Author: remy.maucherat(a)jboss.com Date: 2008-08-26 19:34:00 -0400 (Tue, 26 Aug 2008) New Revision: 749 Added: trunk/java/org/apache/tomcat/util/http/TomcatCookie.java Modified: trunk/java/org/apache/catalina/connector/Request.java trunk/java/org/apache/catalina/connector/Response.java trunk/java/org/apache/tomcat/util/http/ServerCookie.java Log: - Should finish the session cookie configuration feature. Modified: trunk/java/org/apache/catalina/connector/Request.java =================================================================== --- trunk/java/org/apache/catalina/connector/Request.java 2008-08-25 11:03:17 UTC (rev 748) +++ trunk/java/org/apache/catalina/connector/Request.java 2008-08-26 23:34:00 UTC (rev 749) @@ -19,9 +19,9 @@ package org.apache.catalina.connector; -import java.io.InputStream; -import java.io.IOException; import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStream; import java.io.UnsupportedEncodingException; import java.security.Principal; import java.text.SimpleDateFormat; @@ -45,17 +45,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; -import org.apache.tomcat.util.buf.B2CConverter; -import org.apache.tomcat.util.buf.MessageBytes; -import org.apache.tomcat.util.buf.StringCache; -import org.apache.tomcat.util.http.Cookies; -import org.apache.tomcat.util.http.FastHttpDateFormat; -import org.apache.tomcat.util.http.Parameters; -import org.apache.tomcat.util.http.ServerCookie; -import org.apache.tomcat.util.http.mapper.MappingData; - -import org.apache.coyote.ActionCode; - import org.apache.catalina.Container; import org.apache.catalina.Context; import org.apache.catalina.Globals; @@ -71,6 +60,16 @@ import org.apache.catalina.util.RequestUtil; import org.apache.catalina.util.StringManager; import org.apache.catalina.util.StringParser; +import org.apache.coyote.ActionCode; +import org.apache.tomcat.util.buf.B2CConverter; +import org.apache.tomcat.util.buf.MessageBytes; +import org.apache.tomcat.util.buf.StringCache; +import org.apache.tomcat.util.http.Cookies; +import org.apache.tomcat.util.http.FastHttpDateFormat; +import org.apache.tomcat.util.http.Parameters; +import org.apache.tomcat.util.http.ServerCookie; +import org.apache.tomcat.util.http.TomcatCookie; +import org.apache.tomcat.util.http.mapper.MappingData; /** @@ -2374,7 +2373,7 @@ if ( (session != null) && (getContext() != null) && getContext().getCookies() && !(isRequestedSessionIdFromCookie() && (session.getIdInternal().equals(getRequestedSessionId()))) ) { - Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, + TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal()); configureSessionCookie(cookie); response.addCookieInternal(cookie); @@ -2394,7 +2393,7 @@ * * @param cookie The JSESSIONID cookie to be configured */ - protected void configureSessionCookie(Cookie cookie) { + protected void configureSessionCookie(TomcatCookie cookie) { cookie.setMaxAge(-1); if (context.getSessionCookie().getPath() != null) { cookie.setPath(context.getSessionCookie().getPath()); @@ -2412,7 +2411,7 @@ cookie.setDomain(context.getSessionCookie().getDomain()); } if (context.getSessionCookie().isHttpOnly()) { - // FIXME: in Servlet 3.0 + cookie.setHttpOnly(true); } if (context.getSessionCookie().isSecure()) { cookie.setSecure(true); Modified: trunk/java/org/apache/catalina/connector/Response.java =================================================================== --- trunk/java/org/apache/catalina/connector/Response.java 2008-08-25 11:03:17 UTC (rev 748) +++ trunk/java/org/apache/catalina/connector/Response.java 2008-08-26 23:34:00 UTC (rev 749) @@ -51,6 +51,7 @@ import org.apache.tomcat.util.http.FastHttpDateFormat; import org.apache.tomcat.util.http.MimeHeaders; import org.apache.tomcat.util.http.ServerCookie; +import org.apache.tomcat.util.http.TomcatCookie; import org.apache.tomcat.util.net.URL; /** @@ -976,7 +977,7 @@ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), false); return null; } }); @@ -984,7 +985,7 @@ ServerCookie.appendCookieValue (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), false); } // if we reached here, no exception, cookie is valid // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) @@ -997,6 +998,47 @@ /** + * Add the specified Cookie to those that will be included with + * this Response. + * + * @param cookie Cookie to be added + */ + public void addCookieInternal(final TomcatCookie cookie) { + + if (isCommitted()) + return; + + final StringBuffer sb = new StringBuffer(); + // web application code can receive a IllegalArgumentException + // from the appendCookieValue invocation + if (SecurityUtil.isPackageProtectionEnabled()) { + AccessController.doPrivileged(new PrivilegedAction() { + public Object run(){ + ServerCookie.appendCookieValue + (sb, cookie.getVersion(), cookie.getName(), + cookie.getValue(), cookie.getPath(), + cookie.getDomain(), cookie.getComment(), + cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly()); + return null; + } + }); + } else { + ServerCookie.appendCookieValue + (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), + cookie.getPath(), cookie.getDomain(), cookie.getComment(), + cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly()); + } + // if we reached here, no exception, cookie is valid + // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) + // RFC2965 is not supported by browsers and the Servlet spec + // asks for 2109. + addHeader("Set-Cookie", sb.toString()); + + cookies.add(cookie); + } + + + /** * Add the specified date header to the specified value. * * @param name Name of the header to set Modified: trunk/java/org/apache/tomcat/util/http/ServerCookie.java =================================================================== --- trunk/java/org/apache/tomcat/util/http/ServerCookie.java 2008-08-25 11:03:17 UTC (rev 748) +++ trunk/java/org/apache/tomcat/util/http/ServerCookie.java 2008-08-26 23:34:00 UTC (rev 749) @@ -257,7 +257,8 @@ String domain, String comment, int maxAge, - boolean isSecure ) + boolean isSecure, + boolean httpOnly) { StringBuffer buf = new StringBuffer(); // Servlet implementation checks name @@ -318,9 +319,14 @@ // Secure if (isSecure) { - buf.append ("; Secure"); + buf.append ("; Secure"); } + // HttpOnly + if (httpOnly) { + buf.append ("; HttpOnly"); + } + headerBuf.append(buf); } Added: trunk/java/org/apache/tomcat/util/http/TomcatCookie.java =================================================================== --- trunk/java/org/apache/tomcat/util/http/TomcatCookie.java (rev 0) +++ trunk/java/org/apache/tomcat/util/http/TomcatCookie.java 2008-08-26 23:34:00 UTC (rev 749) @@ -0,0 +1,38 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.tomcat.util.http; + +import javax.servlet.http.Cookie; + +public class TomcatCookie extends Cookie { + + boolean httpOnly = false; + + public TomcatCookie(String name, String value) { + super(name, value); + } + + public boolean getHttpOnly() { + return httpOnly; + } + + public void setHttpOnly(boolean httpOnly) { + this.httpOnly = httpOnly; + } + +}