
/*************************************************************************
 *
 * ADOBE CONFIDENTIAL
 * __________________
 *
 *  Copyright 2011 Adobe Systems Incorporated
 *  All Rights Reserved.
 *
 * NOTICE:  All information contained herein is, and remains
 * the property of Adobe Systems Incorporated and its suppliers,
 * if any.  The intellectual and technical concepts contained
 * herein are proprietary to Adobe Systems Incorporated and its
 * suppliers and are protected by trade secret or copyright law.
 * Dissemination of this information or reproduction of this material
 * is strictly forbidden unless prior written permission is obtained
 * from Adobe Systems Incorporated.
 **************************************************************************/
package com.adobe.cq.commerce.common;

import java.util.List;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * The CookieUtil helps in working with cookies on request/response objects.
 */
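public class CookieUtil {

    private static final String HTTP_HEADER_SET_COOKIE = "Set-Cookie";
    private static final String URL_HOST_REGEX = "https?://([\\w\\d_\\.\\-]*)(:\\d+)?(/.*)?";

    /** Compiled once; {@link Pattern} is immutable and thread-safe, so it can be shared. */
    private static final Pattern URL_HOST_PATTERN = Pattern.compile(URL_HOST_REGEX);

    public static final String SESSION_COOKIE = "JSESSIONID";

    public static final boolean HTTP_ONLY = true;   // self-documenting value for the httpOnly parameter

    /**
     * Sets a cookie into the current response.
     * <p>
     * The {@code Set-Cookie} header is assembled by hand, so the name and value are checked for
     * characters that would let them escape the cookie-pair (CR/LF, {@code ;}, and {@code =} in the
     * name); such input is rejected instead of being written into the response.
     * @param request   The current request.
     * @param response  The current response.
     * @param name      The cookie name.
     * @param value     The cookie value.
     * @param maxAge    The expiry (in seconds from now).  Pass -1 for no expiry, 0 to remove the cookie immediately.
     * @param httpOnly  Indicates the cookie should be accessible only from the server.
     * @throws NullPointerException     if {@code request}, {@code response}, {@code name} or {@code value} is null.
     * @throws IllegalArgumentException if {@code name} or {@code value} contains a character that cannot
     *                                  be placed in a hand-built {@code Set-Cookie} header.
     */
    public static void setCookie(HttpServletRequest request, HttpServletResponse response, String name, String value,
                                 int maxAge,
                                 boolean httpOnly) {
        /*
         * The Servlet Spec 2.5 does not allow us to set the commonly used HttpOnly attribute
         * on cookies (Servlet API 3.0 does) so we create the Set-Cookie header manually.
         * See http://www.owasp.org/index.php/HttpOnly for information on the HttpOnly attribute.
         */
        Objects.requireNonNull(request, "request");
        Objects.requireNonNull(response, "response");
        final String safeName = requireSafeCookieToken(name, "name", true);
        final String safeValue = requireSafeCookieToken(value, "value", false);

        final StringBuilder header = new StringBuilder();

        header.append(safeName).append("=").append(safeValue);

        // Scope the cookie to the web application's context path, or the whole host for the root context.
        final String contextPath = request.getContextPath();
        final String cookiePath = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        header.append("; Path=").append(cookiePath);

        // A negative maxAge means "session cookie": no Max-Age attribute at all.
        if (maxAge >= 0) {
            header.append("; Max-Age=").append(maxAge);
        }

        if (httpOnly) {
            header.append("; HttpOnly");
        }

        // Always set the secure flag from an https request.
        // NOTE(review): isSecure() reflects the container's view of the connection; behind a
        // TLS-terminating proxy it may be false unless the container is configured for it — confirm.
        if (request.isSecure()) {
            header.append("; Secure");
        }

        response.addHeader(HTTP_HEADER_SET_COOKIE, header.toString());
    }

    /**
     * Rejects a cookie name or value that could break out of the cookie-pair when the
     * {@code Set-Cookie} header is assembled by hand: CR/LF would start a new header line,
     * {@code ;} a new cookie attribute, and {@code =} (for names only) would end the name early.
     * The offending text is deliberately not included in the exception message, since cookie
     * values may be sensitive.
     * @param token  The name or value to check.
     * @param what   Which part is being checked, used in error messages ("name" or "value").
     * @param isName Whether {@code token} is the cookie name (which additionally forbids {@code =}).
     * @return {@code token}, unchanged, when it is acceptable.
     * @throws NullPointerException     if {@code token} is null.
     * @throws IllegalArgumentException if {@code token} contains a forbidden character.
     */
    private static String requireSafeCookieToken(String token, String what, boolean isName) {
        Objects.requireNonNull(token, what);
        for (int i = 0; i < token.length(); i++) {
            final char c = token.charAt(i);
            if (c == '\r' || c == '\n' || c == ';' || (isName && c == '=')) {
                throw new IllegalArgumentException("Cookie " + what + " contains an illegal character at index " + i);
            }
        }
        return token;
    }

    /**
     * Extracts the host from a given URL. This utility method can be used for creating cookies to be set on requests
     * to a remote server.
     * <p>
     * Only {@code http} and {@code https} URLs are recognised; the port and path are ignored.
     * @param url   A URL; may be null.
     * @return Host part of URL or null for an invalid (or null) URL.
     */
    public static String hostFromUrl(String url) {
        if (url == null) {
            return null;
        }
        final Matcher matcher = URL_HOST_PATTERN.matcher(url);
        if (matcher.matches()) {
            return matcher.group(1);
        }
        return null;
    }

    /*
     * ==================================================================================================
     * Legacy support for Apache httpClient 3.x.
     *
     * For backwards-compatibility only.  Apache httpClient 3.x has been EOLed and contains several
     * security vulnerabilities:
     *
     * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
     * http://seclists.org/oss-sec/2013/q1/286
     *
     * The methods below are kept only so that existing callers still link; every one of them
     * throws UnsupportedOperationException unconditionally.
     * ==================================================================================================
     */

    /**
     * Decodes and returns cookies with defined session prefix.
     * @param request    The request from which to read the cookies.
     * @param prefix     A name prefix filter.
     * @param remoteHost Unused; retained for signature compatibility.
     * @return A List of cookies matching the prefix filter.
     * @throws UnsupportedOperationException always.
     *
     * @deprecated since 6.1; Apache httpClient 3.x has been EOLed and contains security vulnerabilities
     */
    @Deprecated
    public static List getSessionCookies(HttpServletRequest request, String prefix, String remoteHost) {
        throw new UnsupportedOperationException("Method is deprecated and not supported any more");
    }

    /**
     * Encodes and sets the provided cookies on the response.
     * @param response  The response to which the cookies are to be written.
     * @param prefix    A string to be prefixed to each cookie name.
     * @param cookies   The list of cookies.
     * @throws UnsupportedOperationException always.
     *
     * @deprecated since 6.1; Apache httpClient 3.x has been EOLed and contains security vulnerabilities
     */
    @Deprecated
    public static void setSessionCookies(HttpServletResponse response, String prefix, List cookies) {
        throw new UnsupportedOperationException("Method is deprecated and not supported any more");
    }

    /**
     * Checks if there are any session cookies in the HTTP method's response.
     * @param method    The executed HTTP method.
     * @return          true if response contains session cookies. false otherwise.
     * @throws UnsupportedOperationException always.
     *
     * @deprecated since 6.1; Apache httpClient 3.x has been EOLed and contains security vulnerabilities
     */
    @Deprecated
    public static boolean hasUpdatedSessionCookies(org.apache.commons.httpclient.HttpMethod method) {
        throw new UnsupportedOperationException("Method is deprecated and not supported any more");
    }

    /**
     * Checks to see if there is a session cookie in the list.
     * @param cookies   The list of cookies.
     * @return          true if cookies contains a session cookie.
     * @throws UnsupportedOperationException always.
     *
     * @deprecated since 6.1; Apache httpClient 3.x has been EOLed and contains security vulnerabilities
     */
    @Deprecated
    public static boolean hasSessionCookie(List cookies) {
        throw new UnsupportedOperationException("Method is deprecated and not supported any more");
    }
}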



