Author: mmillson
Date: 2010-08-04 13:20:15 -0400 (Wed, 04 Aug 2010)
New Revision: 1515
Added:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java
Log:
Add HttpOnly Cookie support for [JBPAPP-4794].
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java 2010-08-04
16:36:35 UTC (rev 1514)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/Context.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -30,6 +30,7 @@
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.NamingResources;
import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.deploy.SessionCookie;
import org.apache.catalina.util.CharsetMapper;
@@ -173,8 +174,21 @@
*/
public boolean getCookies();
+ /**
+ * Set the session cookie configuration.
+ *
+ * @param sessionCookie The new value
+ */
+ public void setSessionCookie(SessionCookie sessionCookie);
+
/**
+ * Return the session cookie configuration.
+ */
+ public SessionCookie getSessionCookie();
+
+
+ /**
* Set the "use cookies for session ids" flag.
*
* @param cookies The new flag
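Review bot: The new `getSessionCookie()` Javadoc on the interface has no `@return` tag and does not say whether the value may be null, which matters because `Request.configureSessionCookie` in this commit dereferences it directly; the `StandardContext` copy of the same Javadoc has the same gap. Suggest ` * @return the session cookie configuration for this context (never null)`, provided the implementation actually guarantees that — `StandardContext.setSessionCookie` as added here does not reject a null argument. Adding two abstract methods to a public interface also obliges every other `Context` implementation in the tree to implement them; worth a sentence in the commit message or the Javadoc.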
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-04
16:36:35 UTC (rev 1514)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -52,6 +52,7 @@
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.Parameters;
import org.apache.tomcat.util.http.ServerCookie;
+import org.apache.tomcat.util.http.TomcatCookie;
import org.apache.tomcat.util.http.mapper.MappingData;
import org.apache.coyote.ActionCode;
@@ -2296,7 +2297,7 @@
// Creating a new session cookie based on that session
if ((session != null) && (getContext() != null)
&& getContext().getCookies()) {
- Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
+ TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
response.addCookieInternal(cookie);
@@ -2316,7 +2317,7 @@
*
* @param cookie The JSESSIONID cookie to be configured
*/
- protected void configureSessionCookie(Cookie cookie) {
+ protected void configureSessionCookie(TomcatCookie cookie) {
cookie.setMaxAge(-1);
String contextPath = null;
if (!connector.getEmptySessionPath() && (getContext() != null)) {
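Review bot: Changing the parameter type of the protected hook `configureSessionCookie` from `Cookie` to `TomcatCookie` means any subclass that overrides `configureSessionCookie(Cookie)` silently stops being called (it becomes an unrelated overload), which is easy to miss on a maintenance branch. If that hook is relied on, keep the old signature as the overridable method and layer the new flag on top: `protected void configureSessionCookie(TomcatCookie cookie) { configureSessionCookie((Cookie) cookie); if (getContext().getSessionCookie().isHttpOnly()) cookie.setHttpOnly(true); }`. Whether any subclass overrides it is not visible here; the method body continues past this hunk.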
@@ -2327,6 +2328,9 @@
} else {
cookie.setPath("/");
}
+ if (context.getSessionCookie().isHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
if (isSecure()) {
cookie.setSecure(true);
}
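Review bot: `context.getSessionCookie().isHttpOnly()` on the added line reads the `context` field directly while the line a few above uses `getContext()`, and it dereferences the result without a null check even though `StandardContext.setSessionCookie` in this commit stores null unchanged. Suggest `SessionCookie cfg = getContext().getSessionCookie();` followed by `if (cfg != null && cfg.isHttpOnly()) { cookie.setHttpOnly(true); }`. Separately, of the five properties the new `SessionCookie` class exposes only `httpOnly` is consulted here, so `secure`, `domain`, `path` and `comment` set on a `<SessionCookie>` element have no visible effect on the JSESSIONID cookie; either apply them (for example `if (cfg.isSecure()) cookie.setSecure(true);` next to the existing `isSecure()` check) or document that they are not yet honoured. The enclosing method ends outside this hunk.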
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java 2010-08-04
16:36:35 UTC (rev 1514)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/connector/Response.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -51,6 +51,7 @@
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.ServerCookie;
+import org.apache.tomcat.util.http.TomcatCookie;
import org.apache.tomcat.util.net.URL;
/**
@@ -962,7 +963,7 @@
(sb, cookie.getVersion(), cookie.getName(),
cookie.getValue(), cookie.getPath(),
cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), false);
return null;
}
});
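Review bot: Passing a literal `false` here (and in the next hunk at the non-privileged call) means a `TomcatCookie` that reaches the `addCookieInternal(Cookie)` overload through a `Cookie`-typed reference loses its HttpOnly flag without any warning, because overload resolution is static. Replace the literal with `cookie instanceof TomcatCookie && ((TomcatCookie) cookie).getHttpOnly()` in both places so the flag follows the object rather than the static type; whether any caller currently takes that path (for instance a servlet-level `addCookie` routed through here) is not visible in this hunk. The enclosing method starts before this hunk.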
@@ -970,7 +971,7 @@
ServerCookie.appendCookieValue
(sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
cookie.getPath(), cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), false);
}
// if we reached here, no exception, cookie is valid
// the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
@@ -983,6 +984,47 @@
/**
+ * Add the specified Cookie to those that will be included with
+ * this Response.
+ *
+ * @param cookie Cookie to be added
+ */
+ public void addCookieInternal(final TomcatCookie cookie) {
+
+ if (isCommitted())
+ return;
+
+ final StringBuffer sb = new StringBuffer();
+ // web application code can receive a IllegalArgumentException
+ // from the appendCookieValue invocation
+ if (SecurityUtil.isPackageProtectionEnabled()) {
+ AccessController.doPrivileged(new PrivilegedAction() {
+ public Object run(){
+ ServerCookie.appendCookieValue
+ (sb, cookie.getVersion(), cookie.getName(),
+ cookie.getValue(), cookie.getPath(),
+ cookie.getDomain(), cookie.getComment(),
+ cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly());
+ return null;
+ }
+ });
+ } else {
+ ServerCookie.appendCookieValue
+ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
+ cookie.getPath(), cookie.getDomain(), cookie.getComment(),
+ cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly());
+ }
+ // if we reached here, no exception, cookie is valid
+ // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
+ // RFC2965 is not supported by browsers and the Servlet spec
+ // asks for 2109.
+ addHeader("Set-Cookie", sb.toString());
+
+ cookies.add(cookie);
+ }
+
+
+ /**
* Add the specified date header to the specified value.
*
* @param name Name of the header to set
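Review bot: The new `addCookieInternal(TomcatCookie)` duplicates the existing `addCookieInternal(Cookie)` line for line, differing only in the last argument to `appendCookieValue`; two copies of the privileged-action block will drift apart on the next fix. Fold both into one private worker that takes the flag, have the `Cookie` overload call it with `false` and the `TomcatCookie` overload with `cookie.getHttpOnly()`. The `final StringBuffer` and the raw `PrivilegedAction` are inherited from the original, so this is a structural point only.
```java
    public void addCookieInternal(final TomcatCookie cookie) {
        addCookieInternal(cookie, cookie.getHttpOnly());
    }

    // Shared by both public overloads: formats the Set-Cookie header and records the cookie.
    private void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
        if (isCommitted())
            return;
        final StringBuffer sb = new StringBuffer();
        // … unchanged: privileged / direct ServerCookie.appendCookieValue calls, passing httpOnly as the last argument …
        addHeader("Set-Cookie", sb.toString());
        cookies.add(cookie);
    }
```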
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java 2010-08-04
16:36:35 UTC (rev 1514)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/core/StandardContext.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -83,6 +83,7 @@
import org.apache.catalina.deploy.NamingResources;
import org.apache.catalina.deploy.SecurityCollection;
import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.deploy.SessionCookie;
import org.apache.catalina.loader.WebappLoader;
import org.apache.catalina.session.StandardManager;
import org.apache.catalina.startup.ContextConfig;
@@ -515,6 +516,11 @@
*/
private long sequenceNumber = 0;
+ /**
+ * The session cookie.
+ */
+ private SessionCookie sessionCookie = new SessionCookie();
+
/**
* The status code error pages for this web application, keyed by
* HTTP status code (as an Integer).
@@ -1375,6 +1381,25 @@
/**
+ * Set the session cookie configuration.
+ *
+ * @param sessionCookie The new value
+ */
+ public void setSessionCookie(SessionCookie sessionCookie) {
+ SessionCookie oldSessionCookie = this.sessionCookie;
+ this.sessionCookie = sessionCookie;
+ support.firePropertyChange("sessionCookie", oldSessionCookie,
sessionCookie);
+ }
+
+
+ /**
+ * Return the session cookie configuration.
+ */
+ public SessionCookie getSessionCookie() {
+ return this.sessionCookie;
+ }
+
+ /**
* Return the login configuration descriptor for this web application.
*/
public LoginConfig getLoginConfig() {
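Review bot: `setSessionCookie` stores a null argument unchanged, and `Request.configureSessionCookie` in this commit calls `isHttpOnly()` on whatever `getSessionCookie()` returns, so a null passed by any programmatic caller turns into a NullPointerException the next time a session cookie is created. Since the field is initialised to `new SessionCookie()`, keep that invariant in the setter: `if (sessionCookie == null) { sessionCookie = new SessionCookie(); }` before the assignment, or reject it with `IllegalArgumentException`. The getter's Javadoc should also carry ` * @return the session cookie configuration; never null`.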
Added:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java
(rev 0)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/deploy/SessionCookie.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *
http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.deploy;
+
+import java.io.Serializable;
+
+public class SessionCookie implements Serializable {
+
+ protected String domain = null;
+ protected String path = null;
+ protected String comment = null;
+ protected boolean httpOnly = false;
+ protected boolean secure = false;
+
+ public SessionCookie() {
+ }
+
+ public String getDomain() {
+ return domain;
+ }
+
+ public String getPath() {
+ return path;
+ }
+
+ public String getComment() {
+ return comment;
+ }
+
+ public boolean isHttpOnly() {
+ return httpOnly;
+ }
+
+ public boolean isSecure() {
+ return secure;
+ }
+
+ public void setDomain(String domain) {
+ this.domain = domain;
+ }
+
+ public void setPath(String path) {
+ this.path = path;
+ }
+
+ public void setComment(String comment) {
+ this.comment = comment;
+ }
+
+ public void setHttpOnly(boolean httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
+ public void setSecure(boolean secure) {
+ this.secure = secure;
+ }
+}
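Review bot: `SessionCookie` is a new public class with no Javadoc at all, so a reader cannot tell that it backs the `<SessionCookie>` child of `<Context>` and that its attributes are bound by the digester's set-properties rule; a class comment saying so, with one line per property, would make the configuration discoverable. Two style points: the fields are `protected` and mutable where `private` would do (the class is a plain bean with public accessors), and a `Serializable` class without an explicit `private static final long serialVersionUID` gets a compiler-derived id that changes with any edit. Note also that only `httpOnly` is read by the rest of this commit; the other four properties should either be wired up or documented as not yet applied.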
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java 2010-08-04
16:36:35 UTC (rev 1514)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -192,6 +192,12 @@
digester.addRule(prefix + "Context/ResourceLink",
new SetNextNamingRule("addResourceLink",
"org.apache.catalina.deploy.ContextResourceLink"));
+
+ digester.addObjectCreate(prefix + "Context/SessionCookie",
+ "org.apache.catalina.deploy.SessionCookie");
+ digester.addSetProperties(prefix + "Context/SessionCookie");
+ digester.addSetNext(prefix + "Context/SessionCookie",
+ "setSessionCookie",
"org.apache.catalina.deploy.SessionCookie");
digester.addObjectCreate(prefix + "Context/Valve",
null, // MUST be specified in the element
Modified:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java 2010-08-04
16:36:35 UTC (rev 1514)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -260,7 +260,8 @@
String domain,
String comment,
int maxAge,
- boolean isSecure )
+ boolean isSecure,
+ boolean httpOnly)
{
StringBuffer buf = new StringBuffer();
// Servlet implementation checks name
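Review bot: `ServerCookie.appendCookieValue` is a public static utility in `org.apache.tomcat.util.http`, and adding a parameter changes its signature, so any caller outside the files touched by this commit (or in third-party code compiled against the branch) breaks at link time. Keep the original nine-argument overload as a thin delegate: `public static void appendCookieValue(StringBuffer headerBuf, int version, String name, String value, String path, String domain, String comment, int maxAge, boolean isSecure) { appendCookieValue(headerBuf, version, name, value, path, domain, comment, maxAge, isSecure, false); }`. The method's Javadoc, which starts before this hunk, also needs a `@param httpOnly` entry; the body continues into the next hunk.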
@@ -324,6 +325,11 @@
buf.append ("; Secure");
}
+ // HttpOnly
+ if (httpOnly) {
+ buf.append ("; HttpOnly");
+ }
+
headerBuf.append(buf);
}
Added:
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java
(rev 0)
+++
branches/JBOSSWEB_2_0_0_GA_CP11_JBPAPP-4794/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java 2010-08-04
17:20:15 UTC (rev 1515)
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *
http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.tomcat.util.http;
+
+import javax.servlet.http.Cookie;
+
+public class TomcatCookie extends Cookie {
+
+ boolean httpOnly = false;
+
+ public TomcatCookie(String name, String value) {
+ super(name, value);
+ }
+
+ public boolean getHttpOnly() {
+ return httpOnly;
+ }
+
+ public void setHttpOnly(boolean httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
+}
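Review bot: The `httpOnly` field in `TomcatCookie` is package-private where `private` would do, and the accessor is named `getHttpOnly()` while the sibling `SessionCookie` class added in the same commit uses `isHttpOnly()`; `javax.servlet.http.Cookie` itself gained `isHttpOnly()`/`setHttpOnly(boolean)` in Servlet 3.0, so if this branch is ever compiled against that API the `setHttpOnly` here would override the parent's while `getHttpOnly` would stay a separate, unsynchronised copy. Suggest `private boolean httpOnly = false;` and `public boolean isHttpOnly()` (adjusting the two call sites in `Response.addCookieInternal`). The class also has no Javadoc; a one-line comment such as `/** Cookie subclass carrying the HttpOnly flag, which the Servlet 2.5 Cookie API does not expose. */` would explain why it exists.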