Merge pull request #1078 from lprimak/cookie-secure-flag
[#1079] - bugfix: make sure form resubmit cookie is secure
lprimak authored Sep 21, 2023
2 parents 2ab7a7c + 227b3aa commit fe2ccc0
Showing 5 changed files with 33 additions and 12 deletions.
Expand Up @@ -22,7 +22,7 @@
import org.apache.shiro.ee.filters.Forms.FallbackPredicate;
import static org.apache.shiro.ee.filters.LogoutFilter.LOGOUT_PREDICATE_ATTR_NAME;
import static org.apache.shiro.ee.filters.LogoutFilter.YES_PREDICATE;
import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled;
import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletRequest;
Expand Down Expand Up @@ -102,7 +102,7 @@ public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
* @throws IOException
*/
public void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
if (request instanceof HttpServletRequest && !isFormResumbitDisabled(request.getServletContext())) {
if (request instanceof HttpServletRequest && !isFormResubmitDisabled(request.getServletContext())) {
savePostDataForResubmit(WebUtils.toHttp(request), WebUtils.toHttp(response),
methods.getLoginUrl());
}
Expand Up @@ -33,7 +33,7 @@
import org.apache.shiro.ee.filters.Forms.FallbackPredicate;
import org.apache.shiro.ee.filters.ShiroFilter.WrappedSecurityManager;
import static org.apache.shiro.ee.filters.FormResubmitSupportCookies.transformCookieHeader;
import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled;
import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled;
import java.io.IOException;
import java.net.CookieManager;
import java.net.HttpCookie;
Expand Down Expand Up @@ -233,7 +233,7 @@ static String getReferer(HttpServletRequest request) {

/**
* Redirects the user to saved request after login, if available
* Resumbits the form that caused the logout upon successfull login.Form resumnission supports JSF and Ajax forms
* Resubmits the form that caused the logout upon successfull login.Form resumnission supports JSF and Ajax forms
* @param request
* @param response
* @param useFallbackPath predicate whether to use fall back path
Expand Down Expand Up @@ -263,7 +263,7 @@ static void redirectToSaved(HttpServletRequest request, HttpServletResponse resp
static void redirectToSaved(HttpServletRequest request, HttpServletResponse response,
FallbackPredicate useFallbackPath, String fallbackPath) {
redirectToSaved(request, response, useFallbackPath, fallbackPath,
!isFormResumbitDisabled(request.getServletContext()));
!isFormResubmitDisabled(request.getServletContext()));
}
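Review bot: The corrected Javadoc line in the second hunk still carries two misspellings and a missing space: "successfull login.Form resumnission" should read `* Resubmits the form that caused the logout upon successful login. Form resubmission supports JSF and Ajax forms`. Since the commit already touches this line to fix "Resumbits", finishing the sentence here keeps the method's documentation clean in one pass. redirectToSaved's Javadoc block starts before the hunk.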


Expand Up @@ -29,6 +29,7 @@
import lombok.NoArgsConstructor;
import lombok.NonNull;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.ee.listeners.EnvironmentLoaderListener;
import static org.apache.shiro.web.servlet.ShiroHttpSession.DEFAULT_SESSION_ID_NAME;

/**
Expand All @@ -41,18 +42,24 @@ public class FormResubmitSupportCookies {
static final String DONT_ADD_ANY_MORE_COOKIES = "org.apache.shiro.no-more-cookies";

static void addCookie(@NonNull HttpServletResponse response, ServletContext servletContext,
@NonNull String cokieName, @NonNull String cookieValue, int maxAge) {
var cookie = new Cookie(cokieName, cookieValue);
@NonNull String cookieName, @NonNull String cookieValue, int maxAge) {
var cookie = new Cookie(cookieName, cookieValue);
cookie.setPath(servletContext.getContextPath());
cookie.setMaxAge(maxAge);
if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) {
cookie.setSecure(true);
}
response.addCookie(cookie);
}

static void deleteCookie(@NonNull HttpServletResponse response, ServletContext servletContext,
@NonNull String cokieName) {
var cookieToDelete = new Cookie(cokieName, "tbd");
@NonNull String cookieName) {
var cookieToDelete = new Cookie(cookieName, "tbd");
cookieToDelete.setPath(servletContext.getContextPath());
cookieToDelete.setMaxAge(0);
if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) {
cookieToDelete.setSecure(true);
}
response.addCookie(cookieToDelete);
}
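Review bot: The Secure-flag block is now duplicated verbatim in addCookie and deleteCookie, and neither method sets HttpOnly, so the resubmit cookie remains readable by page script even when Secure is on; the repeated block belongs in one helper that applies every cookie attribute in a single place. Whether HttpOnly is appropriate depends on whether client-side resubmit code reads this cookie, which the hunk does not show — if it does, leave that line out and record why in a comment. Setting Secure on the deletion cookie as well keeps its attributes aligned with the cookie being cleared, and a one-line comment on deleteCookie saying so would spare the next reader the question.
```java
static void addCookie(@NonNull HttpServletResponse response, ServletContext servletContext,
        @NonNull String cookieName, @NonNull String cookieValue, int maxAge) {
    var cookie = new Cookie(cookieName, cookieValue);
    cookie.setPath(servletContext.getContextPath());
    cookie.setMaxAge(maxAge);
    applyCookieAttributes(cookie, servletContext);
    response.addCookie(cookie);
}

// … unchanged: deleteCookie, with its Secure block replaced by applyCookieAttributes(cookieToDelete, servletContext) …

/**
 * Applies the transport attributes shared by every form-resubmit cookie.
 * Secure follows the context configuration; HttpOnly is unconditional
 * because nothing in this class reads the cookie from script
 * (NOTE(review): confirm the client-side resubmit code does not either).
 */
private static void applyCookieAttributes(Cookie cookie, ServletContext servletContext) {
    if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) {
        cookie.setSecure(true);
    }
    cookie.setHttpOnly(true);
}
```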

Expand Up @@ -18,7 +18,7 @@
import static org.apache.shiro.ee.filters.FormResubmitSupport.FORM_IS_RESUBMITTED;
import static org.apache.shiro.ee.filters.FormResubmitSupport.SESSION_EXPIRED_PARAMETER;
import static org.apache.shiro.ee.filters.LogoutFilter.LOGOUT_PREDICATE_ATTR_NAME;
import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled;
import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled;
import java.util.concurrent.TimeUnit;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Named;
Expand Down Expand Up @@ -130,7 +130,7 @@ public interface FallbackPredicate {
*/
public static void redirectToSaved(FallbackPredicate useFallbackPath, String fallbackPath) {
FormResubmitSupport.redirectToSaved(Faces.getRequest(), Faces.getResponse(), useFallbackPath, fallbackPath,
!isFormResumbitDisabled(Faces.getRequest().getServletContext()));
!isFormResubmitDisabled(Faces.getRequest().getServletContext()));
}

/**
Expand Up @@ -30,16 +30,21 @@
public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener {
private static final String SHIRO_EE_DISABLED_PARAM = "org.apache.shiro.ee.disabled";
private static final String FORM_RESUBMIT_DISABLED_PARAM = "org.apache.shiro.form-resubmit.disabled";
private static final String FORM_RESUBMIT_SECURE_COOKIES = "org.apache.shiro.form-resubmit.secure-cookies";
private static final String SHIRO_WEB_DISABLE_PRINCIPAL_PARAM = "org.apache.shiro.web.disable-principal";

public static boolean isShiroEEDisabled(ServletContext ctx) {
return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_EE_DISABLED_PARAM));
}

public static boolean isFormResumbitDisabled(ServletContext ctx) {
public static boolean isFormResubmitDisabled(ServletContext ctx) {
return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_DISABLED_PARAM));
}

public static boolean isFormResubmitSecureCookies(ServletContext ctx) {
return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_SECURE_COOKIES));
}

public static boolean isServletNoPrincipal(ServletContext ctx) {
return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM));
}
Expand All @@ -49,6 +54,15 @@ public void contextInitialized(ServletContextEvent sce) {
if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_EE_DISABLED_PARAM))) {
sce.getServletContext().setAttribute(SHIRO_EE_DISABLED_PARAM, Boolean.TRUE);
}
if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(FORM_RESUBMIT_DISABLED_PARAM))) {
sce.getServletContext().setAttribute(FORM_RESUBMIT_DISABLED_PARAM, Boolean.TRUE);
}
String secureCookiesStr = sce.getServletContext().getInitParameter(FORM_RESUBMIT_SECURE_COOKIES);
if (secureCookiesStr == null || Boolean.parseBoolean(secureCookiesStr)) {
sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, Boolean.TRUE);
} else {
sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, Boolean.FALSE);
}
if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM))) {
sce.getServletContext().setAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM, Boolean.TRUE);
}
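Review bot: `isFormResubmitSecureCookies` returns false whenever the attribute is absent, so the secure-by-default decision taken in contextInitialized (missing init-param → TRUE) only holds for a ServletContext this listener has actually initialized; any code path that reaches the cookie helpers without it would silently produce non-Secure cookies. Making the accessor itself fail safe keeps the default in one place: `return !Boolean.FALSE.equals(ctx.getAttribute(FORM_RESUBMIT_SECURE_COOKIES));`, after which the explicit FALSE branch in contextInitialized still works but is no longer what guarantees the default. The new parameter is also undocumented; a comment on the constant such as `// context init-param: unset or "true" sets the Secure attribute on form-resubmit cookies, "false" disables it` would record the intended default next to its name. contextInitialized continues outside the hunk.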
