Examples with SessionCookieConfig javax.servlet.SessionCookieConfig used on opensource projects

Example 1 with SessionCookieConfig

use of javax.servlet.SessionCookieConfig in project jetty.project by eclipse.

the class SessionCookieTest method testSecureSessionCookie.

@Test
public void testSecureSessionCookie() throws Exception {
    Server server = new Server();
    MockSessionIdManager idMgr = new MockSessionIdManager(server);
    idMgr.setWorkerName("node1");
    SessionHandler mgr = new SessionHandler();
    MockSessionStore store = new MockSessionStore(mgr);
    store.setSessionDataStore(new NullSessionDataStore());
    mgr.setSessionCache(store);
    mgr.setSessionIdManager(idMgr);
    long now = System.currentTimeMillis();
    Session session = new Session(null, new SessionData("123", "_foo", "0.0.0.0", now, now, now, 30));
    SessionCookieConfig sessionCookieConfig = mgr.getSessionCookieConfig();
    sessionCookieConfig.setSecure(true);
    //sessionCookieConfig.secure == true, always mark cookie as secure, irrespective of if requestIsSecure
    HttpCookie cookie = mgr.getSessionCookie(session, "/foo", true);
    assertTrue(cookie.isSecure());
    //sessionCookieConfig.secure == true, always mark cookie as secure, irrespective of if requestIsSecure
    cookie = mgr.getSessionCookie(session, "/foo", false);
    assertTrue(cookie.isSecure());
    //sessionCookieConfig.secure==false, setSecureRequestOnly==true, requestIsSecure==true
    //cookie should be secure: see SessionCookieConfig.setSecure() javadoc
    sessionCookieConfig.setSecure(false);
    cookie = mgr.getSessionCookie(session, "/foo", true);
    assertTrue(cookie.isSecure());
    //sessionCookieConfig.secure=false, setSecureRequestOnly==true, requestIsSecure==false
    //cookie is not secure: see SessionCookieConfig.setSecure() javadoc
    cookie = mgr.getSessionCookie(session, "/foo", false);
    assertFalse(cookie.isSecure());
    //sessionCookieConfig.secure=false, setSecureRequestOnly==false, requestIsSecure==false
    //cookie is not secure: not a secure request
    mgr.setSecureRequestOnly(false);
    cookie = mgr.getSessionCookie(session, "/foo", false);
    assertFalse(cookie.isSecure());
    //sessionCookieConfig.secure=false, setSecureRequestOnly==false, requestIsSecure==true
    //cookie is not secure: not on secured requests and request is secure
    cookie = mgr.getSessionCookie(session, "/foo", true);
    assertFalse(cookie.isSecure());
}

Example 2 with SessionCookieConfig

use of javax.servlet.SessionCookieConfig in project gocd by gocd.

the class Jetty9Server method setCookieExpirePeriod.

@Override
public void setCookieExpirePeriod(int cookieExpirePeriod) {
    SessionCookieConfig cookieConfig = webAppContext.getSessionHandler().getSessionManager().getSessionCookieConfig();
    cookieConfig.setHttpOnly(true);
    cookieConfig.setMaxAge(cookieExpirePeriod);
}

Example 3 with SessionCookieConfig

use of javax.servlet.SessionCookieConfig in project ddf by codice.

the class FilterInjector method injectFilter.

