Posted to commits@hc.apache.org by ol...@apache.org on 2021/05/11 19:39:17 UTC
[httpcomponents-client] 04/05: HTTPCLIENT-2139 - Cookie Header
HttpOnly attribute
This is an automated email from the ASF dual-hosted git repository.
olegk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/httpcomponents-client.git
commit 9b01bf6336034aad48b33f8f5a70445622a34958
Author: Arturo Bernal <ar...@gmail.com>
AuthorDate: Sun Mar 14 17:44:29 2021 +0100
HTTPCLIENT-2139 - Cookie Header HttpOnly attribute
---
.../org/apache/hc/client5/http/cookie/Cookie.java | 14 ++++++++
.../apache/hc/client5/http/cookie/SetCookie.java | 11 +++++++
.../http/impl/cookie/BasicClientCookie.java | 26 +++++++++++++++
...C6265LaxSpec.java => BasicHttpOnlyHandler.java} | 38 ++++++++++------------
.../http/impl/cookie/RFC6265CookieSpecFactory.java | 2 ++
.../client5/http/impl/cookie/RFC6265LaxSpec.java | 1 +
.../http/impl/cookie/RFC6265StrictSpec.java | 1 +
.../impl/cookie/TestBasicCookieAttribHandlers.java | 9 +++++
8 files changed, 82 insertions(+), 20 deletions(-)
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/Cookie.java b/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/Cookie.java
index 4a8ac10..e2ee347 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/Cookie.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/Cookie.java
@@ -44,6 +44,7 @@ public interface Cookie {
String MAX_AGE_ATTR = "max-age";
String SECURE_ATTR = "secure";
String EXPIRES_ATTR = "expires";
+ String HTTP_ONLY_ATTR = "httpOnly";
/**
* @since 5.0
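Review bot: `HTTP_ONLY_ATTR` is the only attribute-name constant in this hunk written in mixed case (`"httpOnly"`); its neighbours (`"max-age"`, `"secure"`, `"expires"`) are all lower case. If the cookie spec files parsed attributes under a lower-cased name (not visible here, so worth confirming), then `containsAttribute(Cookie.HTTP_ONLY_ATTR)` or `getAttribute(Cookie.HTTP_ONLY_ATTR)` would miss an entry stored as `httponly`. Either declare it as `String HTTP_ONLY_ATTR = "httponly";` or add a comment stating that lookups by this constant are case-insensitive. The interface body continues outside the hunk.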
@@ -126,5 +127,18 @@ public interface Cookie {
*/
Date getCreationDate();
+ /**
+ * Checks whether this Cookie has been marked as {@code httpOnly}.
+ * <p>The default implementation returns {@code false}.
+ *
+ * @return true if this Cookie has been marked as {@code httpOnly},
+ * false otherwise
+ *
+ * @since 5.2
+ */
+ default boolean isHttpOnly(){
+ return false;
+ }
+
}
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/SetCookie.java b/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/SetCookie.java
index 620006a..546476a 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/SetCookie.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/cookie/SetCookie.java
@@ -85,5 +85,16 @@ public interface SetCookie extends Cookie {
*/
void setSecure (boolean secure);
+ /**
+ * Marks or unmarks this Cookie as {@code httpOnly}.
+ *
+ * @param httpOnly true if this cookie is to be marked as
+ * {@code httpOnly}, false otherwise
+ *
+ * @since 5.2
+ */
+ default void setHttpOnly (final boolean httpOnly){
+ }
+
}
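Review bot: The added default `setHttpOnly` is a silent no-op and its Javadoc does not say so, unlike `Cookie.isHttpOnly()` in this same commit, which documents its default. A `SetCookie` implementation written before 5.2 will drop the flag when `BasicHttpOnlyHandler.parse` calls `cookie.setHttpOnly(true)` and will then report `isHttpOnly() == false`. A caller that uses the flag to decide whether a cookie may be exposed outside the HTTP layer therefore fails open. I would add to the Javadoc: `<p>The default implementation does nothing; implementations that track the attribute must override this method together with {@link Cookie#isHttpOnly()}.`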
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicClientCookie.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicClientCookie.java
index 62fb233..e2cf88f 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicClientCookie.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicClientCookie.java
@@ -216,6 +216,19 @@ public final class BasicClientCookie implements SetCookie, Cloneable, Serializab
}
/**
+ * Sets the http-only attribute of the cookie.
+ *
+ * @param httpOnly true if this cookie is to be marked as
+ * {@code httpOnly}, false otherwise
+ *
+ * @since 5.2
+ */
+ @Override
+ public void setHttpOnly(final boolean httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
+ /**
* Returns true if this cookie has expired.
* @param date Current time
*
@@ -237,6 +250,16 @@ public final class BasicClientCookie implements SetCookie, Cloneable, Serializab
}
/**
+ * @return true if this Cookie has been marked as {@code httpOnly}, false otherwise
+ * @see #setHttpOnly(boolean)
+ * @since 5.2
+ */
+ @Override
+ public boolean isHttpOnly() {
+ return httpOnly;
+ }
+
+ /**
* @since 4.4
*/
public void setCreationDate(final Date creationDate) {
@@ -317,5 +340,8 @@ public final class BasicClientCookie implements SetCookie, Cloneable, Serializab
private Date creationDate;
+ /** The {@code httpOnly} flag. */
+ private boolean httpOnly;
+
}
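Review bot: The new `httpOnly` field is added to a class that the (truncated) hunk header shows as serializable, and its comment does not say what value restored cookies get. Assuming the class declares an explicit `serialVersionUID` (not visible here), cookies persisted by an earlier version will deserialize with `httpOnly == false` whatever the server originally sent. That is probably acceptable, but the field comment should say it, e.g. `/** The {@code httpOnly} flag; {@code false} for cookies restored from a store written before 5.2. */`.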
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicHttpOnlyHandler.java
similarity index 63%
copy from httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java
copy to httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicHttpOnlyHandler.java
index 56fed12..a52f733 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/BasicHttpOnlyHandler.java
@@ -24,39 +24,37 @@
* <http://www.apache.org/>.
*
*/
-
package org.apache.hc.client5.http.impl.cookie;
import org.apache.hc.client5.http.cookie.CommonCookieAttributeHandler;
+import org.apache.hc.client5.http.cookie.Cookie;
+import org.apache.hc.client5.http.cookie.MalformedCookieException;
+import org.apache.hc.client5.http.cookie.SetCookie;
import org.apache.hc.core5.annotation.Contract;
import org.apache.hc.core5.annotation.ThreadingBehavior;
+import org.apache.hc.core5.util.Args;
/**
- * Standard {@link org.apache.hc.client5.http.cookie.CookieSpec} implementation that enforces
- * a more relaxed interpretation of the HTTP state management specification (RFC 6265, section 5)
- * for interoperability with existing servers that do not conform to the well behaved profile
- * (RFC 6265, section 4).
+ * Cookie {@code HttpOnly} attribute handler.
*
- * @since 4.4
+ * @since 5.2
*/
-@Contract(threading = ThreadingBehavior.SAFE)
-public class RFC6265LaxSpec extends RFC6265CookieSpecBase {
+@Contract(threading = ThreadingBehavior.STATELESS)
+public class BasicHttpOnlyHandler extends AbstractCookieAttributeHandler implements CommonCookieAttributeHandler {
- public RFC6265LaxSpec() {
- super(new BasicPathHandler(),
- new BasicDomainHandler(),
- new LaxMaxAgeHandler(),
- new BasicSecureHandler(),
- new LaxExpiresHandler());
+ public BasicHttpOnlyHandler() {
+ super();
}
- RFC6265LaxSpec(final CommonCookieAttributeHandler... handlers) {
- super(handlers);
+ @Override
+ public void parse(final SetCookie cookie, final String value)
+ throws MalformedCookieException {
+ Args.notNull(cookie, "Cookie");
+ cookie.setHttpOnly(true);
}
-
@Override
- public String toString() {
- return "rfc6265-lax";
+ public String getAttributeName() {
+ return Cookie.HTTP_ONLY_ATTR;
}
-}
+}
\ No newline at end of file
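Review bot: `parse` ignores `value` entirely, so a header carrying `HttpOnly=false` still marks the cookie as HttpOnly. That matches RFC 6265 section 5.2.6, where only the attribute's presence matters, but nothing in the class says it is deliberate. I would add a method Javadoc such as `/** Marks the cookie as {@code httpOnly}; the attribute value is ignored because only its presence is significant (RFC 6265, section 5.2.6). */`. The new file also ends without a trailing newline.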
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265CookieSpecFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265CookieSpecFactory.java
index 1399409..e213aaa 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265CookieSpecFactory.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265CookieSpecFactory.java
@@ -87,6 +87,7 @@ public class RFC6265CookieSpecFactory implements CookieSpecFactory {
new BasicDomainHandler(), this.publicSuffixMatcher),
new BasicMaxAgeHandler(),
new BasicSecureHandler(),
+ new BasicHttpOnlyHandler(),
new BasicExpiresHandler(RFC6265StrictSpec.DATE_PATTERNS));
break;
case IE_MEDIUM_SECURITY:
@@ -103,6 +104,7 @@ public class RFC6265CookieSpecFactory implements CookieSpecFactory {
new BasicDomainHandler(), this.publicSuffixMatcher),
new BasicMaxAgeHandler(),
new BasicSecureHandler(),
+ new BasicHttpOnlyHandler(),
new BasicExpiresHandler(RFC6265StrictSpec.DATE_PATTERNS));
break;
default:
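Review bot: The `default:` branch that follows this hunk is left unchanged; the diffstat gives two added lines for this file and both sit in the branches above. If that branch builds its spec from an explicit handler list as these two do (its body is outside the hunk), cookies parsed through it will never report `isHttpOnly() == true`. The no-arg `RFC6265LaxSpec` constructor updated in this commit would not help, because an explicit list bypasses it. Add `new BasicHttpOnlyHandler(),` after `new BasicSecureHandler(),` there as well so every compatibility level registers the handler.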
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java
index 56fed12..0684f14 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265LaxSpec.java
@@ -47,6 +47,7 @@ public class RFC6265LaxSpec extends RFC6265CookieSpecBase {
new BasicDomainHandler(),
new LaxMaxAgeHandler(),
new BasicSecureHandler(),
+ new BasicHttpOnlyHandler(),
new LaxExpiresHandler());
}
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265StrictSpec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265StrictSpec.java
index 22ec3e0..262fb95 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265StrictSpec.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/cookie/RFC6265StrictSpec.java
@@ -53,6 +53,7 @@ public class RFC6265StrictSpec extends RFC6265CookieSpecBase {
new BasicDomainHandler(),
new BasicMaxAgeHandler(),
new BasicSecureHandler(),
+ new BasicHttpOnlyHandler(),
new BasicExpiresHandler(DATE_PATTERNS));
}
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/cookie/TestBasicCookieAttribHandlers.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/cookie/TestBasicCookieAttribHandlers.java
index b10fbe9..e78e1c4 100644
--- a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/cookie/TestBasicCookieAttribHandlers.java
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/cookie/TestBasicCookieAttribHandlers.java
@@ -501,5 +501,14 @@ public class TestBasicCookieAttribHandlers {
cookie.setAttribute(Cookie.DOMAIN_ATTR, "localhost");
Assert.assertTrue(h.match(cookie, new CookieOrigin("localhost", 80, "/stuff", false)));
}
+ @Test
+ public void testBasicHttpOnlyParse() throws Exception {
+ final BasicClientCookie cookie = new BasicClientCookie("name", "value");
+ final CookieAttributeHandler h = new BasicHttpOnlyHandler();
+ h.parse(cookie, "true");
+ Assert.assertTrue(cookie.isHttpOnly());
+ h.parse(cookie, "anyone");
+ Assert.assertTrue(cookie.isHttpOnly());
+ }
}
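Review bot: `testBasicHttpOnlyParse` asserts only the positive case and calls the handler directly rather than through a cookie spec. Add `Assert.assertFalse(cookie.isHttpOnly());` before the first `parse` call so the unset default is pinned. A further test that parses a `Set-Cookie` header carrying `HttpOnly` through each spec produced by `RFC6265CookieSpecFactory` would also cover handler registration and the attribute-name lookup, neither of which this test exercises.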