Author: mmillson Date: 2010-08-04 13:20:15 -0400 (Wed, 04 Aug 2010) New Revision: 1515 Added: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java Log: Add HttpOnly Cookie support for [JBPAPP-4794]. Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java 2010-08-04 16:36:35 UTC (rev 1514) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -30,6 +30,7 @@ import org.apache.catalina.deploy.LoginConfig; import org.apache.catalina.deploy.NamingResources; import org.apache.catalina.deploy.SecurityConstraint; +import org.apache.catalina.deploy.SessionCookie; import org.apache.catalina.util.CharsetMapper; @@ -173,8 +174,21 @@ */ public boolean getCookies(); + /** + * Set the session cookie configuration. + * + * @param sessionCookie The new value + */ + public void setSessionCookie(SessionCookie sessionCookie); + /** + * Return the session cookie configuration. + */ + public SessionCookie getSessionCookie(); + + + /** * Set the "use cookies for session ids" flag. * * @param cookies The new flag Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-04 16:36:35 UTC (rev 1514) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -52,6 +52,7 @@ import org.apache.tomcat.util.http.FastHttpDateFormat; import org.apache.tomcat.util.http.Parameters; import org.apache.tomcat.util.http.ServerCookie; +import org.apache.tomcat.util.http.TomcatCookie; import org.apache.tomcat.util.http.mapper.MappingData; import org.apache.coyote.ActionCode; @@ -2296,7 +2297,7 @@ // Creating a new session cookie based on that session if ((session != null) && (getContext() != null) && getContext().getCookies()) { - Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, + TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal()); configureSessionCookie(cookie); response.addCookieInternal(cookie); @@ -2316,7 +2317,7 @@ * * @param cookie The JSESSIONID cookie to be configured */ - protected void configureSessionCookie(Cookie cookie) { + protected void configureSessionCookie(TomcatCookie cookie) { cookie.setMaxAge(-1); String contextPath = null; if (!connector.getEmptySessionPath() && (getContext() != null)) { @@ -2327,6 +2328,9 @@ } else { cookie.setPath("/"); } + if (context.getSessionCookie().isHttpOnly()) { + cookie.setHttpOnly(true); + } if (isSecure()) { cookie.setSecure(true); } Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java 2010-08-04 16:36:35 UTC (rev 1514) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -51,6 +51,7 @@ import org.apache.tomcat.util.http.FastHttpDateFormat; import org.apache.tomcat.util.http.MimeHeaders; import org.apache.tomcat.util.http.ServerCookie; +import org.apache.tomcat.util.http.TomcatCookie; import org.apache.tomcat.util.net.URL; /** @@ -962,7 +963,7 @@ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), false); return null; } }); @@ -970,7 +971,7 @@ ServerCookie.appendCookieValue (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), false); } // if we reached here, no exception, cookie is valid // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) @@ -983,6 +984,47 @@ /** + * Add the specified Cookie to those that will be included with + * this Response. + * + * @param cookie Cookie to be added + */ + public void addCookieInternal(final TomcatCookie cookie) { + + if (isCommitted()) + return; + + final StringBuffer sb = new StringBuffer(); + // web application code can receive a IllegalArgumentException + // from the appendCookieValue invocation + if (SecurityUtil.isPackageProtectionEnabled()) { + AccessController.doPrivileged(new PrivilegedAction() { + public Object run(){ + ServerCookie.appendCookieValue + (sb, cookie.getVersion(), cookie.getName(), + cookie.getValue(), cookie.getPath(), + cookie.getDomain(), cookie.getComment(), + cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly()); + return null; + } + }); + } else { + ServerCookie.appendCookieValue + (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), + cookie.getPath(), cookie.getDomain(), cookie.getComment(), + cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly()); + } + // if we reached here, no exception, cookie is valid + // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) + // RFC2965 is not supported by browsers and the Servlet spec + // asks for 2109. + addHeader("Set-Cookie", sb.toString()); + + cookies.add(cookie); + } + + + /** * Add the specified date header to the specified