[#1079] - bugfix: make sure form resubmit cookie is secure

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/AuthenticationFilterDelegate.java

@@ -22,7 +22,7 @@
 import org.apache.shiro.ee.filters.Forms.FallbackPredicate;
 import static org.apache.shiro.ee.filters.LogoutFilter.LOGOUT_PREDICATE_ATTR_NAME;
 import static org.apache.shiro.ee.filters.LogoutFilter.YES_PREDICATE;
-import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled;
+import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 import javax.servlet.ServletRequest;
@@ -102,7 +102,7 @@ public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
      * @throws IOException
      */
     public void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
-        if (request instanceof HttpServletRequest && !isFormResumbitDisabled(request.getServletContext())) {
+        if (request instanceof HttpServletRequest && !isFormResubmitDisabled(request.getServletContext())) {
             savePostDataForResubmit(WebUtils.toHttp(request), WebUtils.toHttp(response),
                     methods.getLoginUrl());
         }

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java

@@ -33,7 +33,7 @@
 import org.apache.shiro.ee.filters.Forms.FallbackPredicate;
 import org.apache.shiro.ee.filters.ShiroFilter.WrappedSecurityManager;
 import static org.apache.shiro.ee.filters.FormResubmitSupportCookies.transformCookieHeader;
-import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled;
+import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled;
 import java.io.IOException;
 import java.net.CookieManager;
 import java.net.HttpCookie;
@@ -233,7 +233,7 @@ static String getReferer(HttpServletRequest request) {
 
     /**
      * Redirects the user to saved request after login, if available
-     * Resumbits the form that caused the logout upon successfull login.Form resumnission supports JSF and Ajax forms
+     * Resubmits the form that caused the logout upon successfull login.Form resumnission supports JSF and Ajax forms
      * @param request
      * @param response
      * @param useFallbackPath predicate whether to use fall back path
@@ -263,7 +263,7 @@ static void redirectToSaved(HttpServletRequest request, HttpServletResponse resp
     static void redirectToSaved(HttpServletRequest request, HttpServletResponse response,
             FallbackPredicate useFallbackPath, String fallbackPath) {
         redirectToSaved(request, response, useFallbackPath, fallbackPath,
-                !isFormResumbitDisabled(request.getServletContext()));
+                !isFormResubmitDisabled(request.getServletContext()));
     }
 
 

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java

@@ -29,6 +29,7 @@
 import lombok.NoArgsConstructor;
 import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.shiro.ee.listeners.EnvironmentLoaderListener;
 import static org.apache.shiro.web.servlet.ShiroHttpSession.DEFAULT_SESSION_ID_NAME;
 
 /**
@@ -41,18 +42,24 @@ public class FormResubmitSupportCookies {
     static final String DONT_ADD_ANY_MORE_COOKIES = "org.apache.shiro.no-more-cookies";
 
     static void addCookie(@NonNull HttpServletResponse response, ServletContext servletContext,
-            @NonNull String cokieName, @NonNull String cookieValue, int maxAge) {
-        var cookie = new Cookie(cokieName, cookieValue);
+            @NonNull String cookieName, @NonNull String cookieValue, int maxAge) {
+        var cookie = new Cookie(cookieName, cookieValue);
         cookie.setPath(servletContext.getContextPath());
         cookie.setMaxAge(maxAge);
+        if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) {
+            cookie.setSecure(true);
+        }
         response.addCookie(cookie);
     }
 
     static void deleteCookie(@NonNull HttpServletResponse response, ServletContext servletContext,
-            @NonNull String cokieName) {
-        var cookieToDelete = new Cookie(cokieName, "tbd");
+            @NonNull String cookieName) {
+        var cookieToDelete = new Cookie(cookieName, "tbd");
         cookieToDelete.setPath(servletContext.getContextPath());
         cookieToDelete.setMaxAge(0);
+        if (EnvironmentLoaderListener.isFormResubmitSecureCookies(servletContext)) {
+            cookieToDelete.setSecure(true);
+        }
         response.addCookie(cookieToDelete);
     }
 

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java

@@ -18,7 +18,7 @@
 import static org.apache.shiro.ee.filters.FormResubmitSupport.FORM_IS_RESUBMITTED;
 import static org.apache.shiro.ee.filters.FormResubmitSupport.SESSION_EXPIRED_PARAMETER;
 import static org.apache.shiro.ee.filters.LogoutFilter.LOGOUT_PREDICATE_ATTR_NAME;
-import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResumbitDisabled;
+import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isFormResubmitDisabled;
 import java.util.concurrent.TimeUnit;
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Named;
@@ -130,7 +130,7 @@ public interface FallbackPredicate {
      */
     public static void redirectToSaved(FallbackPredicate useFallbackPath, String fallbackPath) {
         FormResubmitSupport.redirectToSaved(Faces.getRequest(), Faces.getResponse(), useFallbackPath, fallbackPath,
-                !isFormResumbitDisabled(Faces.getRequest().getServletContext()));
+                !isFormResubmitDisabled(Faces.getRequest().getServletContext()));
     }
 
     /**

support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java

@@ -30,16 +30,21 @@
 public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener {
     private static final String SHIRO_EE_DISABLED_PARAM = "org.apache.shiro.ee.disabled";
     private static final String FORM_RESUBMIT_DISABLED_PARAM = "org.apache.shiro.form-resubmit.disabled";
+    private static final String FORM_RESUBMIT_SECURE_COOKIES = "org.apache.shiro.form-resubmit.secure-cookies";
     private static final String SHIRO_WEB_DISABLE_PRINCIPAL_PARAM = "org.apache.shiro.web.disable-principal";
 
     public static boolean isShiroEEDisabled(ServletContext ctx) {
         return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_EE_DISABLED_PARAM));
     }
 
-    public static boolean isFormResumbitDisabled(ServletContext ctx) {
+    public static boolean isFormResubmitDisabled(ServletContext ctx) {
         return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_DISABLED_PARAM));
     }
 
+    public static boolean isFormResubmitSecureCookies(ServletContext ctx) {
+        return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_SECURE_COOKIES));
+    }
+
     public static boolean isServletNoPrincipal(ServletContext ctx) {
         return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM));
     }
@@ -49,6 +54,15 @@ public void contextInitialized(ServletContextEvent sce) {
         if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_EE_DISABLED_PARAM))) {
             sce.getServletContext().setAttribute(SHIRO_EE_DISABLED_PARAM, Boolean.TRUE);
         }
+        if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(FORM_RESUBMIT_DISABLED_PARAM))) {
+            sce.getServletContext().setAttribute(FORM_RESUBMIT_DISABLED_PARAM, Boolean.TRUE);
+        }
+        String secureCookiesStr = sce.getServletContext().getInitParameter(FORM_RESUBMIT_SECURE_COOKIES);
+        if (secureCookiesStr == null || Boolean.parseBoolean(secureCookiesStr)) {
+            sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, Boolean.TRUE);
+        } else {
+            sce.getServletContext().setAttribute(FORM_RESUBMIT_SECURE_COOKIES, Boolean.FALSE);
+        }
         if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM))) {
             sce.getServletContext().setAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM, Boolean.TRUE);
         }