Posted to commits@shiro.apache.org by bd...@apache.org on 2020/11/04 15:48:13 UTC
[shiro] 03/03: Disable jsessionid URL rewriting by default
This is an automated email from the ASF dual-hosted git repository.
bdemers pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shiro.git
commit 5b1add9a4c4ed046b52cf2132ed0f264a22caf1d
Author: Brian Demers <bd...@apache.org>
AuthorDate: Tue Sep 29 17:59:29 2020 -0400
Disable jsessionid URL rewriting by default
This matches the default of the InvalidRequestFilter
Fixes: SHIRO-795
---
.../shiro/spring/web/config/AbstractShiroWebConfiguration.java | 2 +-
.../org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java | 2 +-
.../apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy | 5 ++++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java b/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
index 5ed98d8..fab145f 100644
--- a/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
+++ b/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
@@ -43,7 +43,7 @@ public class AbstractShiroWebConfiguration extends AbstractShiroConfiguration {
@Value("#{ @environment['shiro.sessionManager.sessionIdCookieEnabled'] ?: true }")
protected boolean sessionIdCookieEnabled;
- @Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: true }")
+ @Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: false }")
protected boolean sessionIdUrlRewritingEnabled;
@Value("#{ @environment['shiro.userNativeSessionManager'] ?: false }")
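Review bot: The flipped default on the `sessionIdUrlRewritingEnabled` `@Value` line carries no comment, so a later reader cannot tell it is deliberate hardening rather than a stray edit; I would add `// false by default: a session ID carried in the URL leaks through logs, Referer headers and shared links; matches the InvalidRequestFilter default (SHIRO-795)` above the field. Because this silently changes behaviour for deployments that serve cookieless clients, the property should also be called out in the configuration docs and release notes together with the explicit opt-in `shiro.sessionManager.sessionIdUrlRewritingEnabled=true`. Anyone opting back in presumably also has to relax the InvalidRequestFilter's handling of semicolons so `;JSESSIONID=` paths get through, which is worth stating next to the property so the two settings are not flipped independently. The enclosing class continues outside the hunk.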
diff --git a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
index eb7eda1..9aa275a 100644
--- a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
+++ b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
@@ -58,7 +58,7 @@ public class DefaultWebSessionManager extends DefaultSessionManager implements W
cookie.setHttpOnly(true); //more secure, protects against XSS attacks
this.sessionIdCookie = cookie;
this.sessionIdCookieEnabled = true;
- this.sessionIdUrlRewritingEnabled = true;
+ this.sessionIdUrlRewritingEnabled = false;
}
public Cookie getSessionIdCookie() {
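Review bot: The `this.sessionIdUrlRewritingEnabled = false;` line deserves the same kind of why-comment the `setHttpOnly(true)` line already has, since this default flip is the whole fix; for example `// off by default: session IDs in URLs are exposed via logs, Referer headers and shared links and make session fixation trivial; matches InvalidRequestFilter (SHIRO-795)`. While here, the existing `//more secure, protects against XSS attacks` comment overstates what HttpOnly does — it only stops script from reading the cookie, it does not prevent XSS — so `// HttpOnly keeps script from reading the session cookie` would be more accurate. The constructor this sits in starts outside the hunk, so I cannot see whether the cookie's `secure` flag is set there; if it is not, that is the other default worth revisiting alongside this one.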
diff --git a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
index 841569f..35b3120 100644
--- a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
+++ b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
@@ -127,7 +127,7 @@ public class DefaultWebSessionManagerTest {
ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
- request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.TRUE);
+ request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.FALSE);
replay(cookie);
replay(request);
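Review bot: None of the touched tests asserts the new default itself — this hunk sets the URL-rewriting request attribute to `Boolean.FALSE` and the later hunks opt in with `mgr.setSessionIdUrlRewritingEnabled(true)`, but nothing pins that a freshly constructed manager reports `false`; a one-liner `assertFalse(new DefaultWebSessionManager().isSessionIdUrlRewritingEnabled())` would stop the default from silently regressing. A negative test that, with the default left in place, a `;JSESSIONID=` path parameter is ignored rather than resolved to a session would also be worth adding, since that acceptance path is presumably what SHIRO-795 is closing. The test method this hunk edits begins outside the hunk.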
@@ -147,6 +147,7 @@ public class DefaultWebSessionManagerTest {
Cookie cookie = createMock(Cookie.class);
mgr.setSessionIdCookie(cookie);
mgr.setSessionIdCookieEnabled(false);
+ mgr.setSessionIdUrlRewritingEnabled(true)
//we should not have any reads from the cookie fields - if we do, this test case will fail.
@@ -182,6 +183,7 @@ public class DefaultWebSessionManagerTest {
Cookie cookie = createMock(Cookie.class);
mgr.setSessionIdCookie(cookie);
mgr.setSessionIdCookieEnabled(false);
+ mgr.setSessionIdUrlRewritingEnabled(true)
//we should not have any reads from the cookie fields - if we do, this test case will fail.
@@ -218,6 +220,7 @@ public class DefaultWebSessionManagerTest {
public void testGetSessionIdFromRequestUriPathSegmentParam() {
mgr.setSessionIdCookieEnabled(false);
+ mgr.setSessionIdUrlRewritingEnabled(true)
HttpServletRequest request = createMock(HttpServletRequest.class);
HttpServletResponse response = createMock(HttpServletResponse.class);