Author: davidb
Date: Thu Nov 19 14:01:52 2015
New Revision: 1715183
URL: http://svn.apache.org/viewvc?rev=1715183&view=rev
Log:
FELIX-5099 JSESSIONID Cookie in HTTPS Session Without 'Secure' and 'HttpOnly' Attributes
Applying patch on behalf of Antonio Sanso with many thanks!
Modified:
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
Modified:
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
URL:
http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
---
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
(original)
+++
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java
Thu Nov 19 14:01:52 2015
@@ -254,6 +254,18 @@ class ConfigMetaTypeProvider implements
"Whether TLS renegotiation is allowed (true by default)",
false,
bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_RENEGOTIATION_ALLOWED)));
+
+ adList.add(new
AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY,
+ "Session Cookie httpOnly",
+ "Session Cookie httpOnly (true by default)",
+ true,
+
bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY)));
+
+ adList.add(new
AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE,
+ "Session Cookie secure",
+ "Session Cookie secure (false by default)",
+ false,
+
bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE)));
return new ObjectClassDefinition()
{
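Review bot: The metatype description for the new "Session Cookie secure" attribute only restates the default; it does not tell the administrator that a cookie carrying the Secure attribute is never returned by browsers over plain HTTP, so enabling it while an HTTP connector is in use silently breaks sessions. The same applies, less critically, to the httpOnly description, which says nothing about script access to the cookie. I would change the two description strings to `"Session Cookie httpOnly (true by default); when true the session cookie is not readable by client-side script"` and `"Session Cookie secure (false by default); when true the session cookie is only sent by browsers over HTTPS"`. The surrounding method starts before this hunk and continues past it.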
Modified:
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
URL:
http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
---
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
(original)
+++
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java
Thu Nov 19 14:01:52 2015
@@ -132,6 +132,12 @@ public final class JettyConfig
/** Felix specific property to control whether to enable Proxy/Load
Balancer Connection */
public static final String FELIX_PROXY_LOAD_BALANCER_CONNECTION_ENABLE =
"org.apache.felix.proxy.load.balancer.connection.enable";
+
+ /** Felix specific property to configure the session cookie httpOnly flag
*/
+ public static final String FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY =
"org.apache.felix.https.jetty.session.cookie.httpOnly";
+
+ /** Felix specific property to configure the session cookie secure flag */
+ public static final String FELIX_JETTY_SESSION_COOKIE_SECURE =
"org.apache.felix.https.jetty.session.cookie.secure";
private static String validateContextPath(String ctxPath)
{
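Review bot: The Javadoc on FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY and FELIX_JETTY_SESSION_COOKIE_SECURE names the flag but not its default or effect, while the defaults (true and false respectively) are only visible in JettyService and the metatype provider and can drift independently. I would write `/** Felix specific property to configure the session cookie httpOnly flag (defaults to true; applies to session cookies on every connector, not only HTTPS) */` and `/** Felix specific property to configure the session cookie secure flag (defaults to false; when true the cookie is marked Secure and is only sent over TLS) */`. Both keys sit under the `org.apache.felix.https.` prefix, presumably for consistency with the existing https properties, although httpOnly is not TLS-specific; if the prefix is kept, the Javadoc should say so to avoid readers assuming the flag is only honoured on the HTTPS connector.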
Modified:
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
URL:
http://svn.apache.org/viewvc/felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java?rev=1715183&r1=1715182&r2=1715183&view=diff
==============================================================================
---
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
(original)
+++
felix/trunk/http/jetty/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java
Thu Nov 19 14:01:52 2015
@@ -468,6 +468,8 @@ public final class JettyService extends
cookieConfig.setDomain(this.config.getProperty(SessionManager.__SessionDomainProperty,
SessionManager.__DefaultSessionDomain));
cookieConfig.setPath(this.config.getProperty(SessionManager.__SessionPathProperty,
context.getContextPath()));
cookieConfig.setMaxAge(this.config.getIntProperty(SessionManager.__MaxAgeProperty,
-1));
+
cookieConfig.setHttpOnly(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_HTTP_ONLY,
true));
+
cookieConfig.setSecure(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE,
false));
}
private boolean startConnector(Connector connector)
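Review bot: Defaulting FELIX_JETTY_SESSION_COOKIE_SECURE to false on the setSecure line leaves the condition FELIX-5099 reports in place out of the box for an HTTPS-only deployment: the JSESSIONID cookie is still issued without the Secure attribute unless the administrator discovers and sets the new property. A safer default would be derived from the connector configuration, marking the cookie Secure whenever no plain-HTTP connector is enabled, with the explicit property still overriding it, e.g. `cookieConfig.setSecure(this.config.getBooleanProperty(JettyConfig.FELIX_JETTY_SESSION_COOKIE_SECURE, <true when only the HTTPS connector is enabled>))` — I cannot see from this hunk which accessor on config exposes that, so the placeholder stands for it. If the default is kept at false, a comment on that line stating why (compatibility with mixed HTTP/HTTPS setups) would help the next reader. The httpOnly default of true on the preceding line is fine. The enclosing method starts before this hunk.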