value. * * @param name Name of the header to set Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java 2010-08-04 16:36:35 UTC (rev 1514) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -83,6 +83,7 @@ import org.apache.catalina.deploy.NamingResources; import org.apache.catalina.deploy.SecurityCollection; import org.apache.catalina.deploy.SecurityConstraint; +import org.apache.catalina.deploy.SessionCookie; import org.apache.catalina.loader.WebappLoader; import org.apache.catalina.session.StandardManager; import org.apache.catalina.startup.ContextConfig; @@ -515,6 +516,11 @@ */ private long sequenceNumber = 0; + /** + * The session cookie. + */ + private SessionCookie sessionCookie = new SessionCookie(); + /** * The status code error pages for this web application, keyed by * HTTP status code (as an Integer). @@ -1375,6 +1381,25 @@ /** + * Set the session cookie configuration. + * + * @param sessionCookie The new value + */ + public void setSessionCookie(SessionCookie sessionCookie) { + SessionCookie oldSessionCookie = this.sessionCookie; + this.sessionCookie = sessionCookie; + support.firePropertyChange("sessionCookie", oldSessionCookie, sessionCookie); + } + + + /** + * Return the session cookie configuration. + */ + public SessionCookie getSessionCookie() { + return this.sessionCookie; + } + + /** * Return the login configuration descriptor for this web application. */ public LoginConfig getLoginConfig() { Added: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java (rev 0) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -0,0 +1,72 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.catalina.deploy; + +import java.io.Serializable; + +public class SessionCookie implements Serializable { + + protected String domain = null; + protected String path = null; + protected String comment = null; + protected boolean httpOnly = false; + protected boolean secure = false; + + public SessionCookie() { + } + + public String getDomain() { + return domain; + } + + public String getPath() { + return path; + } + + public String getComment() { + return comment; + } + + public boolean isHttpOnly() { + return httpOnly; + } + + public boolean isSecure() { + return secure; + } + + public void setDomain(String domain) { + this.domain = domain; + } + + public void setPath(String path) { + this.path = path; + } + + public void setComment(String comment) { + this.comment = comment; + } + + public void setHttpOnly(boolean httpOnly) { + this.httpOnly = httpOnly; + } + + public void setSecure(boolean secure) { + this.secure = secure; + } +} Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java 2010-08-04 16:36:35 UTC (rev 1514) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -192,6 +192,12 @@ digester.addRule(prefix + "Context/ResourceLink", new SetNextNamingRule("addResourceLink", "org.apache.catalina.deploy.ContextResourceLink")); + + digester.addObjectCreate(prefix + "Context/SessionCookie", + "org.apache.catalina.deploy.SessionCookie"); + digester.addSetProperties(prefix + "Context/SessionCookie"); + digester.addSetNext(prefix + "Context/SessionCookie", + "setSessionCookie", "org.apache.catalina.deploy.SessionCookie"); digester.addObjectCreate(prefix + "Context/Valve", null, // MUST be specified in the element Modified: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java 2010-08-04 16:36:35 UTC (rev 1514) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -260,7 +260,8 @@ String domain, String comment, int maxAge, - boolean isSecure ) + boolean isSecure, + boolean httpOnly) { StringBuffer buf = new StringBuffer(); // Servlet implementation checks name @@ -324,6 +325,11 @@ buf.append ("; Secure"); } + // HttpOnly + if (httpOnly) { + buf.append ("; HttpOnly"); + } + headerBuf.append(buf); } Added: branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java (rev 0) +++ branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java 2010-08-04 17:20:15 UTC (rev 1515) @@ -0,0 +1,38 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.tomcat.util.http; + +import javax.servlet.http.Cookie; + +public class TomcatCookie extends Cookie { + + boolean httpOnly = false; + + public TomcatCookie(String name, String value) { + super(name, value); + } + + public boolean getHttpOnly() { + return httpOnly; + } + + public void setHttpOnly(boolean httpOnly) { + this.httpOnly = httpOnly; + } + +}