From 227b3aa7cf58aef96361e428e71074f452b383e1 Mon Sep 17 00:00:00 2001 From: lprimak Date: Thu, 21 Sep 2023 16:38:10 -0500 Subject: [PATCH] bugfix: numerous spelling fixes in method names in form resubmit internals enh: added org.apache.shiro.form-resubmit.secure-cookies configuration parameter into web.xml bugfix: made org.apache.shiro.form-resubmit.disabled configuration parameter work in web.xml --- .../ee/filters/AuthenticationFilterDelegate.java | 4 ++-- .../shiro/ee/filters/FormResubmitSupport.java | 6 +++--- .../ee/filters/FormResubmitSupportCookies.java | 15 +++++++++++---- .../java/org/apache/shiro/ee/filters/Forms.java | 4 ++-- .../ee/listeners/EnvironmentLoaderListener.java | 16 +++++++++++++++- 5 files changed, 33 insertions(+), 12 deletions(-) diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/AuthenticationFilterDelegate.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/AuthenticationFilterDelegate.java index 5c1741be00..58c72eab2b 100644 --- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/AuthenticationFilterDelegate.java +++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/AuthenticationFilterDelegate.java @@ -22,7 +22,7 @@ import org.apache.shiro.ee.filters.Forms.FallbackPredicate; import static org.apache.shiro.ee.filters.LogoutFilter.LOGOUT_PREDICATE_ATTR_NAME; import static org.apache.shiro.ee.filters.LogoutFilter.YES_PREDICATE; -import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled; +import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled; import java.io.IOException; import java.util.concurrent.TimeUnit; import javax.servlet.ServletRequest; 
@@ -102,7 +102,7 @@ public boolean isAccessAllowed(ServletRequest request, ServletResponse response, * @throws IOException */ public void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException { - if (request instanceof HttpServletRequest && !isFormResumbitDisabled(request.getServletContext())) { + if (request instanceof HttpServletRequest && !isFormResubmitDisabled(request.getServletContext())) { savePostDataForResubmit(WebUtils.toHttp(request), WebUtils.toHttp(response), methods.getLoginUrl()); } diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java index 9841ea82ab..cd44ced4ce 100644 --- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java +++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java @@ -33,7 +33,7 @@ import org.apache.shiro.ee.filters.Forms.FallbackPredicate; import org.apache.shiro.ee.filters.ShiroFilter.WrappedSecurityManager; import static org.apache.shiro.ee.filters.FormResubmitSupportCookies.transformCookieHeader; -import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled; +import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled; import java.io.IOException; import java.net.CookieManager; import java.net.HttpCookie; @@ -233,7 +233,7 @@ static String getReferer(HttpServletRequest request) { /** * Redirects the user to saved request after login, if available - * Resumbits the form that caused the logout upon successfull login.Form resumnission supports JSF and Ajax forms + * Resubmits the form that caused the logout upon successfull login.Form resumnission supports JSF and Ajax forms * @param request * @param response * @param useFallbackPath predicate whether to use fall back path 
@@ -263,7 +263,7 @@ static void redirectToSaved(HttpServletRequest request, HttpServletResponse resp static void redirectToSaved(HttpServletRequest request, HttpServletResponse response, FallbackPredicate useFallbackPath, String fallbackPath) { redirectToSaved(request, response, useFallbackPath, fallbackPath, - !isFormResumbitDisabled(request.getServletContext())); + !isFormResubmitDisabled(request.getServletContext())); } diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java index 06e90107cd..6a77c6e3f8 100644 --- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java +++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java @@ -29,6 +29,7 @@ import lombok.NoArgsConstructor; import lombok.NonNull; import lombok.extern.slf4j.Slf4j; +import org.apache.shiro.ee.listeners.EnvironmentLoaderListener; import static org.apache.shiro.web.servlet.ShiroHttpSession.DEFAULT_SESSION_ID_NAME; /** 
@@ -41,18 +42,24 @@ public class FormResubmitSupportCookies { static final String DONT_ADD_ANY_MORE_COOKIES = "org.apache.shiro.no-more-cookies"; static void addCookie(@NonNull HttpServletResponse response, ServletContext servletContext, - @NonNull String cokieName, @NonNull String cookieValue, int maxAge) { - var cookie = new Cookie(cokieName, cookieValue); + @NonNull String cookieName, @NonNull String cookieValue, int maxAge) { + var cookie = new Cookie(cookieName, cookieValue); cookie.setPath(servletContext.getContextPath()); cookie.setMaxAge(maxAge); + if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) { + cookie.setSecure(true); + } response.addCookie(cookie); } static void deleteCookie(@NonNull HttpServletResponse response, ServletContext servletContext, - @NonNull String cokieName) { - var cookieToDelete = new Cookie(cokieName, "tbd"); + @NonNull String cookieName) { + var cookieToDelete = new Cookie(cookieName, "tbd"); cookieToDelete.setPath(servletContext.getContextPath()); cookieToDelete.setMaxAge(0); + if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) { + cookieToDelete.setSecure(true); + } response.addCookie(cookieToDelete); } diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java index 9630de44c3..e081a8fdf5 100644 --- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java +++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java 
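Review bot: `addCookie` and `deleteCookie` never call `setHttpOnly(true)` in the lines shown, so every cookie written through them stays readable from page script even when the new Secure flag is applied. The file imports `DEFAULT_SESSION_ID_NAME`, which suggests session identifiers may pass through these helpers, though the callers are not visible here. If no client-side code needs to read these cookies, add `cookie.setHttpOnly(true);` and `cookieToDelete.setHttpOnly(true);` before the `response.addCookie(...)` calls. As a style point, each added `if` block can be collapsed to `cookie.setSecure(EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext));`, which keeps the flag decision in one expression.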
@@ -18,7 +18,7 @@ import static org.apache.shiro.ee.filters.FormResubmitSupport.FORM_IS_RESUBMITTED; import static org.apache.shiro.ee.filters.FormResubmitSupport.SESSION_EXPIRED_PARAMETER; import static org.apache.shiro.ee.filters.LogoutFilter.LOGOUT_PREDICATE_ATTR_NAME; -import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled; +import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled; import java.util.concurrent.TimeUnit; import javax.enterprise.context.ApplicationScoped; import javax.inject.Named; @@ -130,7 +130,7 @@ public interface FallbackPredicate { */ public static void redirectToSaved(FallbackPredicate useFallbackPath, String fallbackPath) { FormResubmitSupport.redirectToSaved(Faces.getRequest(), Faces.getResponse(), useFallbackPath, fallbackPath, - !isFormResumbitDisabled(Faces.getRequest().getServletContext())); + !isFormResubmitDisabled(Faces.getRequest().getServletContext())); } /** diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java index 92b37a4f35..c7381021c9 100644 --- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java +++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java 
@@ -30,16 +30,21 @@ public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener { private static final String SHIRO_EE_DISABLED_PARAM = "org.apache.shiro.ee.disabled"; private static final String FORM_RESUBMIT_DISABLED_PARAM = "org.apache.shiro.form-resubmit.disabled"; + private static final String FORM_RESUBMIT_SECURE_COOKIES = "org.apache.shiro.form-resubmit.secure-cookies"; private static final String SHIRO_WEB_DISABLE_PRINCIPAL_PARAM = "org.apache.shiro.web.disable-principal"; public static boolean isShiroEEDisabled(ServletContext ctx) { return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_EE_DISABLED_PARAM)); } - public static boolean isFormResumbitDisabled(ServletContext ctx) { + public static boolean isFormResubmitDisabled(ServletContext ctx) { return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_DISABLED_PARAM)); } + public static boolean isFormResubmitSecureCookies(ServletContext ctx) { + return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_SECURE_COOKIES)); + } + public static boolean isServletNoPrincipal(ServletContext ctx) { return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM)); } 
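Review bot: `isFormResubmitSecureCookies` returns false whenever the context attribute is absent, because `Boolean.TRUE.equals(null)` is false. The secure-by-default behaviour therefore holds only after this listener's `contextInitialized` has run for that context. For an opt-out setting the accessor should fail closed: `return !Boolean.FALSE.equals(ctx.getAttribute(FORM_RESUBMIT_SECURE_COOKIES));`. The new public method also has no Javadoc; a short comment stating that cookies are Secure unless `org.apache.shiro.form-resubmit.secure-cookies` is set to false in web.xml, and that Secure cookies are not sent over plain HTTP, would document the default where callers will look for it.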
@@ -49,6 +54,15 @@ public void contextInitialized(ServletContextEvent sce) { if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_EE_DISABLED_PARAM))) { sce.getServletContext().setAttribute(SHIRO_EE_DISABLED_PARAM, Boolean.TRUE); } + if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(FORM_RESUBMIT_DISABLED_PARAM))) { + sce.getServletContext().setAttribute(FORM_RESUBMIT_DISABLED_PARAM, Boolean.TRUE); + } + String secureCookiesStr = sce.getServletContext().getInitParameter(FORM_RESUBMIT_SECURE_COOKIES); + if (secureCookiesStr == null || Boolean.parseBoolean(secureCookiesStr)) { + sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, Boolean.TRUE); + } else { + sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, Boolean.FALSE); + } if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM))) { sce.getServletContext().setAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM, Boolean.TRUE); }
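Review bot: Any value of `org.apache.shiro.form-resubmit.secure-cookies` other than a case-insensitive `true` switches the Secure flag off, because `Boolean.parseBoolean` maps a typo such as `yes`, or a value with stray whitespace, to false. Since the setting is on by default when the parameter is missing, it is safer to disable it only on an explicit false: `boolean secure = secureCookiesStr == null || !"false".equalsIgnoreCase(secureCookiesStr.trim());` followed by a single `sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, secure);`. Logging a warning for an unrecognised value would help operators notice the misconfiguration. `contextInitialized` begins and ends outside this hunk.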