">
<xsd:sequence>
<xsd:element minOccurs="1" maxOccurs="unbounded" name="frontier" type="xsd:string"></xsd:element>
<xsd:element name="default-timeout" minOccurs="0">
<xsd:simpleType>
<xsd:restriction base="xsd:long">
<xsd:minInclusive value="1"></xsd:minInclusive>
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
<xsd:element name="security" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="cross-site-request-forgery" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="token" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="jwt-algorithm">
<xsd:simpleType>
<xsd:restriction base="xsd:string">
<xsd:enumeration value="HS256"/>
<xsd:enumeration value="HS384"/>
<xsd:enumeration value="HS512"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
<xsd:element name="jwt-passphrase" type="hi:StringWithAtLeast2Letters"/>
<xsd:element name="secure-random-size">
<xsd:simpleType>
<xsd:restriction base="xsd:int">
<xsd:minExclusive value="23"/>
<xsd:maxExclusive value="1025"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="cookie" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="secure" type="xsd:boolean"/>
<xsd:element name="http-only" type="xsd:boolean"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>

<xsd:complexType name="securityConfig">
<xsd:sequence>
<xsd:element name="content-security-policy">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="reporting-url" type="hi:StringWithAtLeast2Letters" minOccurs="0"/>
<xsd:element name="deny-iframe-embedding" type="xsd:boolean"/>
<xsd:element name="block-mixed-content" type="xsd:boolean"/>
<xsd:element name="policy-allow" minOccurs="0">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="navigation">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="form-action" type="hi:StringWithAtLeast1Letter" minOccurs="0"/>
</xsd:sequence>
<xsd:attribute name="to" type="hi:StringWithAtLeast1Letter"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="content">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="images" minOccurs="0">
<xsd:complexType>
<xsd:attribute name="from" type="hi:StringWithAtLeast1Letter" use="required"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="scripts" minOccurs="0">
<xsd:complexType>
<xsd:attribute name="from" type="hi:StringWithAtLeast1Letter" use="required"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="styles" minOccurs="0">
<xsd:complexType>
<xsd:attribute name="from" type="hi:StringWithAtLeast1Letter" use="required"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="media" minOccurs="0">
<xsd:complexType>
<xsd:attribute name="from" type="hi:StringWithAtLeast1Letter" use="required"/>
</xsd:complexType>
</xsd:element>
<xsd:element name="objects" minOccurs="0">
<xsd:complexType>
<xsd:attribute name="from" type="hi:StringWithAtLeast1Letter" use="required"/>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
<xsd:attribute name="from" type="hi:StringWithAtLeast1Letter"/>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:element>

</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:sequence>
</xsd:complexType>

Expand Down Expand Up @@ -195,11 +307,13 @@

<xsd:complexType name="appType">
<xsd:all>
<xsd:element type="xsd:string" name="default-lang" nillable="false" maxOccurs="1" minOccurs="0"></xsd:element>
<xsd:element type="hi:appModeType" name="deployment-mode" nillable="false" maxOccurs="1" minOccurs="0" ></xsd:element>
<xsd:element type="hi:webType" name="web" minOccurs="0" nillable="false" maxOccurs="1"></xsd:element>
<xsd:element type="hi:i18nType" name="i18n" minOccurs="0" maxOccurs="1" nillable="false"></xsd:element>
<xsd:element type="hi:tunningType" name="web-tuning" nillable="false" minOccurs="0" maxOccurs="1"></xsd:element>
<xsd:element type="xsd:string" name="default-lang" nillable="false" maxOccurs="1" minOccurs="0"/>
<xsd:element type="hi:appModeType" name="deployment-mode" nillable="false" maxOccurs="1" minOccurs="0"/>
<xsd:element type="hi:frontiersConfig" name="frontiers" minOccurs="0" nillable="false" maxOccurs="1"/>
<xsd:element type="hi:webType" name="web" minOccurs="0" nillable="false" maxOccurs="1"/>
<xsd:element type="hi:securityConfig" name="security" minOccurs="0" nillable="false" maxOccurs="1"/>
<xsd:element type="hi:i18nType" name="i18n" minOccurs="0" maxOccurs="1" nillable="false"/>
<xsd:element type="hi:tunningType" name="web-tuning" nillable="false" minOccurs="0" maxOccurs="1"/>
</xsd:all>
</xsd:complexType>

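Review bot: The `jwt-passphrase` element in the new `token` type is typed `hi:StringWithAtLeast2Letters`, so a two-character secret validates even though it is the HMAC key behind the HS256/HS384/HS512 choices enumerated directly above it; RFC 7518 §3.2 requires an HMAC key at least as long as the hash output (32, 48 or 64 bytes respectively). The schema cannot tie the length to the selected algorithm, but it can reject obviously weak values, so a dedicated restriction with a `minLength` floor is worth adding, with the per-algorithm check left to the config loader. Separately, the README example in this same commit sets `<secure>false</secure>` for the CSRF cookie; the schema cannot forbid that, so the `cookie` element should carry a comment such as `<!-- secure must be true outside local development, otherwise the CSRF token is sent over plain HTTP -->`. Proposed replacement for the `jwt-passphrase` element:
```xml
<xsd:element name="jwt-passphrase">
    <!-- HMAC key for jwt-algorithm above. 32 is only a floor; the loader must
         still enforce RFC 7518 sizes (HS256: 32, HS384: 48, HS512: 64 bytes). -->
    <xsd:simpleType>
        <xsd:restriction base="xsd:string">
            <xsd:minLength value="32"/>
        </xsd:restriction>
    </xsd:simpleType>
</xsd:element>
```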
21 changes: 19 additions & 2 deletions Resources/src/main/resources/META-INF/resources/hi.js
Expand Up @@ -2383,7 +2383,6 @@ Hi.$frontiers.Promise = function(){

var request = undefined;


var getGlobalHandler = function(name){

if(__.hasOwnProperty("$frontiers")) {
Expand Down Expand Up @@ -2496,6 +2495,21 @@ Hi.$frontiers.Promise = function(){

};

this._setExpired = function(){

var gExpiredHandler = getGlobalHandler("expired");
var gErrorHandler = getGlobalHandler("catch");

if(typeof gExpiredHandler=="function"){
gExpiredHandler.call(getGlobalHandlers(),this);
}else if(typeof gErrorHandler=="function"){
gErrorHandler.call(getGlobalHandlers(),419);
}

this._setRequestFinished();

};

this._setForbidden = function(){

var gForbiddenHandler = getGlobalHandler("forbidden");
Expand Down Expand Up @@ -3050,6 +3064,9 @@ var fMx = function(params,$functionUrl,_$tout,_$fmut,_$si,_$si_method,_$abpon,fa
case 408:
promisse._setTimedOut();
break;
case 419:
promisse._setExpired();
break;
case 421:
promisse._setInterrupted();
break;
Expand All @@ -3070,7 +3087,7 @@ var fMx = function(params,$functionUrl,_$tout,_$fmut,_$si,_$si_method,_$abpon,fa

ajaxParams.method = "POST";
ajaxParams.url = $functionUrl;
ajaxParams.headers = {csrfToken: App.csrfToken};
//ajaxParams.headers = {csrfToken: App.csrfToken};
ajaxParams.dataType = "json";
ajaxParams.cache = false;
ajaxParams.timeout = _$tout;
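Review bot: Commenting out `ajaxParams.headers = {csrfToken: App.csrfToken};` in fMx means the client no longer sends any CSRF token with frontier POSTs, while the rest of this commit adds server-side CSRF token and cookie configuration; unless the token now reaches the server some other way, a cookie alone cannot distinguish an app-originated request from a cross-site one, because the browser attaches it to cross-site POSTs too, and the new `http-only` setting means page script cannot read it back into a header. If a double-submit scheme is intended the token still has to travel in a header or body field the page script sets; if SameSite or an Origin check replaces it, that is not visible in this hunk. Either restore the header with the new token source or delete the dead line and leave a comment stating how the token is conveyed, e.g. `// CSRF token is no longer sent as a header; validated server-side from the frontiers/security cookie (see Hi.xml)`. fMx begins before this hunk and continues after it.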
2 changes: 1 addition & 1 deletion Resources/src/main/resources/META-INF/resources/hi.min.js


13 changes: 10 additions & 3 deletions Web/pom.xml
Expand Up @@ -6,7 +6,7 @@

<groupId>org.emerjoin</groupId>
<artifactId>Hi-Framework</artifactId>
<version>1.5.0</version>
<version>1.6.0</version>
<packaging>jar</packaging>

<build>
Expand All @@ -31,7 +31,7 @@
<dependency>
<groupId>org.emerjoin</groupId>
<artifactId>Hi-Framework-Resources</artifactId>
<version>1.5.0</version>
<version>1.6.0</version>
<scope>compile</scope>
<optional>false</optional>
</dependency>
Expand Down Expand Up @@ -109,7 +109,7 @@
<dependency>
<groupId>org.emerjoin</groupId>
<artifactId>XMLEasy</artifactId>
<version>1.1.0</version>
<version>2.0.0</version>
</dependency>

<dependency>
Expand All @@ -118,6 +118,13 @@
<version>1.1.0</version>
</dependency>

<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>


</dependencies>

<repositories>
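Review bot: `io.jsonwebtoken:jjwt:0.9.1` is added to sign the CSRF tokens this commit configures, and, as far as I recall, the 0.9.x line accepts an HMAC key of any length, so a short `jwt-passphrase` from Hi.xml would be used as-is for HS256/HS384/HS512. Later releases (0.10 and up, split into `jjwt-api`/`jjwt-impl`/`jjwt-jackson`) reject keys below the RFC 7518 minimum for the chosen algorithm; pinning one of those, or enforcing the minimum size where the passphrase is loaded, would make the algorithm choice meaningful. It is also worth checking that the monolithic 0.9.1 artifact's transitive Jackson dependency does not pull in an older version than the one the project already resolves.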
