Author: markt
Date: Wed Mar 10 13:56:28 2010
New Revision: 921352

URL: http://svn.apache.org/viewvc?rev=921352&view=rev
Log:
Partial fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
Allow session cookie path to be configured per context
With this option, the servlet 3 options and Connector.emptySessionPath, there
were just too many places where this was being configured, so the Connector option has
been removed for Tomcat 7.

Modified:
    tomcat/trunk/java/org/apache/catalina/Context.java
    tomcat/trunk/java/org/apache/catalina/connector/Connector.java
    tomcat/trunk/java/org/apache/catalina/connector/Request.java
    
tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
    tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
    tomcat/trunk/webapps/docs/config/ajp.xml
    tomcat/trunk/webapps/docs/config/context.xml
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Wed Mar 10 13:56:28 2010
@@ -211,13 +211,32 @@ public interface Context extends Contain
      * @param sessionCookieDomain   The domain to use
      */
     public void setSessionCookieDomain(String sessionCookieDomain);
+
+    
+    /**
+     * Gets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @return  The value of the default session cookie path or null if not
+     *          specified
+     */
+    public String getSessionCookiePath();
+    
+    
+    /**
+     * Sets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @param sessionCookiePath   The path to use
+     */
+    public void setSessionCookiePath(String sessionCookiePath);
+
     
     /**
      * Return the "allow crossing servlet contexts" flag.
      */
     public boolean getCrossContext();
 
-
     
     /**
      * Return the alternate Deployment Descriptor name.
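Review bot: The Javadoc on `getSessionCookiePath()` describes the return value as "the default session cookie path", while its summary sentence says the value overrides whatever the application specifies; the two read as opposite precedence. I would word the tag as `@return The session cookie path configured for this context, or null if the application's own setting applies`. The setter's Javadoc could also say that createSessionCookie treats an empty string the same as null, and that a value of `/` causes the session cookie to be sent to every web application on the host rather than only this context. The same Javadoc is repeated on the StandardContext implementation and its field comment, so the wording should be changed there too.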

Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Wed Mar 10 
13:56:28 2010
@@ -105,12 +105,6 @@ public class Connector extends Lifecycle
 
 
     /**
-     * Use "/" as path for session cookies ?
-     */
-    protected boolean emptySessionPath = false;
-
-
-    /**
      * The "enable DNS lookups" flag for this Connector.
      */
     protected boolean enableLookups = false;
@@ -398,29 +392,6 @@ public class Connector extends Lifecycle
 
 
     /**
-     * Return the "empty session path" flag.
-     */
-    public boolean getEmptySessionPath() {
-
-        return (this.emptySessionPath);
-
-    }
-
-
-    /**
-     * Set the "empty session path" flag.
-     *
-     * @param emptySessionPath The new "empty session path" flag value
-     */
-    public void setEmptySessionPath(boolean emptySessionPath) {
-
-        this.emptySessionPath = emptySessionPath;
-        setProperty("emptySessionPath", String.valueOf(emptySessionPath));
-
-    }
-
-
-    /**
      * Return the "enable DNS lookups" flag.
      */
     public boolean getEnableLookups() {

Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Mar 10 
13:56:28 2010
@@ -2273,14 +2273,8 @@ public class Request
         
         if (response != null) {
             Cookie newCookie =
-                ApplicationSessionCookieConfig.createSessionCookie(
-                        context.getServletContext().getSessionCookieConfig(),
-                        newSessionId,
-                        secure,
-                        context.getUseHttpOnly(),
-                        response.getConnector().getEmptySessionPath(),
-                        context.getEncodedPath(),
-                        context.getSessionCookieDomain());
+                ApplicationSessionCookieConfig.createSessionCookie(context,
+                        newSessionId, secure);
             response.addCookie(newCookie);
         }
     }
@@ -2542,7 +2536,7 @@ public class Request
         // Do not reuse the session id if it is from a URL, to prevent possible
         // phishing attacks
         // Use the SSL session ID if one is present. 
-        if ((connector.getEmptySessionPath() 
+        if (("/".equals(context.getSessionCookiePath()) 
                 && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
             session = manager.createSession(getRequestedSessionId());
         } else {
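Review bot: The reuse branch guarded by `"/".equals(context.getSessionCookiePath())` still hands the cookie-supplied ID straight to `manager.createSession(getRequestedSessionId())`, and nothing visible in this hunk checks that the ID already belongs to a session in another context on the host. Because the trigger is now a per-context attribute instead of a Connector flag, any context configured with path `/` accepts a client-chosen session ID, so either a comment stating that assumption or a lookup of the ID in the host's other contexts before accepting it would make the session-fixation exposure explicit. The test also looks only at the Context attribute, while createSessionCookie falls back to `scc.getPath()`, so an application that sets `/` through SessionCookieConfig gets a root-path cookie without ID reuse; it is worth confirming that this difference is intended. The enclosing method starts and ends outside the hunk, so a later check may exist that is not shown here.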
@@ -2556,13 +2550,7 @@ public class Request
                                SessionTrackingMode.COOKIE)) {
             Cookie cookie =
                 ApplicationSessionCookieConfig.createSessionCookie(
-                        context.getServletContext().getSessionCookieConfig(),
-                        session.getIdInternal(),
-                        isSecure(),
-                        context.getUseHttpOnly(),
-                        connector.getEmptySessionPath(),
-                        context.getEncodedPath(),
-                        context.getSessionCookieDomain());
+                        context, session.getIdInternal(), isSecure());
             
             response.addCookieInternal(cookie);
         }

Modified: 
tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- 
tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java 
(original)
+++ 
tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java 
Wed Mar 10 13:56:28 2010
@@ -20,6 +20,7 @@ package org.apache.catalina.core;
 import javax.servlet.SessionCookieConfig;
 import javax.servlet.http.Cookie;
 
+import org.apache.catalina.Context;
 import org.apache.catalina.Globals;
 
 public class ApplicationSessionCookieConfig implements SessionCookieConfig {
@@ -105,62 +106,60 @@ public class ApplicationSessionCookieCon
     /**
      * Creates a new session cookie for the given session ID
      *
-     * @param scc         The default session cookie configuration
+     * @param conetxt     The Context for the web application
      * @param sessionId   The ID of the session for which the cookie will be
      *                    created
      * @param secure      Should session cookie be configured as secure
-     * @param httpOnly    Should session cookie be configured as httpOnly
-     * @param emptyPath   Should session cookie be configured with empty path
-     * @param contextPath Context path to use if required       
-     * @param domain      Domain to use for the session cookie. If null, use 
the
-     *                    domain specified by the scc parameter.
      */
-    public static Cookie createSessionCookie(SessionCookieConfig scc,
-            String sessionId, boolean secure, boolean httpOnly,
-            boolean emptyPath, String contextPath, String domain) {
-
-       // Session config can over-ride default name  
-       String cookieName = scc.getName();
-       if (cookieName == null) {
-           cookieName = Globals.SESSION_COOKIE_NAME;
-       }
-       Cookie cookie = new Cookie(cookieName, sessionId);
+    public static Cookie createSessionCookie(Context context,
+            String sessionId, boolean secure) {
+
+        SessionCookieConfig scc =
+            context.getServletContext().getSessionCookieConfig();
+
+        // NOTE: The priority order for session cookie configuration is:
+        //       1. Context level configuration
+        //       2. Values from SessionCookieConfig
+        //       3. Defaults
+
+        String cookieName = scc.getName();
+        if (cookieName == null) {
+            cookieName = Globals.SESSION_COOKIE_NAME;
+        }
+        Cookie cookie = new Cookie(cookieName, sessionId);
        
-       // Just apply the defaults.
-       cookie.setMaxAge(scc.getMaxAge());
-       cookie.setComment(scc.getComment());
+        // Just apply the defaults.
+        cookie.setMaxAge(scc.getMaxAge());
+        cookie.setComment(scc.getComment());
        
-       if (domain == null) {
-           // Avoid possible NPE
-           if (scc.getDomain() != null) {
-               cookie.setDomain(scc.getDomain());
-           }
-       } else {
-           cookie.setDomain(domain);
-       }
-
-       // Always set secure if the request is secure
-       if (scc.isSecure() || secure) {
-           cookie.setSecure(true);
-       }
-
-       // Always set httpOnly if the context is configured for that
-       if (scc.isHttpOnly() || httpOnly) {
-           cookie.setHttpOnly(true);
-       }
+        if (context.getSessionCookieDomain() == null) {
+            // Avoid possible NPE
+            if (scc.getDomain() != null) {
+                cookie.setDomain(scc.getDomain());
+            }
+        } else {
+            cookie.setDomain(context.getSessionCookieDomain());
+        }
+
+        // Always set secure if the request is secure
+        if (scc.isSecure() || secure) {
+            cookie.setSecure(true);
+        }
+
+        // Always set httpOnly if the context is configured for that
+        if (scc.isHttpOnly() || context.getUseHttpOnly()) {
+            cookie.setHttpOnly(true);
+        }
        
-       // Don't set the path if the connector is configured to over-ride
-       if (!emptyPath && scc.getPath() != null) {
-           cookie.setPath(scc.getPath());
-       } else {
-           if (!emptyPath && contextPath != null && (contextPath.length() > 
0)) {
-               cookie.setPath(contextPath);
-           } else {
-               cookie.setPath("/");
-           }
-       }
-       return cookie;
-   }
-   
- 
+        String contextPath = context.getSessionCookiePath();
+        if (contextPath == null || contextPath.length() == 0) {
+            contextPath = scc.getPath();
+        }
+        if (contextPath == null || contextPath.length() == 0) {
+            contextPath = context.getEncodedPath();
+        }
+        cookie.setPath(contextPath);
+
+        return cookie;
+    }
 }
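Review bot: The new path fallback in createSessionCookie stops at `context.getEncodedPath()` and drops the `"/"` default that the removed code applied when the context path was empty, so a context whose encoded path is an empty string (presumably the ROOT context) now gets a session cookie with an empty path. Adding `if (contextPath == null || contextPath.length() == 0) { contextPath = "/"; }` just before `cookie.setPath(contextPath)` restores the previous behaviour. The local would also read better as `cookiePath`, since it can hold the Context attribute or the SessionCookieConfig value rather than the context path. The Javadoc tag `@param conetxt` should be `@param context`.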

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Wed Mar 10 
13:56:28 2010
@@ -731,6 +731,13 @@ public class StandardContext
     
     
     /**
+     * The path to use for session cookies. <code>null</code> indicates that
+     * the path is controlled by the application.
+     */
+    private String sessionCookiePath;
+    
+    
+    /**
      * The Jar scanner to use to search for Jars that might contain
      * configuration information such as TLDs or web-fragment.xml files. 
      */
@@ -1308,6 +1315,32 @@ public class StandardContext
     
 
     /**
+     * Gets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @return  The value of the default session cookie path or null if not
+     *          specified
+     */
+    public String getSessionCookiePath() {
+        return sessionCookiePath;
+    }
+    
+    
+    /**
+     * Sets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @param sessionCookiePath   The path to use
+     */
+    public void setSessionCookiePath(String sessionCookiePath) {
+        String oldSessionCookiePath = this.sessionCookiePath;
+        this.sessionCookiePath = sessionCookiePath;
+        support.firePropertyChange("sessionCookiePath",
+                oldSessionCookiePath, sessionCookiePath);
+    }
+    
+
+    /**
      * Return the "allow crossing servlet contexts" flag.
      */
     public boolean getCrossContext() {

Modified: tomcat/trunk/webapps/docs/config/ajp.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/ajp.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/ajp.xml (original)
+++ tomcat/trunk/webapps/docs/config/ajp.xml Wed Mar 10 13:56:28 2010
@@ -79,13 +79,6 @@
       HTTP method. If not specified, this attribute is set to false.</p>
     </attribute>
 
-    <attribute name="emptySessionPath" required="false">
-      <p>If set to <code>true</code>, all paths for session cookies will be set
-      to <code>/</code>. This can be useful for portlet specification
-      implementations. If not specified, this attribute is set to
-      <code>false</code>.</p>
-    </attribute>
-
     <attribute name="enableLookups" required="false">
       <p>Set to <code>true</code> if you want calls to
       <code>request.getRemoteHost()</code> to perform DNS lookups in

Modified: tomcat/trunk/webapps/docs/config/context.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/context.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/trunk/webapps/docs/config/context.xml Wed Mar 10 13:56:28 2010
@@ -244,6 +244,17 @@
         used.</p>
       </attribute>
       
+      <attribute name="sessionCookiePath" required="false">
+        <p>The path to be used for all session cookies created for this
+        context. If set, this overrides any path set by the web application.
+        If not set, the value specified by the web application will be used, or
+        the context path used if the web application does not explicitly set
+        one. To configure all web application to use an empty path (this can be
+        useful for portlet specification implementations) set this attribute to
+        <code>/</code> in the global 
<code>CATALINA_BASE/conf/context.xml</code>
+        file.</p>
+      </attribute>
+      
       <attribute name="wrapperClass" required="false">
         <p>Java class name of the <code>org.apache.catalina.Wrapper</code>
         implementation class that will be used for servlets managed by this

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 10 13:56:28 2010
@@ -79,13 +79,6 @@
       HTTP method. If not specified, this attribute is set to false.</p>
     </attribute>
 
-    <attribute name="emptySessionPath" required="false">
-      <p>If set to <code>true</code>, all paths for session cookies will be set
-      to <code>/</code>. This can be useful for portlet specification
-      implementations. If not specified, this attribute is set to
-      <code>false</code>.</p>
-    </attribute>
-
     <attribute name="enableLookups" required="false">
       <p>Set to <code>true</code> if you want calls to
       <code>request.getRemoteHost()</code> to perform DNS lookups in


