tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r921352 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/connector/ java/org/apache/catalina/core/ webapps/docs/config/
Date Wed, 10 Mar 2010 13:56:29 GMT
Author: markt
Date: Wed Mar 10 13:56:28 2010
New Revision: 921352

URL: http://svn.apache.org/viewvc?rev=921352&view=rev
Log:
Partial fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
Allow session cookie path to be configured per context
With this option, the servlet 3 options and Connector.emptySessionPath there were just too
many places this was being configured so the Connector option has been removed for Tomcat
7.

Modified:
    tomcat/trunk/java/org/apache/catalina/Context.java
    tomcat/trunk/java/org/apache/catalina/connector/Connector.java
    tomcat/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
    tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
    tomcat/trunk/webapps/docs/config/ajp.xml
    tomcat/trunk/webapps/docs/config/context.xml
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Wed Mar 10 13:56:28 2010
@@ -211,13 +211,32 @@ public interface Context extends Contain
      * @param sessionCookieDomain   The domain to use
      */
     public void setSessionCookieDomain(String sessionCookieDomain);
+
+    
+    /**
+     * Gets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @return  The value of the default session cookie path or null if not
+     *          specified
+     */
+    public String getSessionCookiePath();
+    
+    
+    /**
+     * Sets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @param sessionCookiePath   The path to use
+     */
+    public void setSessionCookiePath(String sessionCookiePath);
+
     
     /**
      * Return the "allow crossing servlet contexts" flag.
      */
     public boolean getCrossContext();
 
-
     
     /**
      * Return the alternate Deployment Descriptor name.

Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Wed Mar 10 13:56:28 2010
@@ -105,12 +105,6 @@ public class Connector extends Lifecycle
 
 
     /**
-     * Use "/" as path for session cookies ?
-     */
-    protected boolean emptySessionPath = false;
-
-
-    /**
      * The "enable DNS lookups" flag for this Connector.
      */
     protected boolean enableLookups = false;
@@ -398,29 +392,6 @@ public class Connector extends Lifecycle
 
 
     /**
-     * Return the "empty session path" flag.
-     */
-    public boolean getEmptySessionPath() {
-
-        return (this.emptySessionPath);
-
-    }
-
-
-    /**
-     * Set the "empty session path" flag.
-     *
-     * @param emptySessionPath The new "empty session path" flag value
-     */
-    public void setEmptySessionPath(boolean emptySessionPath) {
-
-        this.emptySessionPath = emptySessionPath;
-        setProperty("emptySessionPath", String.valueOf(emptySessionPath));
-
-    }
-
-
-    /**
      * Return the "enable DNS lookups" flag.
      */
     public boolean getEnableLookups() {

Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Mar 10 13:56:28 2010
@@ -2273,14 +2273,8 @@ public class Request
         
         if (response != null) {
             Cookie newCookie =
-                ApplicationSessionCookieConfig.createSessionCookie(
-                        context.getServletContext().getSessionCookieConfig(),
-                        newSessionId,
-                        secure,
-                        context.getUseHttpOnly(),
-                        response.getConnector().getEmptySessionPath(),
-                        context.getEncodedPath(),
-                        context.getSessionCookieDomain());
+                ApplicationSessionCookieConfig.createSessionCookie(context,
+                        newSessionId, secure);
             response.addCookie(newCookie);
         }
     }
@@ -2542,7 +2536,7 @@ public class Request
         // Do not reuse the session id if it is from a URL, to prevent possible
         // phishing attacks
         // Use the SSL session ID if one is present. 
-        if ((connector.getEmptySessionPath() 
+        if (("/".equals(context.getSessionCookiePath()) 
                 && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
             session = manager.createSession(getRequestedSessionId());
         } else {
@@ -2556,13 +2550,7 @@ public class Request
                                SessionTrackingMode.COOKIE)) {
             Cookie cookie =
                 ApplicationSessionCookieConfig.createSessionCookie(
-                        context.getServletContext().getSessionCookieConfig(),
-                        session.getIdInternal(),
-                        isSecure(),
-                        context.getUseHttpOnly(),
-                        connector.getEmptySessionPath(),
-                        context.getEncodedPath(),
-                        context.getSessionCookieDomain());
+                        context, session.getIdInternal(), isSecure());
             
             response.addCookieInternal(cookie);
         }

Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java Wed Mar
10 13:56:28 2010
@@ -20,6 +20,7 @@ package org.apache.catalina.core;
 import javax.servlet.SessionCookieConfig;
 import javax.servlet.http.Cookie;
 
