Posted to commits@felix.apache.org by da...@apache.org on 2015/11/19 15:01:53 UTC

svn commit: r1715183 - in /felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal: ConfigMetaTypeProvider.java JettyConfig.java JettyService.java

Author: davidb
Date: Thu Nov 19 14:01:52 2015
New Revision: 1715183

URL: http://svn.apache.org/viewvc?rev=1715183&view=rev
Log:
FELIX-5099 JSESSIONID Cookie in HTTPS Session Without 'Secure' and 'HttpOnly' Attributes

Applying patch on behalf of Antonio Sanso with many thanks!

Modified:
    felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
    felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
    felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java

Modified: felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
URL: http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
--- felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java (original)
+++ felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java Thu Nov 19 14:01:52 2015
@@ -254,6 +254,18 @@ class ConfigMetaTypeProvider implements
                 "Whether TLS renegotiation is allowed (true by default)",
                 false,
                 bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_RENEGOTIATION_ALLOWED)));
+        
+        adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY,
+                "Session Cookie httpOnly",
+                "Session Cookie httpOnly (true by default)",
+                true,
+                bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY)));
+        
+        adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE,
+                "Session Cookie secure",
+                "Session Cookie secure (false by default)",
+                false,
+                bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE)));
 
         return new ObjectClassDefinition()
         {
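Review bot: The metatype name and description for the two new attributes are the same phrase, so an administrator reading the configuration UI learns nothing about what the flags protect against or when to change them. I would make the descriptions say what each attribute does and what the default implies, e.g. `"Whether the session cookie is marked HttpOnly so it is not exposed to client-side script (true by default)"` and `"Whether the session cookie is marked Secure so the browser only sends it over HTTPS; false by default, so deployments serving sessions over HTTPS should enable it"`. The two added blank lines at the top of the hunk carry trailing whitespace and would be flagged by the project's formatter.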

Modified: felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
URL: http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
--- felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java (original)
+++ felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java Thu Nov 19 14:01:52 2015
@@ -132,6 +132,12 @@ public final class JettyConfig
 
     /** Felix specific property to control whether to enable Proxy/Load Balancer Connection */
     public static final String FELIX_PROXY_LOAD_BALANCER_CONNECTION_ENABLE = "org.apache.felix.proxy.load.balancer.connection.enable";
+    
+    /** Felix specific property to configure the session cookie httpOnly flag */
+    public static final String FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY = "org.apache.felix.https.jetty.session.cookie.httpOnly";
+    
+    /** Felix specific property to configure the session cookie secure flag */
+    public static final String FELIX_JETTY_SESSION_COOKIE_SECURE = "org.apache.felix.https.jetty.session.cookie.secure";
 
     private static String validateContextPath(String ctxPath)
     {
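Review bot: The Javadoc on the two new constants names the flag but not its default or its consequence, which is the information a reader of JettyConfig needs before changing it; the defaults are only visible in JettyService. I would extend them to `/** Felix specific property to configure the session cookie httpOnly flag (defaults to true) */` and `/** Felix specific property to configure the session cookie secure flag (defaults to false; enable when sessions are served over HTTPS) */`. The key prefix `org.apache.felix.https.jetty.` reads as if httpOnly were HTTPS-specific although it applies to any connector; if that prefix is intentional for consistency with neighbouring keys, the Javadoc could say so.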

Modified: felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
URL: http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
--- felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java (original)
+++ felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java Thu Nov 19 14:01:52 2015
@@ -468,6 +468,8 @@ public final class JettyService extends
         cookieConfig.setDomain(this.config.getProperty(SessionManager.__SessionDomainProperty, SessionManager.__DefaultSessionDomain));
         cookieConfig.setPath(this.config.getProperty(SessionManager.__SessionPathProperty, context.getContextPath()));
         cookieConfig.setMaxAge(this.config.getIntProperty(SessionManager.__MaxAgeProperty, -1));
+        cookieConfig.setHttpOnly(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY, true));
+        cookieConfig.setSecure(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE, false));
     }
 
     private boolean startConnector(Connector connector)
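Review bot: `cookieConfig.setSecure(..., false)` on the second added line means that, out of the box, the session cookie is still issued without the Secure attribute on an HTTPS-only service, so the FELIX-5099 finding remains the default behaviour until an operator discovers the new property. A why-comment above the line would make the trade-off explicit, e.g. `// Secure defaults to false because this cookie config also serves plain-HTTP connectors; HTTPS-only deployments should set FELIX_JETTY_SESSION_COOKIE_SECURE=true`. If JettyConfig exposes which connectors are enabled, a safer default would be to fall back to "HTTPS enabled and HTTP disabled" when the property is unset, rather than a fixed `false`; I have not verified that such accessors exist here. The enclosing method starts before this hunk.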