Posted to commits@ofbiz.apache.org by jl...@apache.org on 2015/12/14 16:28:54 UTC

svn commit: r1719939 - in /ofbiz/trunk: applications/marketing/src/org/ofbiz/marketing/tracking/ applications/order/src/org/ofbiz/order/shoppinglist/ applications/securityext/src/org/ofbiz/securityext/login/ framework/webapp/src/org/ofbiz/webapp/contro...

Author: jleroux
Date: Mon Dec 14 15:28:54 2015
New Revision: 1719939

URL: http://svn.apache.org/viewvc?rev=1719939&view=rev
Log:
Reapplies r1719762 because of OFBIZ-6655

This for 3 reasons:

1) Tomcat protects the cookies which it cares about (session and SSO cookies) but not all. Notably the OFBiz specific cookies, like visitorCookie. I guess also trackableCookie, billableCookie, siteIdCookie, updatedTimeStampCookie, guestShoppingListCookie, usernameCookieName and autoLoginCookie are not secured. The data in those cookies is less sensitive than jsessionId, but anyway it's safer to have them all secured.
2) I don't want to debug the ecommerce issue I reported in OFBIZ-6655. And if I don't use the sessionConifg_ecommerce.patch but rather reapply r1719762 then it's OK (if I also locally revert r1686574 done for OFBIz-6111, still waiting on this one...)
3) I see no reasons why someone would not want her cookies secured, as recommended by OWASP and others

Modified:
    ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java
    ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java
    ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java

Modified: ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1719939&r1=1719938&r2=1719939&view=diff
==============================================================================
--- ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java (original)
+++ ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java Mon Dec 14 15:28:54 2015
@@ -31,14 +31,14 @@ import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.UtilDateTime;
 import org.ofbiz.base.util.UtilMisc;
 import org.ofbiz.base.util.UtilValidate;
-import org.ofbiz.webapp.stats.VisitHandler;
-import org.ofbiz.webapp.website.WebSiteWorker;
 import org.ofbiz.entity.Delegator;
 import org.ofbiz.entity.GenericEntityException;
 import org.ofbiz.entity.GenericValue;
 import org.ofbiz.entity.util.EntityQuery;
 import org.ofbiz.entity.util.EntityUtilProperties;
 import org.ofbiz.product.category.CategoryWorker;
+import org.ofbiz.webapp.stats.VisitHandler;
+import org.ofbiz.webapp.website.WebSiteWorker;
 
 /**
  * Events used for maintaining TrackingCode related information
@@ -228,6 +228,8 @@ public class TrackingCodeEvents {
             if (trackableLifetime.longValue() > 0) trackableCookie.setMaxAge(trackableLifetime.intValue());
             trackableCookie.setPath("/");
             if (cookieDomain.length() > 0) trackableCookie.setDomain(cookieDomain);
+            trackableCookie.setSecure(true);
+            trackableCookie.setHttpOnly(true);
             response.addCookie(trackableCookie);
         }
 
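Review bot: `trackableCookie.setSecure(true)` at L54 is unconditional, so on a request served over plain HTTP the browser will never store or return this cookie (current browsers, per RFC 6265bis "Leave Secure Cookies Alone", also refuse a Secure Set-Cookie from a non-secure origin), which silently disables tracking on HTTP-only deployments. If that is the intended trade-off, record it with a comment such as `// Secure: tracking cookies are only ever set/sent over HTTPS; plain-HTTP visits are not tracked`; otherwise derive the flag from the request, e.g. `trackableCookie.setSecure(request.isSecure());` (assuming the event's `request` is in scope here), or make it configurable the way `cookieDomain` already is. The same applies to the billable, siteId and updatedTimeStamp cookies in the hunks below. The enclosing method starts and ends outside this hunk.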
@@ -238,6 +240,8 @@ public class TrackingCodeEvents {
             if (billableLifetime.longValue() > 0) billableCookie.setMaxAge(billableLifetime.intValue());
             billableCookie.setPath("/");
             if (cookieDomain.length() > 0) billableCookie.setDomain(cookieDomain);
+            billableCookie.setSecure(true);
+            billableCookie.setHttpOnly(true);
             response.addCookie(billableCookie);
         }
 
@@ -264,13 +268,17 @@ public class TrackingCodeEvents {
                 siteIdCookie.setMaxAge(siteIdCookieAge);
                 siteIdCookie.setPath("/");
                 if (cookieDomain.length() > 0) siteIdCookie.setDomain(cookieDomain);
-                    response.addCookie(siteIdCookie);
+                siteIdCookie.setSecure(true);
+                siteIdCookie.setHttpOnly(true);
+                response.addCookie(siteIdCookie);
                 // if trackingCode.siteId is  not null  write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
                 Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp" ,UtilDateTime.nowTimestamp().toString());
                 updatedTimeStampCookie.setMaxAge(siteIdCookieAge);
                 updatedTimeStampCookie.setPath("/");
                 if (cookieDomain.length() > 0) updatedTimeStampCookie.setDomain(cookieDomain);
-                    response.addCookie(updatedTimeStampCookie);
+                updatedTimeStampCookie.setSecure(true);
+                updatedTimeStampCookie.setHttpOnly(true);
+                response.addCookie(updatedTimeStampCookie);
             }
         }
 

Modified: ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java?rev=1719939&r1=1719938&r2=1719939&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java (original)
+++ ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java Mon Dec 14 15:28:54 2015
@@ -669,6 +669,8 @@ public class ShoppingListEvents {
                 Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, autoSaveListId);
                 guestShoppingListCookie.setMaxAge(cookieAge);
                 guestShoppingListCookie.setPath("/");
+                guestShoppingListCookie.setSecure(true);
+                guestShoppingListCookie.setHttpOnly(true);
                 response.addCookie(guestShoppingListCookie);
             } 
         }
@@ -692,6 +694,8 @@ public class ShoppingListEvents {
         Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, null);
         guestShoppingListCookie.setMaxAge(0);
         guestShoppingListCookie.setPath("/");
+        guestShoppingListCookie.setSecure(true);
+        guestShoppingListCookie.setHttpOnly(true);
         response.addCookie(guestShoppingListCookie);
         return "success";
     }
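Review bot: The clearing cookie at L104-L109 now carries the Secure attribute, and current browsers reject a Secure Set-Cookie sent from a non-secure origin (RFC 6265bis "Leave Secure Cookies Alone"), so if this action is reachable over plain HTTP the Max-Age=0 cookie is discarded and the guest shopping-list cookie is not removed. That is harmless when the site forces HTTPS, but the coupling is not obvious from the code; a comment such as `// Attributes must match the cookie being expired; over plain HTTP a Secure cookie cannot be cleared` would record the constraint. The method's signature is outside this hunk.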

Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1719939&r1=1719938&r2=1719939&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Mon Dec 14 15:28:54 2015
@@ -430,6 +430,8 @@ public class LoginEvents {
                 cookie.setMaxAge(60 * 60 * 24 * 365);
                 cookie.setPath("/");
                 cookie.setDomain(domain);
+                cookie.setSecure(true);
+                cookie.setHttpOnly(true);
                 response.addCookie(cookie);
             }
         }

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=1719939&r1=1719938&r2=1719939&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Mon Dec 14 15:28:54 2015
@@ -763,6 +763,8 @@ public class LoginWorker {
             autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
             autoLoginCookie.setDomain(domain);
             autoLoginCookie.setPath("/");
+            autoLoginCookie.setSecure(true);
+            autoLoginCookie.setHttpOnly(true);
             response.addCookie(autoLoginCookie);
             return autoLoginCheck(delegator, session, userLogin.getString("userLoginId"));
         } else {
@@ -833,6 +835,8 @@ public class LoginWorker {
             Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId"));
             autoLoginCookie.setMaxAge(0);
             autoLoginCookie.setPath("/");
+            autoLoginCookie.setSecure(true);
+            autoLoginCookie.setHttpOnly(true);
             response.addCookie(autoLoginCookie);
         }
         // remove the session attributes
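Review bot: The logout path expires the autoLogin cookie without a domain (L143-L145), while the creation path at L135 calls `autoLoginCookie.setDomain(domain)`; browsers only replace a cookie whose name, domain and path all match, so whenever that domain is non-empty the Max-Age=0 cookie is a different, host-only cookie and the original one-year auto-login credential survives logout in the browser. The clearing cookie should be scoped exactly like the one it expires, e.g. `autoLoginCookie.setDomain(domain);` obtained the same way the creation path obtains it (not visible in this hunk, so confirm it is available here). The added Secure/HttpOnly lines do not affect cookie matching and are fine as-is. The enclosing method starts and ends outside this hunk.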

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719939&r1=1719938&r2=1719939&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Dec 14 15:28:54 2015
@@ -1000,14 +1000,25 @@ public class RequestHandler {
                 resp.addHeader("strict-transport-security", strictTransportSecurity);
             }
         } else {
-            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") as last argument
+            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) {
                 resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains");
             }
         }
         
         //The only x-vontent-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. 
         // This also applies to Google Chrome, when downloading extensions.
-        resp.addHeader("x-content-type-options", "nosniff"); 
+        resp.addHeader("x-content-type-options", "nosniff");
+        
+        String setCookie = resp.getHeader("set-cookie");
+        if (UtilValidate.isNotEmpty(setCookie)) {
+            setCookie = setCookie.toLowerCase();
+            if (!setCookie.contains("secure")) {
+            resp.setHeader("set-cookie", setCookie + "; secure;"); // Adds a ";" trail to be sure to separate things
+            }
+            if (!setCookie.contains("httponly")) {
+                resp.setHeader("set-cookie", setCookie + "; httponly;"); // Adds a ";" trail to be sure to separate things
+            }
+        }
 
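Review bot: The Set-Cookie post-processing at L172-L181 both drops and corrupts cookies: `resp.getHeader` returns only the first Set-Cookie header and `resp.setHeader` replaces all of them, so a response that sets several cookies keeps just one; the lowercased copy is what gets written back, rewriting case-sensitive cookie values such as a session id; and when both attributes are missing, the second `setHeader` at L179 is built from the un-appended `setCookie` and overwrites the first, so `secure` is lost. The bare `contains("secure")` check also matches a cookie name or value that merely contains that word. Iterate a copy of `resp.getHeaders("set-cookie")` (Servlet 3.0+; copy first because the loop replaces the headers it walks), test for the attributes as `; secure` / `; httponly` on a lowercased view only, and write the original-case header back with `setHeader` for the first and `addHeader` for the rest, as below; this needs `java.util.ArrayList`, `java.util.List` and `java.util.Locale` in the file's imports. This hook is also the natural place to append `SameSite`, which the Servlet `Cookie` API cannot express; the enclosing method starts and ends outside this hunk.
```java
        // … unchanged: strict-transport-security and x-content-type-options headers …

        // Harden every Set-Cookie header the response carries (not just the first) without
        // altering the case of the cookie value; Tomcat emits attributes as "; Secure" / "; HttpOnly".
        List<String> setCookies = new ArrayList<String>(resp.getHeaders("set-cookie"));
        if (!setCookies.isEmpty()) {
            boolean first = true;
            for (String header : setCookies) {
                String lower = header.toLowerCase(Locale.ROOT); // for attribute detection only
                StringBuilder hardened = new StringBuilder(header);
                if (!lower.contains("; secure")) hardened.append("; Secure");
                if (!lower.contains("; httponly")) hardened.append("; HttpOnly");
                if (first) {
                    resp.setHeader("set-cookie", hardened.toString()); // replaces all existing values
                    first = false;
                } else {
                    resp.addHeader("set-cookie", hardened.toString());
                }
            }
        }
```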
         try {
             if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java?rev=1719939&r1=1719938&r2=1719939&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java Mon Dec 14 15:28:54 2015
@@ -271,6 +271,8 @@ public class VisitHandler {
                             Cookie visitorCookie = new Cookie(visitorCookieName, visitor.getString("visitorId"));
                             visitorCookie.setMaxAge(60 * 60 * 24 * 365);
                             visitorCookie.setPath("/");
+                            visitorCookie.setSecure(true);
+                            visitorCookie.setHttpOnly(true);
                             response.addCookie(visitorCookie);
                         }
                     }