Author: markt
Date: Sat Jun 13 20:26:43 2009
New Revision: 784463
URL: http://svn.apache.org/viewvc?rev=784463&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
Port httpOnly support from 6.0.x
Modified:
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/ServerCookie.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/Context.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Request.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Response.java
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/container/tc5.5.x/webapps/docs/config/context.xml
Modified:
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/ServerCookie.java
URL:
http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/ServerCookie.java?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
---
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/ServerCookie.java
(original)
+++
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/http/ServerCookie.java
Sat Jun 13 20:26:43 2009
@@ -284,7 +284,8 @@
String domain,
String comment,
int maxAge,
- boolean isSecure )
+ boolean isSecure,
+ boolean isHttpOnly)
{
StringBuffer buf = new StringBuffer();
// Servlet implementation checks name
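Review bot: The new `boolean isHttpOnly` parameter widens the only `appendCookieValue` signature instead of adding an overload, so any caller of this shared util method that this commit does not update stops compiling; the two call sites in Response.java below are updated, but if others exist outside this diff they are not. Keeping the previous signature as a thin overload that delegates to the new one with `isHttpOnly` set to `false` would preserve source compatibility; the leading parameters and the method's Javadoc sit above the hunk, so the overload cannot be written out here. That Javadoc should also gain `@param isHttpOnly true to append the HttpOnly attribute so that client-side script cannot read the cookie`. The method signature starts outside the hunk.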
@@ -350,6 +351,10 @@
buf.append ("; Secure");
}
+ // HttpOnly
+ if (isHttpOnly) {
+ buf.append("; HttpOnly");
+ }
headerBuf.append(buf);
}
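Review bot: The `// HttpOnly` comment at the top of the added block restates the code on the next line instead of saying why the attribute is emitted. A why-comment is more useful, for example `// HttpOnly is not defined by RFC 2109/2965 but is honoured by browsers; it keeps the cookie out of client-side script`. The attribute is appended regardless of cookie version, which appears to mirror the Secure branch just above and is appropriate since the attribute applies to both cookie versions.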
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/Context.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/Context.java?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/Context.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/Context.java
Sat Jun 13 20:26:43 2009
@@ -181,8 +181,24 @@
*/
public void setCookies(boolean cookies);
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly();
+
/**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly);
+
+ /**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext();
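Review bot: Adding two abstract methods to the public `Context` interface is a source-incompatible change for any implementation of `Context` other than `StandardContext`; if third-party implementations exist they will fail to compile against this build, which is worth a sentence in the changelog entry. The Javadoc wording "Gets the value of the use HttpOnly cookies for session cookies flag" is hard to parse; `Returns whether the HttpOnly attribute is added to the session cookies this context issues.` and `Sets whether the HttpOnly attribute is added to the session cookies this context issues.` read more directly. The same text is duplicated in StandardContext.java below and would benefit from the same rewording.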
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Request.java?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Request.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Request.java
Sat Jun 13 20:26:43 2009
@@ -2237,7 +2237,7 @@
Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
- response.addCookie(cookie);
+ response.addCookieInternal(cookie, context.getUseHttpOnly());
}
if (session != null) {
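Review bot: The flag is consulted only at this one call site, where the cookie named by `Globals.SESSION_COOKIE_NAME` is created, so any other cookie the container issues that also carries a session identifier (none are visible in this diff) would still be sent without HttpOnly; the context.xml text added in this commit could say that explicitly. Because `context.getUseHttpOnly()` is evaluated each time the session cookie is written, a runtime change of the attribute takes effect for the next session cookie; a short comment such as `// evaluated per cookie so the context attribute can be changed at runtime` would record that. The enclosing method starts and ends outside the hunk.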
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Response.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Response.java?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Response.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/Response.java
Sat Jun 13 20:26:43 2009
@@ -932,6 +932,17 @@
* @param cookie Cookie to be added
*/
public void addCookie(final Cookie cookie) {
+ addCookieInternal(cookie, false);
+ }
+
+ /**
+ * Add the specified Cookie to those that will be included with
+ * this Response.
+ *
+ * @param cookie Cookie to be added
+ * @param httpOnly Should the httpOnly flag be set on this cookie
+ */
+ public void addCookieInternal(final Cookie cookie, final boolean httpOnly)
{
if (isCommitted())
return;
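Review bot: `addCookieInternal` is public and carries the same Javadoc as `addCookie`, so nothing tells a reader that it is the container-side entry point and that `addCookie`, presumably the path application code reaches, always passes `false`. Suggest the Javadoc state that this overload is intended for container use, that application cookies cannot request HttpOnly through this API (the Servlet 2.4 `Cookie` class has no such flag), and that `httpOnly` is declared `final` because the next hunk captures it inside what looks like an anonymous privileged-action block. The method body continues past the end of the hunk.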
@@ -950,7 +961,8 @@
(sb, cookie.getVersion(), cookie.getName(),
cookie.getValue(), cookie.getPath(),
cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(),
+ httpOnly);
return null;
}
});
@@ -958,7 +970,7 @@
ServerCookie.appendCookieValue
(sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
cookie.getPath(), cookie.getDomain(),
cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), httpOnly);
}
// if we reached here, no exception, cookie is valid
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
Sat Jun 13 20:26:43 2009
@@ -656,6 +656,10 @@
*/
private boolean saveConfig = true;
+ /**
+ * The flag that indicates that session cookies should use HttpOnly
+ */
+ private boolean useHttpOnly = false;
// ----------------------------------------------------- Context Properties
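Review bot: The field Javadoc does not state the default, which is the one fact a maintainer checking the security posture of a context wants to see here; suggest `The flag that indicates that session cookies should use HttpOnly. Off by default, matching the documented default of the useHttpOnly context attribute.` The initialiser `= false` is redundant for a boolean field but consistent with the surrounding fields, so it can stay.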
@@ -1045,6 +1049,33 @@
new Boolean(this.cookies));
}
+
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly() {
+ return useHttpOnly;
+ }
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly) {
+ boolean oldUseHttpOnly = this.useHttpOnly;
+ this.useHttpOnly = useHttpOnly;
+ support.firePropertyChange("useHttpOnly",
+ new Boolean(oldUseHttpOnly),
+ new Boolean(this.useHttpOnly));
+ }
+
+
/**
Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Sat Jun 13 20:26:43 2009
@@ -87,6 +87,10 @@
<bug>42707</bug>: Make adding a host alias via JMX take effect
immediately. (markt)
</fix>
+ <add>
+ <bug>44382</bug>: Add support for using httpOnly for session cookies.
+ This is disabled by default. (markt/fhanik)
+ </add>
<fix>
<bug>45576</bug>: JAAS Realm now works with DIGEST authentication.
(markt)
Modified: tomcat/container/tc5.5.x/webapps/docs/config/context.xml
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/context.xml?rev=784463&r1=784462&r2=784463&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/config/context.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/config/context.xml Sat Jun 13
20:26:43 2009
@@ -235,6 +235,13 @@
implementation class that will be used for servlets managed by this
Context. If not specified, a standard default value will be used.</p>
</attribute>
+
+ <attribute name="useHttpOnly" required="false">
+ <p>Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ <code>false</code>.</p>
+ </attribute>
+
</attributes>