shiro-dev mailing list archives

From "Allan Ditzel (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-330) Refactor Cookie / Simple Cookie & Add Encrypted Cookie
Date Fri, 30 Sep 2011 19:27:45 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13118305#comment-13118305 ]

Allan Ditzel commented on SHIRO-330:
------------------------------------

The attached patch does not address the issue that certain browsers drop the base64 pad due
to it being a cookie delimiter. Therefore the code should perform logic similar to what the
current CookieRememberMeManager does to handle this truncation:

    protected byte[] getRememberedSerializedIdentity(SubjectContext subjectContext) {

        if (!WebUtils.isHttp(subjectContext)) {
            if (log.isDebugEnabled()) {
                String msg = "SubjectContext argument is not an HTTP-aware instance.  This is required to obtain a " +
                        "servlet request and response in order to retrieve the rememberMe cookie. Returning " +
                        "immediately and ignoring rememberMe operation.";
                log.debug(msg);
            }
            return null;
        }

        WebSubjectContext wsc = (WebSubjectContext) subjectContext;
        if (isIdentityRemoved(wsc)) {
            return null;
        }

        HttpServletRequest request = WebUtils.getHttpRequest(wsc);
        HttpServletResponse response = WebUtils.getHttpResponse(wsc);

        String base64 = getCookie().readValue(request, response);
        // Browsers do not always remove cookies immediately (SHIRO-183)
        // ignore cookies that are scheduled for removal
        if (Cookie.DELETED_COOKIE_VALUE.equals(base64)) return null;

        if (base64 != null) {
            base64 = ensurePadding(base64);
            if (log.isTraceEnabled()) {
                log.trace("Acquired Base64 encoded identity [" + base64 + "]");
            }
            byte[] decoded = Base64.decode(base64);
            if (log.isTraceEnabled()) {
                log.trace("Base64 decoded byte array length: " + (decoded != null ? decoded.length : 0) + " bytes.");
            }
            return decoded;
        } else {
            //no cookie set - new site visitor?
            return null;
        }
    }

    /**
     * Sometimes a user agent will send the rememberMe cookie value without padding,
     * most likely because {@code =} is a separator in the cookie header.
     * <p/>
     * Contributed by Luis Arias.  Thanks Luis!
     *
     * @param base64 the base64 encoded String that may need to be padded
     * @return the base64 String padded if necessary.
     */
    private String ensurePadding(String base64) {
        int length = base64.length();
        if (length % 4 != 0) {
            StringBuilder sb = new StringBuilder(base64);
            // Base64 text is always a multiple of 4 characters long, so the number of
            // missing pad characters is 4 - (length % 4), not length % 4 (the latter
            // over-pads a value that lost a single '=').
            int missing = 4 - (length % 4);
            for (int i = 0; i < missing; ++i) {
                sb.append('=');
            }
            base64 = sb.toString();
        }
        return base64;
    }
                
> Refactor Cookie / Simple Cookie & Add Encrypted Cookie 
> -------------------------------------------------------
>
>                 Key: SHIRO-330
>                 URL: https://issues.apache.org/jira/browse/SHIRO-330
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Web
>    Affects Versions: 1.2.0
>            Reporter: Allan Ditzel
>            Priority: Minor
>             Fix For: 1.3.0
>
>         Attachments: encrypted_cookie1.patch
>
>
> The current Cookie/SimpleCookie mechanism blends usage and creational concerns, i.e.
> the cookie both holds state and is a factory, acting as a template to create new cookie instances.
> These concerns should be separated.
> In addition, it would be nice to have an encrypted cookie mechanism. Attached there is
> a patch for an initial implementation of an encrypted cookie based on 1.2.0 code. It's been
> added to capture the intent behind the cookie and to quickly patch the code base with this
> functionality before refactoring in a future version.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
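The padding repair the comment asks for, as an added example in Python (not Shiro's code): it replays a parser that treats every '=' as a delimiter on a constructed rememberMe cookie, restores the dropped padding with the correct count, and shows that the loop bound in the quoted ensurePadding over-pads a value that lost a single '='. The cookie name, the payload bytes and the helper names are assumptions made for this example.

```python
import base64
import binascii

# Constructed sample: a serialized identity as the rememberMe cookie would carry it
# (hypothetical payload, not Shiro's real serialization format).
SAMPLE_IDENTITY = b"alice@example.com"  # 17 bytes -> Base64 text ends in one '='
SAMPLE_COOKIE_HEADER = "rememberMe=" + base64.b64encode(SAMPLE_IDENTITY).decode()

def naive_cookie_value(header: str) -> str:
    """Mimic a user agent or parser that treats every '=' as a delimiter: only
    the first field after the name survives, so the trailing pad is lost."""
    return header.split("=")[1]

def ensure_padding(value: str) -> str:
    """Restore dropped '=' padding.  Base64 text length is a multiple of 4, so a
    remainder of 2 or 3 means 2 or 1 pad characters are missing.  A remainder
    of 1 cannot come from a valid encoder; it is left for the decoder to reject."""
    remainder = len(value) % 4
    if remainder in (2, 3):
        return value + "=" * (4 - remainder)
    return value

def ensure_padding_as_posted(value: str) -> str:
    """Loop bound from the snippet quoted above: appends (length % 4) pad
    characters, which equals 4 - (length % 4) only when the remainder is 2."""
    remainder = len(value) % 4
    return value + "=" * remainder if remainder != 0 else value

def decode_strict(padded: str):
    """Strict Base64 decode (alphabet and padding checked); None on bad input so
    a malformed cookie is treated as 'no identity' instead of raising."""
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None

def decode_identity(cookie_value):
    """Analogue of getRememberedSerializedIdentity's decode path."""
    if cookie_value is None:  # no cookie set - new site visitor?
        return None
    return decode_strict(ensure_padding(cookie_value))

if __name__ == "__main__":
    truncated = naive_cookie_value(SAMPLE_COOKIE_HEADER)
    print(truncated, "->", decode_identity(truncated))
    print("as posted:", ensure_padding_as_posted(truncated), "->",
          decode_strict(ensure_padding_as_posted(truncated)))
```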
