You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@unomi.apache.org by jk...@apache.org on 2022/01/04 10:45:47 UTC

[unomi] branch handleProfileCookieHttpOnlySecure created (now 7d8a6f6)

This is an automated email from the ASF dual-hosted git repository.

jkevan pushed a change to branch handleProfileCookieHttpOnlySecure
in repository https://gitbox.apache.org/repos/asf/unomi.git.


      at 7d8a6f6  UNOMI-541: handle HttpOnly and Secure option for the profileId cookie

This branch includes the following new commits:

     new 7d8a6f6  UNOMI-541: handle HttpOnly and Secure option for the profileId cookie

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

[unomi] 01/01: UNOMI-541: handle HttpOnly and Secure option for the profileId cookie

Posted by jk...@apache.org.

This is an automated email from the ASF dual-hosted git repository.

jkevan pushed a commit to branch handleProfileCookieHttpOnlySecure
in repository https://gitbox.apache.org/repos/asf/unomi.git

commit 7d8a6f6f3464648f7c5367eea787946fb1339690
Author: Kevan <ke...@jahia.com>
AuthorDate: Tue Jan 4 11:45:31 2022 +0100

    UNOMI-541: handle HttpOnly and Secure option for the profileId cookie
---
 package/src/main/resources/etc/custom.system.properties           | 2 ++
 .../java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java | 2 +-
 rest/src/main/java/org/apache/unomi/utils/HttpUtils.java          | 7 +++++--
 wab/src/main/java/org/apache/unomi/web/ContextServlet.java        | 8 +++++++-
 wab/src/main/resources/OSGI-INF/blueprint/blueprint.xml           | 2 ++
 wab/src/main/resources/org.apache.unomi.web.cfg                   | 2 ++
 6 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/package/src/main/resources/etc/custom.system.properties b/package/src/main/resources/etc/custom.system.properties
index 01a9f38..fbb3a4d 100644
--- a/package/src/main/resources/etc/custom.system.properties
+++ b/package/src/main/resources/etc/custom.system.properties
@@ -207,6 +207,8 @@ org.apache.unomi.profile.cookie.domain=${env:UNOMI_PROFILE_COOKIE_DOMAIN:-}
 org.apache.unomi.profile.cookie.name=${env:UNOMI_PROFILE_COOKIE_NAME:-context-profile-id}
 # This setting controls the maximum age of the profile cookie. By default it is set to a year.
 org.apache.unomi.profile.cookie.maxAgeInSeconds=${env:UNOMI_PROFILE_COOKIE_MAXAGEINSECONDS:-31536000}
+# This setting controls if the cookie should be flagged as HttpOnly or not.
+org.apache.unomi.profile.cookie.httpOnly=${env:UNOMI_PROFILE_COOKIE_HTTPONLY:-false}
 #Allowed profile download formats, actually only csv (horizontal and vertical), json, text and yaml are allowed.
 org.apache.unomi.profile.download.formats=${env:UNOMI_PROFILE_DOWNLOAD_FORMATS:-csv,yaml,json,text}
 # This setting allow for request size (Content-length) protection. Checking that the requests do not exceed the limit.
diff --git a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
index 3184e60..7780c7a 100644
--- a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
+++ b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
@@ -344,7 +344,7 @@ public class ContextJsonEndpoint {
         }
         // Set profile cookie
         if (!(profile instanceof Persona)) {
-            response.setHeader("Set-Cookie", HttpUtils.getProfileCookieString(profile, configSharingService));
+            response.setHeader("Set-Cookie", HttpUtils.getProfileCookieString(profile, configSharingService, request.isSecure()));
         }
         return contextResponse;
     }
diff --git a/rest/src/main/java/org/apache/unomi/utils/HttpUtils.java b/rest/src/main/java/org/apache/unomi/utils/HttpUtils.java
index c3fab07..678f3f0 100644
--- a/rest/src/main/java/org/apache/unomi/utils/HttpUtils.java
+++ b/rest/src/main/java/org/apache/unomi/utils/HttpUtils.java
@@ -91,14 +91,17 @@ public class HttpUtils {
      * @param configSharingService shared config location.
      * @return the cookie string to set in the header.
      */
-    public static String getProfileCookieString(Profile profile, ConfigSharingService configSharingService) {
+    public static String getProfileCookieString(Profile profile, ConfigSharingService configSharingService, boolean isSecure) {
         final String profileIdCookieDomain = (String) configSharingService.getProperty("profileIdCookieDomain");
         final String profileIdCookieName = (String) configSharingService.getProperty("profileIdCookieName");
         final Integer profileIdCookieMaxAgeInSeconds = (Integer) configSharingService.getProperty("profileIdCookieMaxAgeInSeconds") ;
+        final Boolean profileIdCookieHttpOnly = (Boolean) configSharingService.getProperty("profileIdCookieHttpOnly");
         return profileIdCookieName + "=" + profile.getItemId() +
                 "; Path=/" +
                 "; Max-Age=" + profileIdCookieMaxAgeInSeconds +
                 (StringUtils.isNotBlank(profileIdCookieDomain) ? ("; Domain=" + profileIdCookieDomain) : "")  +
-                "; SameSite=Lax";
+                "; SameSite=Lax" +
+                (isSecure ? "; Secure" : "") +
+                (profileIdCookieHttpOnly ? "; HttpOnly" : "");
     }
 }
diff --git a/wab/src/main/java/org/apache/unomi/web/ContextServlet.java b/wab/src/main/java/org/apache/unomi/web/ContextServlet.java
index e83cf3f..bb28ac1 100644
--- a/wab/src/main/java/org/apache/unomi/web/ContextServlet.java
+++ b/wab/src/main/java/org/apache/unomi/web/ContextServlet.java
@@ -42,6 +42,7 @@ public class ContextServlet extends HttpServlet {
     private String profileIdCookieName = "context-profile-id";
     private String profileIdCookieDomain;
     private int profileIdCookieMaxAgeInSeconds = MAX_COOKIE_AGE_IN_SECONDS;
+    private boolean profileIdCookieHttpOnly = false;
     private int publicPostRequestBytesLimit = 200000;
 
