From: markt
Date: Wed, 10 Mar 2010 13:56:28 +0000 (+0000)
Subject: Partial fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=09b1b1bfc97b27a057403b024fd796b553dda6b9;p=tomcat7.0
Partial fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
Allow session cookie path to be configured per context
With this option, the Servlet 3 options and Connector.emptySessionPath, there were just too many places this was being configured, so the Connector option has been removed for Tomcat 7.
Based on a patch by Brane F. Gracnar
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@921352 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java
index 621678737..5efefa4df 100644
--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
@@ -211,13 +211,32 @@ public interface Context extends Container {
* @param sessionCookieDomain The domain to use
*/
public void setSessionCookieDomain(String sessionCookieDomain);
+
+
+ /**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath();
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath);
+
/**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext();
-
/**
* Return the alternate Deployment Descriptor name.
diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java
index 9a735dfa1..92c49a50c 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -105,12 +105,6 @@ public class Connector extends LifecycleBase implements MBeanRegistration {
/**
- * Use "/" as path for session cookies ?
- */
- protected boolean emptySessionPath = false;
-
-
- /**
* The "enable DNS lookups" flag for this Connector.
*/
protected boolean enableLookups = false;
@@ -398,29 +392,6 @@ public class Connector extends LifecycleBase implements MBeanRegistration {
/**
- * Return the "empty session path" flag.
- */
- public boolean getEmptySessionPath() {
-
- return (this.emptySessionPath);
-
- }
-
-
- /**
- * Set the "empty session path" flag.
- *
- * @param emptySessionPath The new "empty session path" flag value
- */
- public void setEmptySessionPath(boolean emptySessionPath) {
-
- this.emptySessionPath = emptySessionPath;
- setProperty("emptySessionPath", String.valueOf(emptySessionPath));
-
- }
-
-
- /**
* Return the "enable DNS lookups" flag.
*/
public boolean getEnableLookups() {
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index dd5c01cf3..65d4091e5 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2273,14 +2273,8 @@ public class Request
if (response != null) {
Cookie newCookie =
- ApplicationSessionCookieConfig.createSessionCookie(
- context.getServletContext().getSessionCookieConfig(),
- newSessionId,
- secure,
- context.getUseHttpOnly(),
- response.getConnector().getEmptySessionPath(),
- context.getEncodedPath(),
- context.getSessionCookieDomain());
+ ApplicationSessionCookieConfig.createSessionCookie(context,
+ newSessionId, secure);
response.addCookie(newCookie);
}
}
@@ -2542,7 +2536,7 @@ public class Request
// Do not reuse the session id if it is from a URL, to prevent possible
// phishing attacks
// Use the SSL session ID if one is present.
- if ((connector.getEmptySessionPath()
+ if (("/".equals(context.getSessionCookiePath())
&& isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
session = manager.createSession(getRequestedSessionId());
} else {
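Review bot: The condition on the added line reuses the requested session id only when the context-level `sessionCookiePath` is exactly `"/"`, but the rewritten `createSessionCookie` in this same commit also falls back to `SessionCookieConfig.getPath()`, so a web application that sets its own cookie path to "/" through `SessionCookieConfig` gets a "/"-scoped cookie yet never takes this branch; under the removed connector-wide flag both cases behaved the same. If that asymmetry is intended (only the container override enables id reuse), a comment saying so would save the next reader the comparison; otherwise the check should compare against the resolved path rather than the raw context attribute. The enclosing method starts and ends outside the hunk.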
@@ -2556,13 +2550,7 @@ public class Request
SessionTrackingMode.COOKIE)) {
Cookie cookie =
ApplicationSessionCookieConfig.createSessionCookie(
- context.getServletContext().getSessionCookieConfig(),
- session.getIdInternal(),
- isSecure(),
- context.getUseHttpOnly(),
- connector.getEmptySessionPath(),
- context.getEncodedPath(),
- context.getSessionCookieDomain());
+ context, session.getIdInternal(), isSecure());
response.addCookieInternal(cookie);
}
diff --git a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
index faa22a349..7e76eda89 100644
--- a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
+++ b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
@@ -20,6 +20,7 @@ package org.apache.catalina.core;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
+import org.apache.catalina.Context;
import org.apache.catalina.Globals;
public class ApplicationSessionCookieConfig implements SessionCookieConfig {
@@ -105,62 +106,60 @@ public class ApplicationSessionCookieConfig implements SessionCookieConfig {
/**
* Creates a new session cookie for the given session ID
*
- * @param scc The default session cookie configuration
+ * @param conetxt The Context for the web application
* @param sessionId The ID of the session for which the cookie will be
* created
* @param secure Should session cookie be configured as secure
- * @param httpOnly Should session cookie be configured as httpOnly
- * @param emptyPath Should session cookie be configured with empty path
- * @param contextPath Context path to use if required
- * @param domain Domain to use for the session cookie. If null, use the
- * domain specified by the scc parameter.
*/
- public static Cookie createSessionCookie(SessionCookieConfig scc,
- String sessionId, boolean secure, boolean httpOnly,
- boolean emptyPath, String contextPath, String domain) {
-
- // Session config can over-ride default name
- String cookieName = scc.getName();
- if (cookieName == null) {
- cookieName = Globals.SESSION_COOKIE_NAME;
- }
- Cookie cookie = new Cookie(cookieName, sessionId);
+ public static Cookie createSessionCookie(Context context,
+ String sessionId, boolean secure) {
+
+ SessionCookieConfig scc =
+ context.getServletContext().getSessionCookieConfig();
+
+ // NOTE: The priority order for session cookie configuration is:
+ // 1. Context level configuration
+ // 2. Values from SessionCookieConfig
+ // 3. Defaults
+
+ String cookieName = scc.getName();
+ if (cookieName == null) {
+ cookieName = Globals.SESSION_COOKIE_NAME;
+ }
+ Cookie cookie = new Cookie(cookieName, sessionId);
- // Just apply the defaults.
- cookie.setMaxAge(scc.getMaxAge());
- cookie.setComment(scc.getComment());
+ // Just apply the defaults.
+ cookie.setMaxAge(scc.getMaxAge());
+ cookie.setComment(scc.getComment());
- if (domain == null) {
- // Avoid possible NPE
- if (scc.getDomain() != null) {
- cookie.setDomain(scc.getDomain());
- }
- } else {
- cookie.setDomain(domain);
- }
-
- // Always set secure if the request is secure
- if (scc.isSecure() || secure) {
- cookie.setSecure(true);
- }
-
- // Always set httpOnly if the context is configured for that
- if (scc.isHttpOnly() || httpOnly) {
- cookie.setHttpOnly(true);
- }
+ if (context.getSessionCookieDomain() == null) {
+ // Avoid possible NPE
+ if (scc.getDomain() != null) {
+ cookie.setDomain(scc.getDomain());
+ }
+ } else {
+ cookie.setDomain(context.getSessionCookieDomain());
+ }
+
+ // Always set secure if the request is secure
+ if (scc.isSecure() || secure) {
+ cookie.setSecure(true);
+ }
+
+ // Always set httpOnly if the context is configured for that
+ if (scc.isHttpOnly() || context.getUseHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
- // Don't set the path if the connector is configured to over-ride
- if (!emptyPath && scc.getPath() != null) {
- cookie.setPath(scc.getPath());
- } else {
- if (!emptyPath && contextPath != null && (contextPath.length() > 0)) {
- cookie.setPath(contextPath);
- } else {
- cookie.setPath("/");
- }
- }
- return cookie;
- }
-
-
+ String contextPath = context.getSessionCookiePath();
+ if (contextPath == null || contextPath.length() == 0) {
+ contextPath = scc.getPath();
+ }
+ if (contextPath == null || contextPath.length() == 0) {
+ contextPath = context.getEncodedPath();
+ }
+ cookie.setPath(contextPath);
+
+ return cookie;
+ }
}
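Review bot: The path fallback at the end of the new method drops the empty-path guard the removed code had: the old branch used the context path only when `contextPath.length() > 0` and otherwise set `"/"`, whereas the new chain ends with `contextPath = context.getEncodedPath();` and calls `cookie.setPath(contextPath)` unconditionally, so a context whose encoded path is the empty string now gets `Path=` empty instead of `"/"`, which changes how the session cookie is scoped. Adding `if (contextPath.length() == 0) { contextPath = "/"; }` immediately before `cookie.setPath(contextPath);` restores the previous behaviour (this assumes `getEncodedPath()` never returns null, which the old code also assumed). The Javadoc also has a typo in the first parameter tag, `@param conetxt`, which should read `@param context The Context for the web application`.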
diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index bd6d55433..9faaa62b8 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -731,6 +731,13 @@ public class StandardContext
/**
+ * The path to use for session cookies. null indicates that
+ * the path is controlled by the application.
+ */
+ private String sessionCookiePath;
+
+
+ /**
* The Jar scanner to use to search for Jars that might contain
* configuration information such as TLDs or web-fragment.xml files.
*/
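Review bot: The comment on the new `sessionCookiePath` field says that `null` means the path is controlled by the application, but the consumer added in this commit, `ApplicationSessionCookieConfig.createSessionCookie`, treats an empty string the same way and falls through to `SessionCookieConfig.getPath()`. Stating the contract as `null or an empty string indicates that the path is controlled by the application` keeps the field documentation in step with the code that reads it; the same wording would fit the `@return` of the new getter in the following hunk.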
@@ -1308,6 +1315,32 @@ public class StandardContext
/**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath() {
+ return sessionCookiePath;
+ }
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath) {
+ String oldSessionCookiePath = this.sessionCookiePath;
+ this.sessionCookiePath = sessionCookiePath;
+ support.firePropertyChange("sessionCookiePath",
+ oldSessionCookiePath, sessionCookiePath);
+ }
+
+
+ /**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext() {
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index b809b4696..934d3a243 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -79,13 +79,6 @@
HTTP method. If not specified, this attribute is set to false.
-
- If set to true, all paths for session cookies will be set
- to /. This can be useful for portlet specification
- implementations. If not specified, this attribute is set to
- false.
-
-
Set to true if you want calls to
request.getRemoteHost() to perform DNS lookups in
diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
index 99369c25b..ca7f227ee 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -244,6 +244,17 @@
used.
+
+ The path to be used for all session cookies created for this
+ context. If set, this overrides any path set by the web application.
+ If not set, the value specified by the web application will be used, or
+ the context path used if the web application does not explicitly set
+ one. To configure all web application to use an empty path (this can be
+ useful for portlet specification implementations) set this attribute to
+ / in the global CATALINA_BASE/conf/context.xml
+ file.
+
+
Java class name of the org.apache.catalina.Wrapper
implementation class that will be used for servlets managed by this
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 1dd3a0e8e..70901c0e6 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -79,13 +79,6 @@
HTTP method. If not specified, this attribute is set to false.
-
- If set to true, all paths for session cookies will be set
- to /. This can be useful for portlet specification
- implementations. If not specified, this attribute is set to
- false.
-
-
Set to true if you want calls to
request.getRemoteHost() to perform DNS lookups in