You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@felix.apache.org by da...@apache.org on 2015/11/19 15:01:53 UTC
svn commit: r1715183 - in
/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal:
ConfigMetaTypeProvider.java JettyConfig.java JettyService.java
Author: davidb
Date: Thu Nov 19 14:01:52 2015
New Revision: 1715183
URL: http://svn.apache.org/viewvc?rev=1715183&view=rev
Log:
FELIX-5099 JSESSIONID Cookie in HTTPS Session Without 'Secure' and ‘HttpOnly’ Attributes
Applying patch on behalf of Antonio Sanso with many thanks!
Modified:
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
Modified: felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
URL: http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
--- felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java (original)
+++ felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java Thu Nov 19 14:01:52 2015
@@ -254,6 +254,18 @@ class ConfigMetaTypeProvider implements
"Whether TLS renegotiation is allowed (true by default)",
false,
bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_RENEGOTIATION_ALLOWED)));
+
+ adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY,
+ "Session Cookie httpOnly",
+ "Session Cookie httpOnly (true by default)",
+ true,
+ bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY)));
+
+ adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE,
+ "Session Cookie secure",
+ "Session Cookie secure (false by default)",
+ false,
+ bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE)));
return new ObjectClassDefinition()
{
Modified: felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
URL: http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
--- felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java (original)
+++ felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java Thu Nov 19 14:01:52 2015
@@ -132,6 +132,12 @@ public final class JettyConfig
/** Felix specific property to control whether to enable Proxy/Load Balancer Connection */
public static final String FELIX_PROXY_LOAD_BALANCER_CONNECTION_ENABLE = "org.apache.felix.proxy.load.balancer.connection.enable";
+
+ /** Felix specific property to configure the session cookie httpOnly flag */
+ public static final String FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY = "org.apache.felix.https.jetty.session.cookie.httpOnly";
+
+ /** Felix specific property to configure the session cookie secure flag */
+ public static final String FELIX_JETTY_SESSION_COOKIE_SECURE = "org.apache.felix.https.jetty.session.cookie.secure";
private static String validateContextPath(String ctxPath)
{
Modified: felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
URL: http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
--- felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java (original)
+++ felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java Thu Nov 19 14:01:52 2015
@@ -468,6 +468,8 @@ public final class JettyService extends
cookieConfig.setDomain(this.config.getProperty(SessionManager.__SessionDomainProperty, SessionManager.__DefaultSessionDomain));
cookieConfig.setPath(this.config.getProperty(SessionManager.__SessionPathProperty, context.getContextPath()));
cookieConfig.setMaxAge(this.config.getIntProperty(SessionManager.__MaxAgeProperty, -1));
+ cookieConfig.setHttpOnly(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY, true));
+ cookieConfig.setSecure(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE, false));
}
private boolean startConnector(Connector connector)