cxf-users mailing list archives

From Vincenzo Vitale <vincenzo.vit...@gmail.com>
Subject Re: Access to HTTP cookie values in Interceptor or Invoker implementation?
Date Mon, 18 Jan 2010 15:19:24 GMT
Only one value:

user_token_w=vincenzo.vitale@gmail.com
|1295450533|d91I1lzvMwON0RHsSCCMLA==|tzeO3oQSbDxU3Qr86v9sIigVNy3mhx
wlBNPt3bqEr3g=; user_logged_in=true


I'll try the other changes later.


thanks,
V.

On Mon, Jan 18, 2010 at 3:58 PM, Sergey Beryozkin <sberyozk@progress.com> wrote:

> Hi
>
>
>  We use something like this:
>>
>> response.addHeader("Set-Cookie",
>> "user_token_w=rotterdam@tomtomtest.com
>> |1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=;
>> path=/; httpOnly");
>>
>> called different times with different names (and also a secure only
>> cookie)
>> since we also need the httpOnly flag to be set thus it's not possible to
>> use
>> the normal javax.servlet.http.Cookie class.
>>
>
> But this is a Set-Cookie header, not a Cookie header ? by the way, there is
> a JAX-RS NewCookie utility class that might be used instead...Actually, I
> see, you're probably using HttpServletResponse directly...
>
>
>
>> Tampering the request we see that the header value is :
>> Set-Cookie=user_token_w=rotterdam@tomtomtest.com
>> |1295442881|laFf9MAZUTc7rvJqhq54rQ==|CX7PgJK0P4zEywRtG9ix+L98jTfILumYrPKYZ4luxfc=;
>> path=/; httpOnly
>> user_logged_in=true; path=/
>> user_token_s=rotterdam@tomtomtest.com
>> |1263863681|+jZzblDmjCo1wWFZOdxRaQ==|3r1WMPuUk2ghrvl+3RmcIPLjueD8fjBYPnbBN/s+3j0=;
>> path=/; httpOnly; Secure
>>
>> where the carriage return seems to be used as separator.
>>
>
> AFAIK it is something (the carriage return) that is kind of an
> internal/on-the-wire detail only and it is used for the readability
> purposes, when the header value is too long. According to [2], the older
> state management rfc, "the Set-Cookie response header comprises the token
> Set-Cookie:, followed by a *comma-separated* list of one or more cookies."
>
>
>
>> To get the values I used this code:
>>
> I see...After your server replies with Set-Cookie, the code below is used
> to retrieve the original cookies sent back by a client...
>
>
>              String cookieHeaderString =
>>                   new org.apache.cxf.jaxrs.impl.MetadataMap<String,
>> String>(
>>                           (Map<String, List<String>>) m
>>                                   .get(Message.PROTOCOL_HEADERS))
>>                           .getFirst("Cookie");
>>           // XXX: In some systems instead of Cookie, cookie must be used.
>>           if (cookieHeaderString == null) {
>>               cookieHeaderString =
>>                       new org.apache.cxf.jaxrs.impl.MetadataMap<String,
>> String>(
>>                               (Map<String, List<String>>) m
>>                                       .get(Message.PROTOCOL_HEADERS))
>>                               .getFirst("cookie");
>>           }
>>
>> the double call is because in linux+jboss+firefox instead of 'Cookie',
>> 'cookie' is used.
>>
>
> Note that HttpHeaders is using a case-insensitive MetadataMap as required
> by JAX-RS, you can do the same by doing new
> org.apache.cxf.jaxrs.impl.MetadataMap(map, true, true);
>
>
>
>> changing the ; to ' when setting the header value doesn't change the
>> behaviour.
>>
>
> I meant that the Cookie header string should contain a ',' as a separator
> between multiple values. Given that HttpServletResponse does not add a ','
> between different Set-Cookie values when you do multiple SetCookie on it, no
> ',' is present in the client request either. Can you confirm once again
> please no ',' is available in a Cookie value ? [1] also says :
>
>
>  the call to:
>> Map<String, Cookie> cookies = headers.getCookies();
>> always returns only a cookie (the user_logged_in one).
>>
>
> Can you please do the following :
>
> for (String value : message.get(Message.PROTOCOL_HEADERS).get("Cookie")) {
>
> System.out.println(value);
>
> }
>
> will you get a single value containing something like
>
> "user_token_w=amsterdam@vicio.com
> |1295428834|7mMx6SxeIeSaWhygsOsAyA==|Iy/1xl/kOwderfdsdhAg/ip1Qsb0dwerQOJ8zDYJ34=;
> user_logged_in=true"
>
> or two values, one is
>
>
> "user_token_w=amsterdam@vicio.com
> |1295428834|7mMx6SxeIeSaWhygsOsAyA==|Iy/1xl/kOwderfdsdhAg/ip1Qsb0dwerQOJ8zDYJ34=;"
>
> and the other one is :
>
> "user_logged_in=true"
>
> ?
>
> That is, I'd like to check if the underlying container sees the Cookie
> headers containing a single value or two values.
>
> perhaps, rather than doing multiple response.addHeader("SetCookie", value),
> you can instead build a SetCookie string containing of multiple values
> separated by ',' and then do response.addHeader("SetCookie", value) just
> once ?
>
> The problem is that I do not see either in HTTP 1.1 [2] or [1] that a
> 'next line' can be used as a separator between multiple Cookie values.
> Perhaps the multi-line string should be just folded back, due to the fact a
> CRLF or LWS [2] have been used to separate multiple words ?
>
> I guess what I can try to do is to let users explicitly configure a
> jaxrs:server endpoint with a property like
> "org.apache.cxf.http.cookie.separator=crlf" ? First though, let me know if
> you can update the server code as suggested above, for ',' being used as a
> separator
>
> thanks, Sergey
>
>
>>
>>
>> Cheers,
>> V.
>>
>
> [1] http://tools.ietf.org/html/rfc2109
> [2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
>
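
The header handling discussed in this thread, as an added example that is not code from either poster or from CXF: a case-insensitive header lookup followed by a Cookie header parse that accepts ';' or ',' as separator and keeps base64 '=' padding inside the value. The class name, method name and sample cookie values are constructed for illustration, and only the Java standard library is used.

```java
import java.util.*;

public class CookieHeaderExample {

    /** Parses the value of a Cookie request header into name -> value pairs. */
    static Map<String, String> parseCookieHeader(String headerValue) {
        Map<String, String> cookies = new LinkedHashMap<>();
        if (headerValue == null) {
            return cookies;
        }
        // Undo header line folding (line break followed by whitespace), which
        // RFC 2616 allows a recipient to replace with a single space.
        String unfolded = headerValue.replaceAll("\\r?\\n[ \\t]+", " ");
        // ';' is what browsers send; RFC 2109 also allows ',' in a Cookie header.
        for (String pair : unfolded.split("[;,]")) {
            // Split on the first '=' only, so '=' padding stays in the value.
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                continue; // skip empty or nameless fragments
            }
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            cookies.put(name, value);
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample data, shaped like the header shown in the thread.
        // The comparator makes the lookup independent of header-name case.
        Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("cookie", Arrays.asList(
            "user_token_w=user@example.com|1295450533|QUJDRA==|c2lnbmF0dXJlIQ==;"
                + " user_logged_in=true"));

        // "Cookie" finds the entry that the container stored as "cookie".
        for (String value : headers.getOrDefault("Cookie", Collections.emptyList())) {
            parseCookieHeader(value)
                .forEach((name, val) -> System.out.println(name + " -> " + val));
        }
    }
}
```

Splitting on ',' is only appropriate for the Cookie request header; a Set-Cookie response value can carry commas inside attributes such as an expiry date.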