/**
     * Injects the filter into the passed-in servlet context. This only works if
     * the servlet has not already been initialized.
     *
     * @param serviceReference Reference to the servlet context that the filter should be
     *                         injected into.
     */
public void injectFilter(ServiceReference<ServletContext> serviceReference) {
    Bundle refBundle = serviceReference.getBundle();
    LOGGER.debug("Adding Servlet Filter for {}", refBundle.getSymbolicName());
    BundleContext bundlectx = refBundle.getBundleContext();
    ServletContext context = bundlectx.getService(serviceReference);
    try {
        SessionCookieConfig sessionCookieConfig = context.getSessionCookieConfig();
        sessionCookieConfig.setPath("/");
        sessionCookieConfig.setSecure(true);
        sessionCookieConfig.setHttpOnly(true);
    } catch (Exception e) {
        LOGGER.trace("Failed trying to set the cookie config path to /. This can usually be ignored", e);
    }
    //Jetty will place non-programmatically added filters (filters added via web.xml) in front of programmatically
    //added filters. This is probably OK in most instances, however, this security filter must ALWAYS be first.
    //This reflection hack basically tricks Jetty into believing that this filter is a web.xml filter so that it always ends up first.
    //In order for this to work correctly, the delegating filter must always be added before any other programmatically added filters.
    Field field = null;
    try {
        //this grabs the enclosing instance class, which is actually a private class
        //this is the only way to do this in Java
        field = context.getClass().getDeclaredField("this$0");
        field.setAccessible(true);
    } catch (NoSuchFieldException e) {
        LOGGER.warn("Unable to find enclosing class of ServletContext for delegating filter. Security may not work correctly", e);
    }
    Field matchAfterField = null;
    Object matchAfterValue = null;
    ServletHandler handler = null;
    if (field != null) {
        //need to grab the servlet context handler so we can get down to the handler, which is what we really need
        ServletContextHandler httpServiceContext = null;
        try {
            httpServiceContext = (ServletContextHandler) field.get(context);
        } catch (IllegalAccessException e) {
            LOGGER.warn("Unable to get the ServletContextHandler for {}. The delegating filter may not work properly.", refBundle.getSymbolicName(), e);
        }
        if (httpServiceContext != null) {
            //now that we have the handler, we can muck with the filters and state variables
            handler = httpServiceContext.getServletHandler();
            SessionHandler sessionHandler = httpServiceContext.getSessionHandler();
            if (sessionHandler != null) {
                sessionHandler.addEventListener(new WrapperListener());
            }
            if (handler != null) {
                try {
                    matchAfterField = handler.getClass().getSuperclass().getDeclaredField("_matchAfterIndex");
                    matchAfterField.setAccessible(true);
                } catch (NoSuchFieldException e) {
                    LOGGER.warn("Unable to find the matchAfterIndex value for the ServletHandler. The delegating filter may not work properly.", e);
                }
                if (matchAfterField != null) {
                    try {
                        //this value is initialized to -1 and only changes after a programmatic filter has been added
                        //so basically we are grabbing this value (should be -1) and then setting the field back to that value
                        //after we add our delegating filter to the mix
                        matchAfterValue = matchAfterField.get(handler);
                    } catch (IllegalAccessException e) {
                        LOGGER.warn("Unable to get the value of the match after field. The delegating filter may not work properly.", e);
                    }
                }
            }
        }
    }
    try {
        //This causes the value of "_matchAfterIndex" to jump to 0 which means all web.xml filters will be added in front of it
        //this isn't what we want, so we need to reset it back to what it was before
        FilterRegistration filterReg = context.addFilter(DELEGATING_FILTER, delegatingServletFilter);
        if (filterReg == null) {
            filterReg = context.getFilterRegistration(DELEGATING_FILTER);
        } else {
            ((FilterRegistration.Dynamic) filterReg).setAsyncSupported(true);
        }
        filterReg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, ALL_URLS);
    } catch (IllegalStateException ise) {
        LOGGER.warn("Could not inject filter into {} because the servlet was already initialized.", refBundle.getSymbolicName(), ise);
    }
    if (matchAfterField != null && matchAfterValue != null) {
        try {
            //Reset the value back to what it was before we added our delegating filter, this should cause Jetty to behave as if
            //this was a filter added via web.xml
            matchAfterField.set(handler, matchAfterValue);
        } catch (IllegalAccessException e) {
            LOGGER.warn("Unable to set the match after field back to the original value. The delegating filter might be out of order", e);
        }
    } else {
        LOGGER.warn("Unable to set the match after field back to the original value. The delegating filter might be out of order.");
    }
}

Example 4 with SessionCookieConfig

use of javax.servlet.SessionCookieConfig in project vip by guangdada.

the class GunsServletInitializer method onStartup.

@Override
public void onStartup(ServletContext servletContext) throws ServletException {
    // This can be done here or as the last step in the method
    // Doing it in this order will initialize the Spring
    // Framework first, doing it as last step will initialize
    // the Spring Framework after the Servlet configuration is
    // established
    super.onStartup(servletContext);
    // This will set to use COOKIE only
    servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));
    // This will prevent any JS on the page from accessing the
    // cookie - it will only be used/accessed by the HTTP transport
    // mechanism in use
    SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
    sessionCookieConfig.setHttpOnly(true);
}

Example 5 with SessionCookieConfig

use of javax.servlet.SessionCookieConfig in project ofbiz-framework by apache.

the class WebAppServletContextListener method contextInitialized.

/* (non-Javadoc)
     * @see javax.servlet.ServletContextListener#contextInitialized(javax.servlet.ServletContextEvent)
     */
@Override
public void contextInitialized(ServletContextEvent sce) {
    ServletContext servletContext = sce.getServletContext();
    servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
    sessionCookieConfig.setHttpOnly(true);
    sessionCookieConfig.setSecure(true);
    sessionCookieConfig.setComment("Created by Apache OFBiz WebAppServletContextListener");
    String cookieDomain = UtilProperties.getPropertyValue("url", "cookie.domain", "");
    if (cookieDomain.length() > 0)
        sessionCookieConfig.setDomain(cookieDomain);
    sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365);
    sessionCookieConfig.setPath(servletContext.getContextPath());
}