+import org.apache.catalina.Context;
 import org.apache.catalina.Globals;
 
 public class ApplicationSessionCookieConfig implements SessionCookieConfig {
@@ -105,62 +106,60 @@ public class ApplicationSessionCookieCon
     /**
      * Creates a new session cookie for the given session ID
      *
-     * @param scc         The default session cookie configuration
+     * @param conetxt     The Context for the web application
      * @param sessionId   The ID of the session for which the cookie will be
      *                    created
      * @param secure      Should session cookie be configured as secure
-     * @param httpOnly    Should session cookie be configured as httpOnly
-     * @param emptyPath   Should session cookie be configured with empty path
-     * @param contextPath Context path to use if required       
-     * @param domain      Domain to use for the session cookie. If null, use the
-     *                    domain specified by the scc parameter.
      */
-    public static Cookie createSessionCookie(SessionCookieConfig scc,
-            String sessionId, boolean secure, boolean httpOnly,
-            boolean emptyPath, String contextPath, String domain) {
-
-       // Session config can over-ride default name  
-       String cookieName = scc.getName();
-       if (cookieName == null) {
-           cookieName = Globals.SESSION_COOKIE_NAME;
-       }
-       Cookie cookie = new Cookie(cookieName, sessionId);
+    public static Cookie createSessionCookie(Context context,
+            String sessionId, boolean secure) {
+
+        SessionCookieConfig scc =
+            context.getServletContext().getSessionCookieConfig();
+
+        // NOTE: The priority order for session cookie configuration is:
+        //       1. Context level configuration
+        //       2. Values from SessionCookieConfig
+        //       3. Defaults
+
+        String cookieName = scc.getName();
+        if (cookieName == null) {
+            cookieName = Globals.SESSION_COOKIE_NAME;
+        }
+        Cookie cookie = new Cookie(cookieName, sessionId);
        
-       // Just apply the defaults.
-       cookie.setMaxAge(scc.getMaxAge());
-       cookie.setComment(scc.getComment());
+        // Just apply the defaults.
+        cookie.setMaxAge(scc.getMaxAge());
+        cookie.setComment(scc.getComment());
        
-       if (domain == null) {
-           // Avoid possible NPE
-           if (scc.getDomain() != null) {
-               cookie.setDomain(scc.getDomain());
-           }
-       } else {
-           cookie.setDomain(domain);
-       }
-
-       // Always set secure if the request is secure
-       if (scc.isSecure() || secure) {
-           cookie.setSecure(true);
-       }
-
-       // Always set httpOnly if the context is configured for that
-       if (scc.isHttpOnly() || httpOnly) {
-           cookie.setHttpOnly(true);
-       }
+        if (context.getSessionCookieDomain() == null) {
+            // Avoid possible NPE
+            if (scc.getDomain() != null) {
+                cookie.setDomain(scc.getDomain());
+            }
+        } else {
+            cookie.setDomain(context.getSessionCookieDomain());
+        }
+
+        // Always set secure if the request is secure
+        if (scc.isSecure() || secure) {
+            cookie.setSecure(true);
+        }
+
+        // Always set httpOnly if the context is configured for that
+        if (scc.isHttpOnly() || context.getUseHttpOnly()) {
+            cookie.setHttpOnly(true);
+        }
        
