Author: markt Date: Wed Mar 10 13:56:28 2010 New Revision: 921352 URL: http://svn.apache.org/viewvc?rev=921352&view=rev Log: Partial fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48379 Allow session cookie path to be configured per context With this option, the servlet 3 options and Connector.emptySessionPath, there were just too many places where this was being configured, so the Connector option has been removed for Tomcat 7.
Modified:
 tomcat/trunk/java/org/apache/catalina/Context.java
 tomcat/trunk/java/org/apache/catalina/connector/Connector.java
 tomcat/trunk/java/org/apache/catalina/connector/Request.java
 tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
 tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
 tomcat/trunk/webapps/docs/config/ajp.xml
 tomcat/trunk/webapps/docs/config/context.xml
 tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Wed Mar 10 13:56:28 2010
@@ -211,13 +211,32 @@ public interface Context extends Contain
 * @param sessionCookieDomain The domain to use
 */
 public void setSessionCookieDomain(String sessionCookieDomain);
+
+
+ /**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath();
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath);
+
 /**
 * Return the "allow crossing servlet contexts" flag.
 */
 public boolean getCrossContext();
-
 /**
 * Return the alternate Deployment Descriptor name.
Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Wed Mar 10 13:56:28 2010
@@ -105,12 +105,6 @@ public class Connector extends Lifecycle
 /**
- * Use "/" as path for session cookies ?
- */
- protected boolean emptySessionPath = false;
-
-
- /**
 * The "enable DNS lookups" flag for this Connector.
 */
 protected boolean enableLookups = false;
@@ -398,29 +392,6 @@ public class Connector extends Lifecycle
 /**
- * Return the "empty session path" flag.
- */
- public boolean getEmptySessionPath() {
-
- return (this.emptySessionPath);
-
- }
-
-
- /**
- * Set the "empty session path" flag.
- *
- * @param emptySessionPath The new "empty session path" flag value
- */
- public void setEmptySessionPath(boolean emptySessionPath) {
-
- this.emptySessionPath = emptySessionPath;
- setProperty("emptySessionPath", String.valueOf(emptySessionPath));
-
- }
-
-
- /**
 * Return the "enable DNS lookups" flag.
 */
 public boolean getEnableLookups() {
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Mar 10 13:56:28 2010
@@ -2273,14 +2273,8 @@ public class Request
 if (response != null) {
 Cookie newCookie =
- ApplicationSessionCookieConfig.createSessionCookie(
- context.getServletContext().getSessionCookieConfig(),
- newSessionId,
- secure,
- context.getUseHttpOnly(),
- response.getConnector().getEmptySessionPath(),
- context.getEncodedPath(),
- context.getSessionCookieDomain());
+ ApplicationSessionCookieConfig.createSessionCookie(context,
+ newSessionId, secure);
 response.addCookie(newCookie);
 }
 }
@@ -2542,7 +2536,7 @@ public class Request
 // Do not reuse the session id if it is from a URL, to prevent possible
 // phishing attacks
 // Use the SSL session ID if one is present.
- if ((connector.getEmptySessionPath()
+ if (("/".equals(context.getSessionCookiePath())
 && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
 session = manager.createSession(getRequestedSessionId());
 } else {
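Review bot: The id-reuse condition in the @@ -2542 hunk of Request.java keys only on `context.getSessionCookiePath()` being exactly `"/"`, whereas createSessionCookie in this same commit also falls back to `scc.getPath()` and `context.getEncodedPath()`; an application that sets path `/` through SessionCookieConfig therefore gets a root-scoped cookie but not the cross-context id reuse, and a context-level value that differs only in form (e.g. a trailing slash variant) is scoped the same by the browser yet fails this check. Since this branch creates a new session under an id the client supplied, the condition deserves a comment making the intent explicit, e.g. `// Only the Context-level sessionCookiePath of "/" enables reuse of a cookie-supplied id; paths set via SessionCookieConfig do not`, or both sites should derive the effective path from one shared helper so they cannot drift apart. The enclosing method starts and ends outside the hunk.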
@@ -2556,13 +2550,7 @@ public class Request
 SessionTrackingMode.COOKIE)) {
 Cookie cookie =
 ApplicationSessionCookieConfig.createSessionCookie(
- context.getServletContext().getSessionCookieConfig(),
- session.getIdInternal(),
- isSecure(),
- context.getUseHttpOnly(),
- connector.getEmptySessionPath(),
- context.getEncodedPath(),
- context.getSessionCookieDomain());
+ context, session.getIdInternal(), isSecure());
 response.addCookieInternal(cookie);
 }
Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java Wed Mar 10 13:56:28 2010
@@ -20,6 +20,7 @@ package org.apache.catalina.core;
 import javax.servlet.SessionCookieConfig;
 import javax.servlet.http.Cookie;
+import org.apache.catalina.Context;
 import org.apache.catalina.Globals;
 public class ApplicationSessionCookieConfig implements SessionCookieConfig {
@@ -105,62 +106,60 @@ public class ApplicationSessionCookieCon
 /**
 * Creates a new session cookie for the given session ID
 *
- * @param scc The default session cookie configuration
+ * @param conetxt The Context for the web application
 * @param sessionId The ID of the session for which the cookie will be
 * created
 * @param secure Should session cookie be configured as secure
- * @param httpOnly Should session cookie be configured as httpOnly
- * @param emptyPath Should session cookie be configured with empty path
- * @param contextPath Context path to use if required
- * @param domain Domain to use for the session cookie. If null, use the
- * domain specified by the scc parameter.
 */
- public static Cookie createSessionCookie(SessionCookieConfig scc,
- String sessionId, boolean secure, boolean httpOnly,
- boolean emptyPath, String contextPath, String domain) {
-
- // Session config can over-ride default name
- String cookieName = scc.getName();
- if (cookieName == null) {
- cookieName = Globals.SESSION_COOKIE_NAME;
- }
- Cookie cookie = new Cookie(cookieName, sessionId);
+ public static Cookie createSessionCookie(Context context,
+ String sessionId, boolean secure) {
+
+ SessionCookieConfig scc =
+ context.getServletContext().getSessionCookieConfig();
+
+ // NOTE: The priority order for session cookie configuration is:
+ // 1. Context level configuration
+ // 2. Values from SessionCookieConfig
+ // 3. Defaults
+
+ String cookieName = scc.getName();
+ if (cookieName == null) {
+ cookieName = Globals.SESSION_COOKIE_NAME;
+ }
+ Cookie cookie = new Cookie(cookieName, sessionId);
- // Just apply the defaults.
- cookie.setMaxAge(scc.getMaxAge());
- cookie.setComment(scc.getComment());
+ // Just apply the defaults.
+ cookie.setMaxAge(scc.getMaxAge());
+ cookie.setComment(scc.getComment());
- if (domain == null) {
- // Avoid possible NPE
- if (scc.getDomain() != null) {
- cookie.setDomain(scc.getDomain());
- }
- } else {
- cookie.setDomain(domain);
- }
-
- // Always set secure if the request is secure
- if (scc.isSecure() || secure) {
- cookie.setSecure(true);
- }
-
- // Always set httpOnly if the context is configured for that
- if (scc.isHttpOnly() || httpOnly) {
- cookie.setHttpOnly(true);
- }
+ if (context.getSessionCookieDomain() == null) {
+ // Avoid possible NPE
+ if (scc.getDomain() != null) {
+ cookie.setDomain(scc.getDomain());
+ }
+ } else {
+ cookie.setDomain(context.getSessionCookieDomain());
+ }
+
+ // Always set secure if the request is secure
+ if (scc.isSecure() || secure) {
+ cookie.setSecure(true);
+ }
+
+ // Always set httpOnly if the context is configured for that
+ if (scc.isHttpOnly() || context.getUseHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
- // Don't set the path if the connector is configured to over-ride
- if (!emptyPath && scc.getPath() != null) {
- cookie.setPath(scc.getPath());
- } else {
- if (!emptyPath && contextPath != null && (contextPath.length() > 0)) {
- cookie.setPath(contextPath);
- } else {
- cookie.setPath("/");
- }
- }
- return cookie;
- }
-
-
+ String contextPath = context.getSessionCookiePath();
+ if (contextPath == null || contextPath.length() == 0) {
+ contextPath = scc.getPath();
+ }
+ if (contextPath == null || contextPath.length() == 0) {
+ contextPath = context.getEncodedPath();
+ }
+ cookie.setPath(contextPath);
+
+ return cookie;
+ }
 }
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ 
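Review bot: The rewritten path selection at the end of createSessionCookie drops the old final fallback to `/`: when neither the Context setting nor `scc.getPath()` is set and the context is the ROOT context, `context.getEncodedPath()` is presumably an empty string, so the cookie is emitted with an empty Path where the removed code set `"/"`, and a missing or empty Path attribute leaves the browser to scope the session cookie to the directory of the request that created the session, which can split one user across several sessions within the same webapp. Restore the fallback before the setPath call: `if (contextPath == null || contextPath.length() == 0) { contextPath = "/"; }`. Two smaller points in the same hunk: the Javadoc tag `@param conetxt` is a typo for `context`, and the local `contextPath` now holds the cookie path rather than the context path, so a name like `cookiePath` would read better. The NOTE comment states a strict Context → SessionCookieConfig → Defaults priority, but the secure and httpOnly branches OR the two sources rather than letting the Context override; a short clause such as `(secure and httpOnly are combined, not overridden)` would keep the comment accurate.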
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Wed Mar 10 13:56:28 2010
@@ -731,6 +731,13 @@ public class StandardContext
 /**
+ * The path to use for session cookies. <code>null</code> indicates that
+ * the path is controlled by the application.
+ */
+ private String sessionCookiePath;
+
+
+ /**
 * The Jar scanner to use to search for Jars that might contain
 * configuration information such as TLDs or web-fragment.xml files.
 */
@@ -1308,6 +1315,32 @@ public class StandardContext
 /**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath() {
+ return sessionCookiePath;
+ }
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath) {
+ String oldSessionCookiePath = this.sessionCookiePath;
+ this.sessionCookiePath = sessionCookiePath;
+ support.firePropertyChange("sessionCookiePath",
+ oldSessionCookiePath, sessionCookiePath);
+ }
+
+
+ /**
 * Return the "allow crossing servlet contexts" flag.
 */
 public boolean getCrossContext() {
Modified: tomcat/trunk/webapps/docs/config/ajp.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/ajp.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/ajp.xml (original)
+++ tomcat/trunk/webapps/docs/config/ajp.xml Wed Mar 10 13:56:28 2010
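Review bot: `setSessionCookiePath` in the @@ -1308 hunk stores whatever it is given verbatim, while the field comment in the @@ -731 hunk says only `null` means "controlled by the application"; an empty string configured as `sessionCookiePath=""` is therefore stored as non-null and only behaves as unset because the consumer happens to also test `length() == 0`. Either normalise in the setter, `if (sessionCookiePath != null && sessionCookiePath.length() == 0) { sessionCookiePath = null; }` ahead of the assignment, or state in the setter Javadoc that an empty value is treated as unset. Because the value is written straight into a Set-Cookie header by the consumer, the `@param` description should also say the path is expected to be an absolute path beginning with `/`, as the context.xml documentation in this commit already implies.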
@@ -79,13 +79,6 @@ HTTP method. If not specified, this
 attribute is set to false.</p>
 </attribute>
- <attribute name="emptySessionPath" required="false">
- <p>If set to <code>true</code>, all paths for session cookies will be set
- to <code>/</code>. This can be useful for portlet specification
- implementations. If not specified, this attribute is set to
- <code>false</code>.</p>
- </attribute>
-
 <attribute name="enableLookups" required="false">
 <p>Set to <code>true</code> if you want calls to
 <code>request.getRemoteHost()</code> to perform DNS lookups in
Modified: tomcat/trunk/webapps/docs/config/context.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/context.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/trunk/webapps/docs/config/context.xml Wed Mar 10 13:56:28 2010
@@ -244,6 +244,17 @@ used.</p>
 </attribute>
+ <attribute name="sessionCookiePath" required="false">
+ <p>The path to be used for all session cookies created for this
+ context. If set, this overrides any path set by the web application.
+ If not set, the value specified by the web application will be used, or
+ the context path used if the web application does not explicitly set
+ one. To configure all web application to use an empty path (this can be
+ useful for portlet specification implementations) set this attribute to
+ <code>/</code> in the global <code>CATALINA_BASE/conf/context.xml</code>
+ file.</p>
+ </attribute>
+
 <attribute name="wrapperClass" required="false">
 <p>Java class name of the <code>org.apache.catalina.Wrapper</code>
 implementation class that will be used for servlets managed by this
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 10 13:56:28 2010
@@ -79,13 +79,6 @@ HTTP method. If not specified, this
 attribute is set to false.</p>
 </attribute>
- <attribute name="emptySessionPath" required="false">
- <p>If set to <code>true</code>, all paths for session cookies will be set
- to <code>/</code>. This can be useful for portlet specification
- implementations. If not specified, this attribute is set to
- <code>false</code>.</p>
- </attribute>
-
 <attribute name="enableLookups" required="false">
 <p>Set to <code>true</code> if you want calls to
 <code>request.getRemoteHost()</code> to perform DNS lookups in
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org