Author: markt
Date: Wed Jun 9 14:30:30 2010
New Revision: 953025
URL: http://svn.apache.org/viewvc?rev=953025&view=rev
Log:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
Make session cookie name, domain and path configurable per context
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 9 14:30:30 2010
@@ -62,13 +62,6 @@ PATCHES PROPOSED TO BACKPORT:
message text ("starting"), vs. what actually happened (initialize()) -
I won't insist on fixing that inconsistency.
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
- Make session cookie name, domain and path configurable per context.
- Updated patch in response to review comments from kkolinko & rjung
- http://people.apache.org/~markt/patches/2010-06-07-bug48379.patch
- +1: markt, jfclere, kkolinko
- -1:
-
* Configure Tomcat to use HttpOnly for session cookies by default
http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch
+1: kkolinko
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java Wed Jun 9
14:30:30 2010
@@ -181,6 +181,26 @@ public interface Context extends Contain
*/
public void setCookies(boolean cookies);
+
+ /**
+ * Gets the name to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie name or null if not
+ * specified
+ */
+ public String getSessionCookieName();
+
+
+ /**
+ * Sets the name to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookieName The name to use
+ */
+ public void setSessionCookieName(String sessionCookieName);
+
+
/**
* Gets the value of the use HttpOnly cookies for session cookies flag.
*
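Review bot: `getSessionCookieName()` and `setSessionCookieName()` are added as new abstract methods on the public `Context` interface, so any `Context` implementation other than the one updated in this commit would stop compiling, or fail with `AbstractMethodError` once `Request` or `CoyoteAdapter` calls the getter on an already-compiled class. The same applies to the domain and path accessors in the next hunk. If such implementations are expected on this branch, the changelog entry should say that the interface grew. The getter's Javadoc could also state the caller contract, e.g. `@return the configured name, or null, in which case callers fall back to Globals.SESSION_COOKIE_NAME`.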
@@ -198,12 +218,50 @@ public interface Context extends Contain
*/
public void setUseHttpOnly(boolean useHttpOnly);
+
+ /**
+ * Gets the domain to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie domain or null if not
+ * specified
+ */
+ public String getSessionCookieDomain();
+
+
+ /**
+ * Sets the domain to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookieDomain The domain to use
+ */
+ public void setSessionCookieDomain(String sessionCookieDomain);
+
+
+ /**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath();
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath);
+
+
/**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext();
-
/**
* Return the alternate Deployment Descriptor name.
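Review bot: The Javadoc for `setSessionCookieDomain` and `setSessionCookiePath` does not say that these values set the scope in which the browser returns the session id. A domain wider than the host, or a path wider than the context path, makes the session cookie visible to every other host or web application inside that scope. I would add to each setter a line such as `The value is used as given; a value broader than this context's own host or path exposes the session id to other applications in that scope.` Whether an implementation validates the value cannot be seen from the interface.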
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Wed Jun 9 14:30:30 2010
@@ -592,9 +592,11 @@ public class CoyoteAdapter implements Ad
if (count <= 0)
return;
+ String sessionCookieName = getSessionCookieName(context);
+
for (int i = 0; i < count; i++) {
ServerCookie scookie = serverCookies.getCookie(i);
- if (scookie.getName().equals(Globals.SESSION_COOKIE_NAME)) {
+ if (scookie.getName().equals(sessionCookieName)) {
// Override anything requested in the URL
if (!request.isRequestedSessionIdFromCookie()) {
// Accept only the first session id cookie
@@ -868,9 +870,6 @@ public class CoyoteAdapter implements Ad
}
- // ------------------------------------------------------ Protected Methods
-
-
/**
* Copy an array of bytes to a different position. Used during
* normalization.
@@ -882,4 +881,18 @@ public class CoyoteAdapter implements Ad
}
+ private String getSessionCookieName(Context context) {
+
+ String result = null;
+
+ if (context != null) {
+ result = context.getSessionCookieName();
+ }
+
+ if (result == null) {
+ result = Globals.SESSION_COOKIE_NAME;
+ }
+
+ return result;
+ }
}
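Review bot: The new private helper `getSessionCookieName(Context)` has no comment, and its null fallback to `Globals.SESSION_COOKIE_NAME` is repeated inline in two `Request.java` hunks and in `JvmRouteBinderValve.java`. Four copies of the rule can drift, and a mismatch between the name used for parsing here and the name used when the cookie is issued would stop sessions from being recognised. I would document the rule here with `/** Returns the session cookie name configured on the context, or Globals.SESSION_COOKIE_NAME if the context is null or has none. */` and consider moving it to a place the other three callers can share.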
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Wed
Jun 9 14:30:30 2010
@@ -2251,22 +2251,18 @@ public class Request
return;
if (response != null) {
- Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
- newSessionId);
- newCookie.setMaxAge(-1);
- String contextPath = null;
- if (!response.getConnector().getEmptySessionPath()
- && (context != null)) {
- contextPath = context.getEncodedPath();
+ String scName = null;
+ if (context != null) {
+ scName = context.getSessionCookieName();
}
- if ((contextPath != null) && (contextPath.length() > 0)) {
- newCookie.setPath(contextPath);
- } else {
- newCookie.setPath("/");
- }
- if (isSecure()) {
- newCookie.setSecure(true);
+ if (scName == null) {
+ scName = Globals.SESSION_COOKIE_NAME;
}
+
+ Cookie newCookie = new Cookie(scName, newSessionId);
+
+ configureSessionCookie(newCookie);
+
if (context == null) {
response.addSessionCookieInternal(newCookie, false);
} else {
@@ -2395,8 +2391,11 @@ public class Request
// Creating a new session cookie based on that session
if ((session != null) && (getContext() != null)
&& getContext().getCookies()) {
- Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
- session.getIdInternal());
+ String scName = context.getSessionCookieName();
+ if (scName == null) {
+ scName = Globals.SESSION_COOKIE_NAME;
+ }
+ Cookie cookie = new Cookie(scName, session.getIdInternal());
configureSessionCookie(cookie);
response.addSessionCookieInternal(cookie,
context.getUseHttpOnly());
}
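Review bot: The guard on this branch tests `getContext() != null`, but the added line dereferences the `context` field directly in `context.getSessionCookieName()`. This matches the existing `context.getUseHttpOnly()` call below, yet it is only safe if `getContext()` returns that same field, which this hunk does not show. Reading the context once, `Context ctxt = getContext();`, as the `configureSessionCookie` hunk does, and using `ctxt` for the test and both calls would make the null check cover what is dereferenced. The enclosing method starts and ends outside the hunk.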
@@ -2417,15 +2416,27 @@ public class Request
*/
protected void configureSessionCookie(Cookie cookie) {
cookie.setMaxAge(-1);
+
+ Context ctxt = getContext();
+
String contextPath = null;
- if (!connector.getEmptySessionPath() && (getContext() != null)) {
- contextPath = getContext().getEncodedPath();
+ if (ctxt != null && !getConnector().getEmptySessionPath()) {
+ if (ctxt.getSessionCookiePath() != null) {
+ contextPath = ctxt.getSessionCookiePath();
+ } else {
+ contextPath = ctxt.getEncodedPath();
+ }
}
if ((contextPath != null) && (contextPath.length() > 0)) {
cookie.setPath(contextPath);
} else {
cookie.setPath("/");
}
+
+ if (ctxt != null && ctxt.getSessionCookieDomain() != null) {
+ cookie.setDomain(ctxt.getSessionCookieDomain());
+ }
+
if (isSecure()) {
cookie.setSecure(true);
}
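Review bot: `ctxt.getSessionCookiePath()` and `ctxt.getSessionCookieDomain()` are each called twice, once for the null test and once for the value. The setters in `StandardContext` can change these fields at run time, so the second read may return null after the first returned a value: the path would then fall through to `"/"`, and `cookie.setDomain(null)` may throw, depending on the `Cookie` implementation. Read each value once, for example `String scPath = ctxt.getSessionCookiePath();` followed by `contextPath = (scPath != null) ? scPath : ctxt.getEncodedPath();`, and do the same for the domain. The method's closing lines are outside the hunk.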
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java Wed
Jun 9 14:30:30 2010
@@ -703,11 +703,34 @@ public class StandardContext
*/
private boolean saveConfig = true;
+
/**
* The flag that indicates that session cookies should use HttpOnly
*/
private boolean useHttpOnly = false;
+
+ /**
+ * The domain to use for session cookies. <code>null</code> indicates that
+ * the domain is controlled by the application.
+ */
+ private String sessionCookieDomain;
+
+
+ /**
+ * The path to use for session cookies. <code>null</code> indicates that
+ * the path is controlled by the application.
+ */
+ private String sessionCookiePath;
+
+
+ /**
+ * The name to use for session cookies. <code>null</code> indicates that
+ * the name is controlled by the application.
+ */
+ private String sessionCookieName;
+
+
/**
* Should Tomcat attempt to terminate threads that have been started by the
* web application? Stopping threads is performed via the deprecated (for
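Review bot: The comments on the three new fields say that `null` means the value "is controlled by the application", which disagrees with the documentation added to `context.xml` in this same commit. There, an unset domain means no domain is sent, an unset name means `JSESSIONID` (or the system property value), and an unset path means the context path. The field comments should state the same, e.g. `null means no domain is set on the cookie`, `null means Globals.SESSION_COOKIE_NAME is used` and `null means the encoded context path is used`.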
@@ -1176,8 +1199,79 @@ public class StandardContext
}
+ /**
+ * Gets the domain to use for session cookies.
+ *
+ * @return The value of the default session cookie domain or null if not
+ * specified
+ */
+ public String getSessionCookieDomain() {
+ return sessionCookieDomain;
+ }
+
+
+ /**
+ * Sets the domain to use for session cookies.
+ *
+ * @param sessionCookieDomain The domain to use
+ */
+ public void setSessionCookieDomain(String sessionCookieDomain) {
+ String oldSessionCookieDomain = this.sessionCookieDomain;
+ this.sessionCookieDomain = sessionCookieDomain;
+ support.firePropertyChange("sessionCookieDomain",
+ oldSessionCookieDomain, sessionCookieDomain);
+ }
+
+
+ /**
+ * Gets the path to use for session cookies.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath() {
+ return sessionCookiePath;
+ }
+
+
+ /**
+ * Sets the path to use for session cookies.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath) {
+ String oldSessionCookiePath = this.sessionCookiePath;
+ this.sessionCookiePath = sessionCookiePath;
+ support.firePropertyChange("sessionCookiePath",
+ oldSessionCookiePath, sessionCookiePath);
+ }
+
+ /**
+ * Gets the name to use for session cookies.
+ *
+ * @return The value of the default session cookie name or null if not
+ * specified
+ */
+ public String getSessionCookieName() {
+ return sessionCookieName;
+ }
+
+
+ /**
+ * Sets the name to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookieName The name to use
+ */
+ public void setSessionCookieName(String sessionCookieName) {
+ String oldSessionCookieName = this.sessionCookieName;
+ this.sessionCookieName = sessionCookieName;
+ support.firePropertyChange("sessionCookieName",
+ oldSessionCookieName, sessionCookieName);
+ }
+
/**
* Return the "allow crossing servlet contexts" flag.
*/
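Review bot: The three setters store whatever string they are given, so an empty value is kept as a non-null setting. In `Request.configureSessionCookie` a non-null but empty `sessionCookiePath` replaces the context path and then fails the `contextPath.length() > 0` test, so the cookie is issued with path `/` and is sent to every application on the host. An empty name or domain would likewise be passed straight to `new Cookie(...)` and `setDomain(...)`. Treating an empty string as unset in each setter, e.g. `if (sessionCookiePath != null && sessionCookiePath.length() == 0) sessionCookiePath = null;` before the assignment, would keep the documented defaults.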
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
Wed Jun 9 14:30:30 2010
@@ -455,25 +455,40 @@ public class JvmRouteBinderValve extends
Context context = request.getContext();
if (context.getCookies()) {
// set a new session cookie
- Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
- sessionId);
+ String scName = context.getSessionCookieName();
+ if (scName == null) {
+ scName = Globals.SESSION_COOKIE_NAME;
+ }
+ Cookie newCookie = new Cookie(scName, sessionId);
+
newCookie.setMaxAge(-1);
+
String contextPath = null;
- if (!response.getConnector().getEmptySessionPath()
- && (context != null)) {
- contextPath = context.getEncodedPath();
+ if (!response.getConnector().getEmptySessionPath() &&
+ (context != null)) {
+ if (context.getSessionCookiePath() != null) {
+ contextPath = context.getSessionCookiePath();
+ } else {
+ contextPath = context.getEncodedPath();
+ }
}
if ((contextPath != null) && (contextPath.length() > 0)) {
newCookie.setPath(contextPath);
} else {
newCookie.setPath("/");
}
+
+ if (context.getSessionCookieDomain() != null) {
+ newCookie.setDomain(context.getSessionCookieDomain());
+ }
+
if (request.isSecure()) {
newCookie.setSecure(true);
}
+
if (log.isDebugEnabled()) {
Object[] args = new Object[] {sessionId,
- Globals.SESSION_COOKIE_NAME,
+ newCookie.getName(),
newCookie.getPath(),
new Boolean(newCookie.getSecure()),
new Boolean(context.getUseHttpOnly())};
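Review bot: The re-wrapped condition keeps `(context != null)`, but `context` has already been dereferenced by `context.getCookies()` and by the new `context.getSessionCookieName()`, so the test cannot be false here and suggests a protection that does not exist. Either drop it, `if (!response.getConnector().getEmptySessionPath()) {`, or move a real null check ahead of `context.getCookies()`. The path, domain and secure handling is also a second copy of `Request.configureSessionCookie`, so any later change to cookie scoping has to be made in both places; a comment saying so would help. The enclosing method starts and ends outside the hunk.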
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Jun 9 14:30:30 2010
@@ -62,6 +62,10 @@
Improve exception handling on session de-serialization to assist in
identifying the root cause of <bug>48007</bug>. (kkolinko)
</fix>
+ <add>
+ <bug>48379</bug>: Make session cookie name, domain and path
configurable
+ per context. (markt)
+ </add>
<fix>
<bug>48589</bug>: Make JNDIRealm easier to extend. Based on a patch by
Candid Dauth. (markt/kkolinko)
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml?rev=953025&r1=953024&r2=953025&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Wed Jun 9 14:30:30
2010
@@ -227,6 +227,27 @@
on demand.</p>
</attribute>
+ <attribute name="sessionCookieDomain" required="false">
+ <p>The domain to be used for all session cookies created for this
+ Context. If not set, no domain will be specified for session cookies.
+ </p>
+ </attribute>
+
+ <attribute name="sessionCookieName" required="false">
+ <p>The name to be used for all session cookies created for this
+ Context. If not set, the default of JSESSIONID will be used. Note that
+ this default will be overridden by the
+ <strong>org.apache.catalina.SESSION_COOKIE_NAME</strong> system
+ property.</p>
+ </attribute>
+
+ <attribute name="sessionCookiePath" required="false">
+ <p>The path to be used for all session cookies created for this
+ Context. If not set, the context path will be used. Note that this will
+ be overridden by the <strong>emptySessionPath</strong> attribute on the
+ connector used to access this Context.</p>
+ </attribute>
+
<attribute name="wrapperClass" required="false">
<p>Java class name of the <code>org.apache.catalina.Wrapper</code>
implementation class that will be used for servlets managed by this