Vojtech Szocs has uploaded a new change for review.
Change subject: webadmin,root: Prevent JSESSIONID cookie for root path
......................................................................
webadmin,root: Prevent JSESSIONID cookie for root path
Engine "root" web application containing various utility
servlets sets JSESSIONID cookie for / (root path) upon
following occasions:
a. when requesting document file for a missing language,
DocsServlet ensures HttpSession -> JSESSIONID cookie
in order to read/store "langPageShown" attribute:
"Show missing language page only for the first time"
b. when processing any JSP page, since each JSP gets
HttpSession -> JSESSIONID cookie created eagerly:
- ovirt-engine.jsp (splash page)
- no_lang.jsp (missing language page)
However, setting cookie X for path=/ essentially shadows
any other cookie(s) with same name (X) set for path=/foo
Consider following example:
1. User visits WebAdmin:
- new cookie JSESSIONID for path=/webadmin
- WebAdmin JavaScript reads JSESSIONID cookie,
correct value is returned
2. User visits "root" web application:
- new cookie JSESSIONID for path=/
- WebAdmin JavaScript reads JSESSIONID cookie,
wrong value is returned because there are two
JSESSIONID cookies and path=/ takes precedence
This patch prevents "root" web application from using
JSESSIONID cookie (see occasions a. and b. above), which
prevents cookie shadowing for WebAdmin.
In future, we should consider using different "session"
cookie names for different web applications in order to
avoid such problems.
Change-Id: I3b4c95f0a716bf3cc05d102a1026b3c6aee5879c
Bug-Url: https://bugzilla.redhat.com/966525
Signed-off-by: Vojtech Szocs <vsz...@redhat.com>
---
M
backend/manager/modules/root/src/main/java/org/ovirt/engine/core/DocsServlet.java
M backend/manager/modules/root/src/main/webapp/WEB-INF/help/no_lang.jsp
M backend/manager/modules/root/src/main/webapp/WEB-INF/ovirt-engine.jsp
3 files changed, 26 insertions(+), 5 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/57/15057/1
diff --git
a/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/DocsServlet.java
b/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/DocsServlet.java
index 200e36d..1711d2f 100644
---
a/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/DocsServlet.java
+++
b/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/DocsServlet.java
@@ -8,6 +8,7 @@
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -42,12 +43,12 @@
if (file == null) {
response.sendError(HttpServletResponse.SC_NOT_FOUND);
} else if (!response.isCommitted()){ //If the response is committed,
we have already redirected.
- Object languagePageShown =
request.getSession(true).getAttribute(LANG_PAGE_SHOWN);
+ boolean languagePageShown = isLangPageShown(request);
if (!file.equals(originalFile)) {
//We determined that we are going to redirect the user to the
English version URI.
String redirect = request.getServletPath() +
replaceLocaleWithUSLocale(request.getPathInfo(), locale);
- if ((languagePageShown == null ||
!Boolean.parseBoolean(languagePageShown.toString()))) {
- request.getSession(true).setAttribute(LANG_PAGE_SHOWN,
true);
+ if (!languagePageShown) {
+ setLangPageShown(response, true);
request.setAttribute(LocaleFilter.LOCALE, locale);
request.setAttribute(ENGLISH_HREF, redirect);
RequestDispatcher dispatcher =
request.getRequestDispatcher(LANG_JSP);
@@ -66,6 +67,26 @@
}
}
+ private boolean isLangPageShown(HttpServletRequest request) {
+ boolean result = false;
+ Cookie[] cookies = request.getCookies();
+ if (cookies != null) {
+ for (Cookie cookie : cookies) {
+ if (LANG_PAGE_SHOWN.equalsIgnoreCase(cookie.getName())) {
+ result = Boolean.parseBoolean(cookie.getValue());
+ break;
+ }
+ }
+ }
+ return result;
+ }
+
+ private void setLangPageShown(HttpServletResponse response, boolean value)
{
+ Cookie cookie = new Cookie(LANG_PAGE_SHOWN, Boolean.toString(value));
+ // Don't set max age, i.e. let this be a session cookie
+ response.addCookie(cookie);
+ }
+
/**
* Determine the actual file based on the passed in {@code
HttpServletRequest} path and
* the passed in {@code Locale}. If the Locale is invalid or cannot be
found, use the
diff --git
a/backend/manager/modules/root/src/main/webapp/WEB-INF/help/no_lang.jsp
b/backend/manager/modules/root/src/main/webapp/WEB-INF/help/no_lang.jsp
index f3fabc8..818d4d5 100644
--- a/backend/manager/modules/root/src/main/webapp/WEB-INF/help/no_lang.jsp
+++ b/backend/manager/modules/root/src/main/webapp/WEB-INF/help/no_lang.jsp
@@ -1,4 +1,4 @@
-<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
+<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8" session="false" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"; prefix="c" %>
<!DOCTYPE html>
<html>
diff --git
a/backend/manager/modules/root/src/main/webapp/WEB-INF/ovirt-engine.jsp
b/backend/manager/modules/root/src/main/webapp/WEB-INF/ovirt-engine.jsp
index 501fce3..8f592e0 100644
--- a/backend/manager/modules/root/src/main/webapp/WEB-INF/ovirt-engine.jsp
+++ b/backend/manager/modules/root/src/main/webapp/WEB-INF/ovirt-engine.jsp
@@ -1,4 +1,4 @@
-<%@ page pageEncoding="UTF-8" %>
+<%@ page pageEncoding="UTF-8" session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"; %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"; %>
<fmt:setBundle basename="org.ovirt.engine.core.languages" var="lang" />
--
To view, visit http://gerrit.ovirt.org/15057
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3b4c95f0a716bf3cc05d102a1026b3c6aee5879c
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Vojtech Szocs <vsz...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