-       // Don't set the path if the connector is configured to over-ride
-       if (!emptyPath && scc.getPath() != null) {
-           cookie.setPath(scc.getPath());
-       } else {
-           if (!emptyPath && contextPath != null && (contextPath.length()
> 0)) {
-               cookie.setPath(contextPath);
-           } else {
-               cookie.setPath("/");
-           }
-       }
-       return cookie;
-   }
-   
- 
+        String contextPath = context.getSessionCookiePath();
+        if (contextPath == null || contextPath.length() == 0) {
+            contextPath = scc.getPath();
+        }
+        if (contextPath == null || contextPath.length() == 0) {
+            contextPath = context.getEncodedPath();
+        }
+        cookie.setPath(contextPath);
+
+        return cookie;
+    }
 }

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Wed Mar 10 13:56:28 2010
@@ -731,6 +731,13 @@ public class StandardContext
     
     
     /**
+     * The path to use for session cookies. <code>null</code> indicates that
+     * the path is controlled by the application.
+     */
+    private String sessionCookiePath;
+    
+    
+    /**
      * The Jar scanner to use to search for Jars that might contain
      * configuration information such as TLDs or web-fragment.xml files. 
      */
@@ -1308,6 +1315,32 @@ public class StandardContext
     
 
     /**
+     * Gets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @return  The value of the default session cookie path or null if not
+     *          specified
+     */
+    public String getSessionCookiePath() {
+        return sessionCookiePath;
+    }
+    
+    
+    /**
+     * Sets the path to use for session cookies. Overrides any setting that
+     * may be specified by the application.
+     * 
+     * @param sessionCookiePath   The path to use
+     */
+    public void setSessionCookiePath(String sessionCookiePath) {
+        String oldSessionCookiePath = this.sessionCookiePath;
+        this.sessionCookiePath = sessionCookiePath;
+        support.firePropertyChange("sessionCookiePath",
+                oldSessionCookiePath, sessionCookiePath);
+    }
+    
+
+    /**
      * Return the "allow crossing servlet contexts" flag.
      */
     public boolean getCrossContext() {

Modified: tomcat/trunk/webapps/docs/config/ajp.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/ajp.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/ajp.xml (original)
+++ tomcat/trunk/webapps/docs/config/ajp.xml Wed Mar 10 13:56:28 2010
@@ -79,13 +79,6 @@
       HTTP method. If not specified, this attribute is set to false.</p>
     </attribute>
 
-    <attribute name="emptySessionPath" required="false">
-      <p>If set to <code>true</code>, all paths for session cookies will
be set
-      to <code>/</code>. This can be useful for portlet specification
-      implementations. If not specified, this attribute is set to
-      <code>false</code>.</p>
-    </attribute>
-
     <attribute name="enableLookups" required="false">
       <p>Set to <code>true</code> if you want calls to
       <code>request.getRemoteHost()</code> to perform DNS lookups in

Modified: tomcat/trunk/webapps/docs/config/context.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/context.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/trunk/webapps/docs/config/context.xml Wed Mar 10 13:56:28 2010
@@ -244,6 +244,17 @@
         used.</p>
       </attribute>
       
+      <attribute name="sessionCookiePath" required="false">
+        <p>The path to be used for all session cookies created for this
+        context. If set, this overrides any path set by the web application.
+        If not set, the value specified by the web application will be used, or
+        the context path used if the web application does not explicitly set
+        one. To configure all web application to use an empty path (this can be
+        useful for portlet specification implementations) set this attribute to
+        <code>/</code> in the global <code>CATALINA_BASE/conf/context.xml</code>
+        file.</p>
+      </attribute>
+      
       <attribute name="wrapperClass" required="false">
         <p>Java class name of the <code>org.apache.catalina.Wrapper</code>
         implementation class that will be used for servlets managed by this

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=921352&r1=921351&r2=921352&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 10 13:56:28 2010
@@ -79,13 +79,6 @@
       HTTP method. If not specified, this attribute is set to false.</p>
     </attribute>
 
-    <attribute name="emptySessionPath" required="false">
-      <p>If set to <code>true</code>, all paths for session cookies will
be set
-      to <code>/</code>. This can be useful for portlet specification
-      implementations. If not specified, this attribute is set to
-      <code>false</code>.</p>
-    </attribute>
-
     <attribute name="enableLookups" required="false">
       <p>Set to <code>true</code> if you want calls to
       <code>request.getRemoteHost()</code> to perform DNS lookups in



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message