     private ConfigSharingService configSharingService;
@@ -51,7 +52,8 @@ public class ContextServlet extends HttpServlet {
         super.init(config);
         configSharingService.setProperty("profileIdCookieName", profileIdCookieName);
         configSharingService.setProperty("profileIdCookieDomain", profileIdCookieDomain);
-        configSharingService.setProperty("profileIdCookieMaxAgeInSeconds", (Integer) profileIdCookieMaxAgeInSeconds);
+        configSharingService.setProperty("profileIdCookieMaxAgeInSeconds", profileIdCookieMaxAgeInSeconds);
+        configSharingService.setProperty("profileIdCookieHttpOnly", profileIdCookieHttpOnly);
         configSharingService.setProperty("publicPostRequestBytesLimit", publicPostRequestBytesLimit);
         logger.info("ContextServlet initialized.");
     }
@@ -78,6 +80,10 @@ public class ContextServlet extends HttpServlet {
         this.profileIdCookieMaxAgeInSeconds = profileIdCookieMaxAgeInSeconds;
     }
 
+    public void setProfileIdCookieHttpOnly(boolean profileIdCookieHttpOnly) {
+        this.profileIdCookieHttpOnly = profileIdCookieHttpOnly;
+    }
+
     public void setPublicPostRequestBytesLimit(int publicPostRequestBytesLimit) {
         this.publicPostRequestBytesLimit = publicPostRequestBytesLimit;
     }
diff --git a/wab/src/main/resources/OSGI-INF/blueprint/blueprint.xml b/wab/src/main/resources/OSGI-INF/blueprint/blueprint.xml
index d06d5e0..5437e3b 100644
--- a/wab/src/main/resources/OSGI-INF/blueprint/blueprint.xml
+++ b/wab/src/main/resources/OSGI-INF/blueprint/blueprint.xml
@@ -35,6 +35,7 @@
             <cm:property name="contextserver.domain" value=""/>
             <cm:property name="contextserver.profileIdCookieName" value="context-profile-id"/>
             <cm:property name="contextserver.profileIdCookieMaxAgeInSeconds" value="31536000"/> <!-- 1 year by default -->
+            <cm:property name="contextserver.profileIdCookieHttpOnly" value="false"/> <!-- 1 year by default -->
             <cm:property name="allowed.profile.download.formats" value="yaml"/>
             <cm:property name="public.post.request.bytes.limit" value="200000"/>
         </cm:default-properties>
@@ -46,6 +47,7 @@
         <property name="profileIdCookieDomain" value="${web.contextserver.domain}" />
         <property name="profileIdCookieName" value="${web.contextserver.profileIdCookieName}"/>
         <property name="profileIdCookieMaxAgeInSeconds" value="${web.contextserver.profileIdCookieMaxAgeInSeconds}"/>
+        <property name="profileIdCookieHttpOnly" value="${web.contextserver.profileIdCookieHttpOnly}"/>
         <property name="publicPostRequestBytesLimit" value="${web.public.post.request.bytes.limit}"/>
     </bean>
 
diff --git a/wab/src/main/resources/org.apache.unomi.web.cfg b/wab/src/main/resources/org.apache.unomi.web.cfg
index 5167916..eb48851 100644
--- a/wab/src/main/resources/org.apache.unomi.web.cfg
+++ b/wab/src/main/resources/org.apache.unomi.web.cfg
@@ -22,6 +22,8 @@ contextserver.domain=${org.apache.unomi.profile.cookie.domain:-}
 contextserver.profileIdCookieName=${org.apache.unomi.profile.cookie.name:-context-profile-id}
 # This setting controls the maximum age of the profile cookie. By default it is set to a year.
 contextserver.profileIdCookieMaxAgeInSeconds=${org.apache.unomi.profile.cookie.maxAgeInSeconds:-31536000}
+# This setting controls if the cookie should be flagged as HttpOnly or not.
+contextserver.profileIdCookieHttpOnly=${org.apache.unomi.profile.cookie.httpOnly:-false}
 #Allowed profile download formats, actually only csv (horizontal and vertical), json, text and yaml are allowed.
 allowed.profile.download.formats=${org.apache.unomi.profile.download.formats:-csv,yaml,json,text}
 # This setting allow for request size (Content-length) protection. Checking that the requests do not exceed the limit.