This is an automated email from the ASF dual-hosted git repository.
jcabrerizo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push:
new 50432e3 Csrf-Token mark as secure when https is used
new b4d4a26 Merge pull request #1198 from
jcabrerizo/feature/csrf-cookie-secure
50432e3 is described below
commit 50432e3c054f0cd99f076ff85532b879aed95070
Author: Juan Cabrerizo <[email protected]>
AuthorDate: Mon Jul 12 15:53:12 2021 +0100
Csrf-Token mark as secure when https is used
---
.../java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git
a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java
b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java
index 93344f9..ca57d3e 100644
---
a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java
+++
b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java
@@ -239,8 +239,8 @@ public class CsrfTokenFilter implements
ContainerRequestFilter, ContainerRespons
}
session.setAttribute(CSRF_TOKEN_VALUE_ATTR, token);
- addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE, token, "Clients
should send this value in header "+CSRF_TOKEN_VALUE_HEADER+" for validation");
- addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE_ANGULAR_NAME,
token, "Compatibility cookie for "+CSRF_TOKEN_VALUE_COOKIE+" following
AngularJS conventions");
+ addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE, token, "Clients
should send this value in header "+CSRF_TOKEN_VALUE_HEADER+" for validation",
requestContext.getSecurityContext().isSecure());
+ addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE_ANGULAR_NAME,
token, "Compatibility cookie for "+CSRF_TOKEN_VALUE_COOKIE+" following
AngularJS conventions", requestContext.getSecurityContext().isSecure());
CsrfTokenRequiredForRequests requiredWhen;
if (Strings.isNonBlank(requiredWhenS)) {
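Review bot: `requestContext.getSecurityContext().isSecure()` on the two added addCookie calls reports only whether the container itself received the request over TLS, so when TLS is terminated at a reverse proxy in front of the server the CSRF cookies will be issued without the Secure flag unless the container is configured to trust the forwarded-protocol header; that deployment caveat is not visible from these lines. The expression is also evaluated twice, and hoisting it into a local is the natural place to record the caveat: `boolean secure = requestContext.getSecurityContext().isSecure(); // container-level transport only; behind a TLS-terminating proxy this is true only if the container honours the forwarded protocol header` followed by passing `secure` to both addCookie calls. The enclosing method begins before the hunk.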
@@ -273,9 +273,10 @@ public class CsrfTokenFilter implements
ContainerRequestFilter, ContainerRespons
}
- protected NewCookie addCookie(ContainerResponseContext responseContext,
String cookieName, String token, String comment) {
- NewCookie cookie = new NewCookie(cookieName, token, "/", null,
comment, -1, false);
+ protected NewCookie addCookie(ContainerResponseContext responseContext,
String cookieName, String token, String comment, boolean markSecure) {
+ NewCookie cookie = new NewCookie(cookieName, token, "/", null,
comment, -1, markSecure);
responseContext.getHeaders().add("Set-Cookie", cookie);
+
return cookie;
}