|
| 1 | +/* |
| 2 | + * CDDL HEADER START |
| 3 | + * |
| 4 | + * The contents of this file are subject to the terms of the |
| 5 | + * Common Development and Distribution License (the "License"). |
| 6 | + * You may not use this file except in compliance with the License. |
| 7 | + * |
| 8 | + * See LICENSE.txt included in this distribution for the specific |
| 9 | + * language governing permissions and limitations under the License. |
| 10 | + * |
| 11 | + * When distributing Covered Code, include this CDDL HEADER in each |
| 12 | + * file and include the License file at LICENSE.txt. |
| 13 | + * If applicable, add the following below this CDDL HEADER, with the |
| 14 | + * fields enclosed by brackets "[]" replaced with your own identifying |
| 15 | + * information: Portions Copyright [yyyy] [name of copyright owner] |
| 16 | + * |
| 17 | + * CDDL HEADER END |
| 18 | + */ |
| 19 | + |
| 20 | +/* |
| 21 | + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. |
| 22 | + */ |
| 23 | +package org.opengrok.web; |
| 24 | + |
| 25 | +import javax.servlet.Filter; |
| 26 | +import javax.servlet.FilterChain; |
| 27 | +import javax.servlet.FilterConfig; |
| 28 | +import javax.servlet.ServletException; |
| 29 | +import javax.servlet.ServletRequest; |
| 30 | +import javax.servlet.ServletResponse; |
| 31 | +import javax.servlet.http.HttpServletResponse; |
| 32 | +import javax.ws.rs.core.HttpHeaders; |
| 33 | +import java.io.IOException; |
| 34 | +import java.util.Collection; |
| 35 | +import java.util.Enumeration; |
| 36 | + |
| 37 | +/** |
| 38 | + * Makes sure that all cookies originating from the web application have the Same-site attribute set. |
| 39 | + */ |
| 40 | +public class CookieFilter implements Filter { |
| 41 | + private FilterConfig fc; |
| 42 | + |
| 43 | + @Override |
| 44 | + public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) |
| 45 | + throws IOException, ServletException { |
| 46 | + |
| 47 | + HttpServletResponse response = (HttpServletResponse) res; |
| 48 | + |
| 49 | + chain.doFilter(req, response); |
| 50 | + |
| 51 | + // Change the existing cookies to use the attributes and values from the configuration. |
| 52 | + Collection<String> headers = response.getHeaders(HttpHeaders.SET_COOKIE); |
| 53 | + boolean firstHeader = true; |
| 54 | + for (String header : headers) { // there can be multiple Set-Cookie attributes |
| 55 | + if (firstHeader) { |
| 56 | + response.setHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, getSuffix())); |
| 57 | + firstHeader = false; |
| 58 | + continue; |
| 59 | + } |
| 60 | + response.addHeader(HttpHeaders.SET_COOKIE, String.format("%s; %s", header, getSuffix())); |
| 61 | + } |
| 62 | + } |
| 63 | + |
| 64 | + private String getSuffix() { |
| 65 | + StringBuilder sb = new StringBuilder(); |
| 66 | + |
| 67 | + for (Enumeration<String> e = fc.getInitParameterNames(); e.hasMoreElements();) { |
| 68 | + String attributeName = e.nextElement(); |
| 69 | + if (sb.length() > 0) { |
| 70 | + sb.append("; "); |
| 71 | + } |
| 72 | + sb.append(attributeName); |
| 73 | + String attributeValue = fc.getInitParameter(attributeName); |
| 74 | + if (!attributeValue.isEmpty()) { |
| 75 | + sb.append("="); |
| 76 | + sb.append(attributeValue); |
| 77 | + } |
| 78 | + } |
| 79 | + return sb.toString(); |
| 80 | + } |
| 81 | + |
| 82 | + @Override |
| 83 | + public void init(FilterConfig filterConfig) { |
| 84 | + this.fc = filterConfig; |
| 85 | + } |
| 86 | + |
| 87 | + @Override |
| 88 | + public void destroy() { |
| 89 | + // pass |
| 90 | + } |
| 91 | +} |
0 commit comments