Usage examples for javax.servlet.http.Cookie#setHttpOnly(boolean). The HttpOnly flag stops page scripts from reading the cookie; it does not by itself make the cookie Secure (HTTPS-only), so the two are set independently in the examples below.
public void setHttpOnly(boolean isHttpOnly)
From source file:gr.abiss.calipso.userDetails.util.SecurityUtil.java
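/**
 * Writes a cookie to the response.
 *
 * <p>A blank {@code cookieValue} marks the cookie for deletion: it is sent with
 * max-age 0 so the client discards it. That is only permitted when
 * {@code allowClear} is true; otherwise an exception is thrown so that a caller
 * cannot accidentally wipe a cookie by passing an empty value.
 *
 * <p>Domain, path, Secure and HttpOnly all come from {@code userDetailsConfig}.
 * The domain is deliberately NOT derived from request headers such as
 * {@code X-Forwarded-Host} or the local host name: those are client/proxy
 * controlled unless a trusted proxy is guaranteed to overwrite them, and a
 * wrong domain would scope the cookie to a host the sender chooses.
 *
 * @param request           the current request (not used; kept for API compatibility)
 * @param response          the response the cookie is added to
 * @param cookieName        cookie name
 * @param cookieValue       cookie value; blank means "delete this cookie"
 * @param allowClear        whether a blank value may delete the cookie
 * @param userDetailsConfig source of the domain/path/secure/http-only settings
 * @throws IllegalArgumentException if the value is blank and {@code allowClear} is false
 *         (a RuntimeException subclass, so existing callers are unaffected)
 */
private static void addCookie(HttpServletRequest request, HttpServletResponse response, String cookieName,
        String cookieValue, boolean allowClear, UserDetailsConfig userDetailsConfig) {
    final boolean clearing = StringUtils.isBlank(cookieValue);
    if (clearing && !allowClear) {
        throw new IllegalArgumentException(
                "Was given a blank cookie value but allowClear is false for cookie name: " + cookieName);
    }
    if (LOGGER.isDebugEnabled()) {
        // Never log the cookie value: for session/auth cookies it is a credential,
        // and debug logs routinely end up in less protected systems.
        LOGGER.debug("addCookie, cookieName: " + cookieName + ", clearing: " + clearing
                + ", domain: " + userDetailsConfig.getCookiesDomain()
                + ", secure: " + userDetailsConfig.isCookiesSecure()
                + ", http-only: " + userDetailsConfig.isCookiesHttpOnly()
                + ", path: " + userDetailsConfig.getCookiesContextPath());
    }

    Cookie cookie = new Cookie(cookieName, cookieValue);

    // Domain is taken only from configuration (leading dot: legacy domain-cookie form).
    if (StringUtils.isNotBlank(userDetailsConfig.getCookiesDomain())) {
        cookie.setDomain('.' + userDetailsConfig.getCookiesDomain());
    }
    // Path likewise; when blank the container default applies.
    if (StringUtils.isNotBlank(userDetailsConfig.getCookiesContextPath())) {
        cookie.setPath(userDetailsConfig.getCookiesContextPath());
    }
    // Both flags are configuration driven. With secure=false the cookie is also
    // sent over plaintext HTTP, so production configuration should enable both.
    cookie.setSecure(userDetailsConfig.isCookiesSecure());
    cookie.setHttpOnly(userDetailsConfig.isCookiesHttpOnly());

    if (clearing) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("addCookie, setting max-age to 0 to clear cookie: " + cookieName);
        }
        cookie.setMaxAge(0);
    }
    response.addCookie(cookie);
}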
From source file:org.sonar.server.authentication.CsrfVerifier.java
/**
 * Creates a fresh anti-forgery state token for the authentication flow.
 *
 * <p>The raw token is returned to the caller while only its SHA-256 hex digest
 * is stored in a cookie on the client. The cookie is HttpOnly (not readable by
 * scripts), scoped to the whole site, session-scoped (max-age -1) and marked
 * Secure only when the server reports that it is running over TLS.
 *
 * @param response the response the state cookie is added to
 * @return the raw, un-hashed state token
 */
public String generateState(HttpServletResponse response) {
    // 130 random bits rendered in base 32: up to 26 unguessable characters.
    SecureRandom rng = new SecureRandom();
    String stateToken = new BigInteger(130, rng).toString(32);

    Cookie stateCookie = new Cookie(CSRF_STATE_COOKIE, sha256Hex(stateToken));
    stateCookie.setPath("/");
    stateCookie.setHttpOnly(true);
    stateCookie.setSecure(server.isSecured());
    stateCookie.setMaxAge(-1); // browser-session cookie
    response.addCookie(stateCookie);

    return stateToken;
}
From source file:io.mapzone.controller.vm.http.LoginProvision.java
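/**
 * Registers a freshly authenticated user and hands the client a login cookie.
 *
 * <p>A random 8-byte (64-bit) token is generated, mapped to {@code userId} in
 * {@code loggedIn}, and sent as the value of the {@code COOKIE_NAME} cookie.
 * The token is the session credential, so the cookie is HttpOnly.
 * NOTE(review): 64 bits is the floor for a session identifier (16 bytes is the
 * usual choice), and {@code rand} must be a {@code SecureRandom} (its type is
 * not visible here — confirm) for the token to be unguessable.
 *
 * <p>A collision with an already registered token is retried a bounded number
 * of times rather than failing the login on the first hit; the bound keeps a
 * broken RNG from spinning forever.
 *
 * @param userId   the authenticated user's id
 * @param response the response the cookie is added to
 * @throws IllegalStateException if no unused token could be produced
 */
protected void registerUser(String userId, @SuppressWarnings("hiding") HttpServletResponse response) {
    final int maxAttempts = 5;
    String token = null;
    for (int attempt = 0; attempt < maxAttempts; attempt++) {
        byte[] bytes = new byte[8];
        rand.nextBytes(bytes);
        String candidate = Base64.encodeBase64URLSafeString(bytes);
        // FIXME Leak: entries are never removed (allow just one cookie/session per user?)
        if (loggedIn.putIfAbsent(candidate, userId) == null) {
            token = candidate;
            break;
        }
    }
    if (token == null) {
        // Do not include any candidate token in the message: it may be live for another user.
        throw new IllegalStateException(
                "Could not allocate an unused login token after " + maxAttempts + " attempts");
    }

    Cookie newCookie = new Cookie(COOKIE_NAME, token);
    newCookie.setHttpOnly(true);
    newCookie.setPath(COOKIE_PATH);
    // XXX secure=false: the token also travels over plaintext HTTP. This must be
    // true wherever the service is reachable over TLS.
    newCookie.setSecure(false);
    newCookie.setMaxAge(COOKIE_MAX_AGE);
    response.addCookie(newCookie);
}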
From source file:org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.java
/**
 * Sends the common-auth cookie carrying the given id.
 *
 * <p>The cookie is always Secure (never sent over plaintext HTTP) and HttpOnly
 * (not readable by page scripts). When {@code age} is given it is interpreted
 * as minutes and converted to the seconds {@link Cookie#setMaxAge(int)} expects;
 * when it is null no max-age is set and the cookie lives for the browser
 * session. No path is set, so the container's default path applies.
 *
 * @param req  the current request (not used)
 * @param resp the response the cookie is added to
 * @param id   the cookie value
 * @param age  lifetime in minutes, or null for a browser-session cookie
 */
public static void storeAuthCookie(HttpServletRequest req, HttpServletResponse resp, String id, Integer age) {
    Cookie authCookie = new Cookie(FrameworkConstants.COMMONAUTH_COOKIE, id);
    authCookie.setSecure(true);
    authCookie.setHttpOnly(true);

    boolean hasExplicitAge = age != null;
    if (hasExplicitAge) {
        int maxAgeSeconds = age * 60;
        authCookie.setMaxAge(maxAgeSeconds);
    }
    resp.addCookie(authCookie);
}
From source file:org.ohmage.request.auth.AuthTokenLogoutRequest.java
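/**
 * Handles a logout: expires the caller's auth token server-side, tells the
 * client to drop its auth-token cookie, and answers with an empty success
 * envelope (metadata and data both JSON null).
 *
 * <p>The deletion cookie carries an EMPTY value. Previously the live token was
 * sent back as the value of the max-age-0 cookie; browsers delete by name and
 * path regardless of value, so echoing the secret only exposed it to anything
 * that records response headers. HttpOnly is left off as before — deletion does
 * not depend on that flag, and it presumably mirrors how the token cookie is
 * issued (confirm against the login path).
 *
 * @param httpRequest  the logout request
 * @param httpResponse the response to write
 */
@Override
public void respond(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    LOGGER.info("Responding to the logout request.");

    if (getUser() != null) {
        final String token = getUser().getToken();
        if (token != null) {
            // Same name and path as the issued cookie, empty value, expire now.
            Cookie clearCookie = new Cookie(InputKeys.AUTH_TOKEN, "");
            clearCookie.setHttpOnly(false);
            clearCookie.setMaxAge(0);
            clearCookie.setPath("/");
            httpResponse.addCookie(clearCookie);
        }
        // Server-side expiry is what actually ends the session; the cookie
        // removal above is only a courtesy to well-behaved clients.
        UserBin.expireUser(token);
    }

    JSONObject responseBody = new JSONObject();
    try {
        responseBody.put(JSON_KEY_METADATA, JSONObject.NULL);
        responseBody.put(JSON_KEY_DATA, JSONObject.NULL);
    } catch (JSONException e) {
        LOGGER.error("There was an error building the response.", e);
        setFailed();
    }
    super.respond(httpRequest, httpResponse, responseBody);
}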
From source file:fr.gael.dhus.spring.security.handler.LoginSuccessHandler.java
/**
 * On successful login, issues the authentication cookies and binds the security
 * context to the "integrity" value.
 *
 * <p>Two browser-session cookies (max-age -1, path "/", HttpOnly) are sent: the
 * authentication cookie, whose value is the MD5 hex of the user name, and the
 * integrity cookie, whose value is the SHA-1 hex of that MD5 concatenated with
 * the authentication's validity string. The integrity value is also stored in
 * the HTTP session and used as the key under which the security context is
 * saved. Any failure is logged as a warning and no cookie is generated.
 *
 * <p>NOTE(review): both values are plain, unkeyed digests of the user name and
 * the validity string. Unless the validity string is secret and unguessable
 * (not visible here — confirm), anyone who knows a user name can compute both
 * cookies. Neither cookie is marked Secure.
 *
 * @param request        the login request
 * @param response       the response the cookies are added to
 * @param authentication the successful authentication (expected to be a ValidityAuthentication)
 */
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) {
    String name = authentication.getName();
    try {
        ValidityAuthentication validityAuth = (ValidityAuthentication) authentication;

        // The cookie never carries the raw user name, only its MD5 hex digest.
        name = EncryptPassword.encrypt(name, PasswordEncryption.MD5);
        Cookie authCookie = newSessionCookie(CookieKey.AUTHENTICATION_COOKIE_NAME, name);

        // Integrity value: SHA-1 over (hashed name || validity). It doubles as the
        // session attribute and as the security-context key below.
        String validity = validityAuth.getValidity();
        String integrity = EncryptPassword.encrypt(name + validity, PasswordEncryption.SHA1);
        Cookie integrityCookie = newSessionCookie(CookieKey.INTEGRITY_COOKIE_NAME, integrity);

        response.addCookie(authCookie);
        response.addCookie(integrityCookie);

        request.getSession().setAttribute("integrity", integrity);
        SecurityContextProvider.saveSecurityContext(integrity, SecurityContextHolder.getContext());
    } catch (Exception e) {
        LOGGER.warn("Authentication process failed ! No cookie was generated", e);
    }
}

/** Builds a site-wide, HttpOnly, browser-session cookie with the given name and value. */
private static Cookie newSessionCookie(String cookieName, String value) {
    Cookie cookie = new Cookie(cookieName, value);
    cookie.setPath("/");
    cookie.setHttpOnly(true);
    cookie.setMaxAge(-1);
    return cookie;
}
From source file:net.prasenjit.auth.config.CustomAjaxAwareHandler.java
/**
 * Access-denied handler that, for CSRF failures, also clears the client's
 * {@code CSRF-TOKEN} cookie before delegating.
 *
 * <p>The status code and exception are exposed as request attributes so the
 * framework's default error attributes can render a 403. When the denial is a
 * {@link CsrfException} and the response is still open, a max-age-0 cookie
 * named {@code CSRF-TOKEN} with an empty value is sent for path "/" so the
 * client discards its stale token and obtains a new one. The deletion cookie
 * is deliberately NOT HttpOnly: the token cookie is presumably read by page
 * scripts (double-submit style — confirm), so it is cleared on the same terms.
 * Handling then continues with the delegate.
 *
 * @param request               the denied request
 * @param response              the response being produced
 * @param accessDeniedException the reason for the denial
 * @throws IOException      from the delegate
 * @throws ServletException from the delegate
 */
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
        AccessDeniedException accessDeniedException) throws IOException, ServletException {
    request.setAttribute("javax.servlet.error.status_code", HttpServletResponse.SC_FORBIDDEN);
    request.setAttribute("org.springframework.boot.autoconfigure.web.DefaultErrorAttributes.ERROR",
            accessDeniedException);

    boolean csrfFailure = accessDeniedException instanceof CsrfException;
    if (csrfFailure && !response.isCommitted()) {
        // Tell the client its CSRF token is no longer valid: expire the cookie now.
        Cookie expiredToken = new Cookie("CSRF-TOKEN", "");
        expiredToken.setPath("/");
        expiredToken.setHttpOnly(false);
        expiredToken.setMaxAge(0);
        response.addCookie(expiredToken);
    }

    delegatedAccessDeniedHandler.handle(request, response, accessDeniedException);
}
From source file:de.sainth.recipe.backend.security.AuthFilter.java
/**
 * Builds the authentication cookie for a logged-in user.
 *
 * <p>The value is a compact HS256-signed JWT whose subject is the principal and
 * whose {@code TOKEN_ROLE} claim is the first granted authority; it is issued
 * now and expires in 30 minutes. The cookie's max-age is the same 30 minutes so
 * the browser drops it when the token stops being valid. HttpOnly is always on;
 * Secure follows the {@code secure} flag. No path is set, so the container's
 * default path applies.
 *
 * @param authentication the authenticated token to encode
 * @param secure         whether the cookie should be restricted to HTTPS
 * @return the populated (but not yet added) cookie
 */
private Cookie createCookie(RecipeManagerAuthenticationToken authentication, boolean secure) {
    // Keep the JWT expiry and the cookie lifetime in lock-step.
    final int ttlMinutes = 30;
    String subject = authentication.getPrincipal().toString();
    Date expiresAt = Date.from(
            LocalDateTime.now().plusMinutes(ttlMinutes).atZone(ZoneId.systemDefault()).toInstant());
    String role = authentication.getAuthorities().get(0).getAuthority();

    String jwt = Jwts.builder()
            .setSubject(subject)
            .setExpiration(expiresAt)
            .claim(TOKEN_ROLE, role)
            .setIssuedAt(new Date())
            .signWith(SignatureAlgorithm.HS256, key)
            .compact();

    Cookie authCookie = new Cookie(COOKIE_NAME, jwt);
    authCookie.setHttpOnly(true);
    authCookie.setSecure(secure);
    authCookie.setMaxAge(ttlMinutes * 60);
    return authCookie;
}
From source file:es.logongas.ix3.web.security.impl.WebSessionSidStorageImplAbstractJws.java
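/**
 * Removes the session id cookie from the client.
 *
 * <p>Sends a cookie with the same name and path as the one {@code setSid}
 * issues, with an empty value AND max-age 0. The max-age is the fix: without
 * it the previous version merely overwrote the cookie with an empty
 * browser-session cookie, which is not a deletion and left an empty-valued
 * cookie being sent on every later request. Name and path must match the
 * issued cookie or the browser treats this as an unrelated cookie.
 *
 * <p>HttpOnly is off here, mirroring how the cookie is issued. NOTE(review):
 * that makes the session token readable by page scripts — confirm a
 * client-side consumer really needs it.
 *
 * @param httpServletRequest  provides the context path the cookie is scoped to
 * @param httpServletResponse the response the deletion cookie is added to
 */
@Override
public void deleteSid(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    Cookie cookie = new Cookie(jwsCookieName, "");
    cookie.setHttpOnly(false);
    cookie.setPath(httpServletRequest.getContextPath() + "/");
    cookie.setMaxAge(0); // expire immediately: an empty value alone does not delete the cookie
    httpServletResponse.addCookie(cookie);
}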
From source file:es.logongas.ix3.web.security.impl.WebSessionSidStorageImplAbstractJws.java
/**
 * Stores the session id on the client as a signed (JWS compact serialization)
 * cookie.
 *
 * <p>The sid is serialized, signed with the secret key {@code getSecretKey(sid)}
 * returns, and sent as the {@code jwsCookieName} cookie scoped to the
 * application's context path. No max-age is set (browser-session cookie) and
 * Secure is not set, so the cookie also travels over plain HTTP. HttpOnly is
 * explicitly off, i.e. page scripts can read the token — presumably a
 * client-side consumer needs it; confirm, since it exposes the session token
 * to any script injection.
 *
 * @param httpServletRequest  provides the context path the cookie is scoped to
 * @param httpServletResponse the response the cookie is added to
 * @param sid                 the session id to store
 */
@Override
public void setSid(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
        Serializable sid) {
    String compactJws = jws.getJwsCompactSerialization(serialize(sid), getSecretKey(sid));
    String cookiePath = httpServletRequest.getContextPath() + "/";

    Cookie sidCookie = new Cookie(jwsCookieName, compactJws);
    sidCookie.setHttpOnly(false);
    sidCookie.setPath(cookiePath);
    httpServletResponse.addCookie(sidCookie);
}