ApplicationSessionCookieConfig.java
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.core;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.http.Cookie;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.util.SessionConfig;
import org.apache.tomcat.util.descriptor.web.Constants;
import org.apache.tomcat.util.res.StringManager;
public class ApplicationSessionCookieConfig implements SessionCookieConfig {
/**
* The string manager for this package.
*/
private static final StringManager sm = StringManager.getManager(ApplicationSessionCookieConfig.class);
private static final int DEFAULT_MAX_AGE = -1;
private static final boolean DEFAULT_HTTP_ONLY = false;
private static final boolean DEFAULT_SECURE = false;
private final Map<String,String> attributes = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
private String name;
private StandardContext context;
public ApplicationSessionCookieConfig(StandardContext context) {
this.context = context;
}
@Override
public String getComment() {
return null;
}
@Override
public String getDomain() {
return getAttribute(Constants.COOKIE_DOMAIN_ATTR);
}
@Override
public int getMaxAge() {
String maxAge = getAttribute(Constants.COOKIE_MAX_AGE_ATTR);
if (maxAge == null) {
return DEFAULT_MAX_AGE;
}
return Integer.parseInt(maxAge);
}
@Override
public String getName() {
return name;
}
@Override
public String getPath() {
return getAttribute(Constants.COOKIE_PATH_ATTR);
}
@Override
public boolean isHttpOnly() {
String httpOnly = getAttribute(Constants.COOKIE_HTTP_ONLY_ATTR);
if (httpOnly == null) {
return DEFAULT_HTTP_ONLY;
}
return Boolean.parseBoolean(httpOnly);
}
@Override
public boolean isSecure() {
String secure = getAttribute(Constants.COOKIE_SECURE_ATTR);
if (secure == null) {
return DEFAULT_SECURE;
}
return Boolean.parseBoolean(secure);
}
@Override
public void setComment(String comment) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "comment", context.getPath()));
}
}
@Override
public void setDomain(String domain) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "domain name", context.getPath()));
}
setAttribute(Constants.COOKIE_DOMAIN_ATTR, domain);
}
@Override
public void setHttpOnly(boolean httpOnly) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "HttpOnly", context.getPath()));
}
setAttribute(Constants.COOKIE_HTTP_ONLY_ATTR, Boolean.toString(httpOnly));
}
@Override
public void setMaxAge(int maxAge) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "max age", context.getPath()));
}
setAttribute(Constants.COOKIE_MAX_AGE_ATTR, Integer.toString(maxAge));
}
@Override
public void setName(String name) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "name", context.getPath()));
}
this.name = name;
}
@Override
public void setPath(String path) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "path", context.getPath()));
}
setAttribute(Constants.COOKIE_PATH_ATTR, path);
}
@Override
public void setSecure(boolean secure) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", "secure", context.getPath()));
}
setAttribute(Constants.COOKIE_SECURE_ATTR, Boolean.toString(secure));
}
@Override
public void setAttribute(String name, String value) {
if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
throw new IllegalStateException(
sm.getString("applicationSessionCookieConfig.ise", name, context.getPath()));
}
attributes.put(name, value);
}
@Override
public String getAttribute(String name) {
return attributes.get(name);
}
@Override
public Map<String,String> getAttributes() {
return Collections.unmodifiableMap(attributes);
}
/**
* Creates a new session cookie for the given session ID
*
* @param context The Context for the web application
* @param sessionId The ID of the session for which the cookie will be created
* @param secure Should session cookie be configured as secure
*
* @return the cookie for the session
*/
public static Cookie createSessionCookie(Context context, String sessionId, boolean secure) {
SessionCookieConfig scc = context.getServletContext().getSessionCookieConfig();
// NOTE: The priority order for session cookie configuration is:
// 1. Context level configuration
// 2. Values from SessionCookieConfig
// 3. Defaults
Cookie cookie = new Cookie(SessionConfig.getSessionCookieName(context), sessionId);
// Just apply the defaults.
cookie.setMaxAge(scc.getMaxAge());
if (context.getSessionCookieDomain() == null) {
// Avoid possible NPE
if (scc.getDomain() != null) {
cookie.setDomain(scc.getDomain());
}
} else {
cookie.setDomain(context.getSessionCookieDomain());
}
// Always set secure if the request is secure
if (scc.isSecure() || secure) {
cookie.setSecure(true);
}
// Always set httpOnly if the context is configured for that
if (scc.isHttpOnly() || context.getUseHttpOnly()) {
cookie.setHttpOnly(true);
}
cookie.setAttribute(Constants.COOKIE_PARTITIONED_ATTR,
Boolean.toString(context.getUsePartitioned()));
cookie.setPath(SessionConfig.getSessionCookiePath(context));
// Other attributes
for (Map.Entry<String,String> attribute : scc.getAttributes().entrySet()) {
switch (attribute.getKey()) {
case Constants.COOKIE_COMMENT_ATTR:
case Constants.COOKIE_DOMAIN_ATTR:
case Constants.COOKIE_MAX_AGE_ATTR:
case Constants.COOKIE_PATH_ATTR:
case Constants.COOKIE_SECURE_ATTR:
case Constants.COOKIE_HTTP_ONLY_ATTR:
// Handled above so NO-OP
break;
default: {
cookie.setAttribute(attribute.getKey(), attribute.getValue());
}
}
}
return cookie;
}
}