Class TokenCookie
- java.lang.Object
  - com.day.crx.security.token.TokenCookie

public class TokenCookie extends java.lang.Object

TokenCookie provides methods to read and manipulate the value of a token cookie.

The TokenCookie value is extracted from a request as follows:
- If a Cookie named NAME is present, its value is used
- If a request parameter named PARAM_NAME is present, its first value is used

The value has the following format:

value  := info ( ";" info )* .
info   := [ repoid ":" ] workspace ":" token .
repoid := CRXClusterId | RepositorySystemId | RequestPort .
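A stand-alone parser for the value grammar above, given as an added example; it is not the com.day.crx implementation. The class `TokenCookieValueParser`, its `Entry` type and the sample value are hypothetical, and it assumes fields are already URL-decoded, contain no ":" or ";", and that an info without a repoid is keyed by the empty string.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: parses the value grammar documented above. This is NOT the
// com.day.crx implementation; class and method names here are hypothetical.
public class TokenCookieValueParser {

    /** One "info" production: optional repoid, workspace, token. */
    static final class Entry {
        final String repoId, workspace, token;
        Entry(String repoId, String workspace, String token) {
            this.repoId = repoId; this.workspace = workspace; this.token = token;
        }
    }

    // Assumption: fields are already URL-decoded and contain no ':' or ';'.
    // Assumption: an info without a repoid is keyed by the empty string.
    static Map<String, Entry> parse(String value) {
        Map<String, Entry> infos = new LinkedHashMap<>();
        if (value == null || value.isEmpty()) return infos;
        for (String info : value.split(";", -1)) {
            String[] f = info.split(":", -1);   // -1 keeps empty trailing fields
            if (f.length < 2 || f.length > 3) {
                throw new IllegalArgumentException("malformed info: expected 2 or 3 fields");
            }
            String repoId = f.length == 3 ? f[0] : "";
            String workspace = f[f.length - 2];
            String token = f[f.length - 1];
            if (workspace.isEmpty() || token.isEmpty() || (f.length == 3 && repoId.isEmpty())) {
                throw new IllegalArgumentException("malformed info: empty field");
            }
            // Reject duplicates instead of silently letting a later entry win.
            if (infos.putIfAbsent(repoId, new Entry(repoId, workspace, token)) != null) {
                throw new IllegalArgumentException("duplicate repoid");
            }
        }
        return infos;
    }

    public static void main(String[] args) {
        // Constructed sample value: two repository IDs sharing one cookie.
        Map<String, Entry> infos = parse("4502:crx.default:tokA;4503:crx.default:tokB");
        for (Entry e : infos.values()) {
            // Print only the token length so the credential never reaches logs.
            System.out.println(e.repoId + " -> " + e.workspace + " (token length " + e.token.length() + ")");
        }
    }
}
```

The error messages deliberately omit the offending input, since a rejected value may still contain a valid token for another repository ID.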
Nested Class Summary
Nested Classes
Modifier and Type | Class | Description
static class | TokenCookie.Info | holds a token / workspace pair

Field Summary
Fields
Modifier and Type | Field | Description
static java.lang.String | ATTR_NAME | name of the request attribute
static java.lang.String | NAME | Name of the cookie that provides the login token.
static java.lang.String | PARAM_NAME | Name of the request header optionally providing the token cookie value instead of the HTTP Cookie.
static java.lang.String | SAMESITE_ATTR_LAX | The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations.
static java.lang.String | SAMESITE_ATTR_NONE | The value indicating that the cookie will be sent with same-site and cross-site requests.
static java.lang.String | SAMESITE_ATTR_PARTITIONED | The value indicating that the cookie will be sent with same-site and cross-site requests, partitioned.
static java.lang.String | SAMESITE_ATTR_STRICT | The value indicating that the cookie will only be sent along with "same-site" requests.

Constructor Summary
Constructors
Constructor | Description
TokenCookie() |

Method Summary
Modifier and Type | Method | Description
static TokenCookie | fromRequest(javax.servlet.http.HttpServletRequest request) | Returns the cookie from the request.
static TokenCookie | fromString(java.lang.String value) | Decodes a token cookie value.
static java.lang.String | getCookie(javax.servlet.http.HttpServletRequest request, java.lang.String name) | Retrieves the cookie with the given name from the request.
java.util.Map<java.lang.String,TokenCookie.Info> | getInfos() |
static java.lang.String | getPort(javax.servlet.http.HttpServletRequest request) | Returns the port from the host header.
static TokenCookie.Info | getTokenInfo(javax.servlet.http.HttpServletRequest request) | Deprecated. Use getTokenInfo(HttpServletRequest, String) instead.
static TokenCookie.Info | getTokenInfo(javax.servlet.http.HttpServletRequest request, java.lang.String repoId) | Returns the TokenCookie.Info from the request for the given repository ID.
boolean | remove(java.lang.String repoId) | Removes the info with the specified repository ID.
static void | setCookie(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path) | Deprecated.
static void | setCookie(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure) | Sets a cookie to the response.
static void | setCookie(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure, java.lang.String sameSiteCookieAttribute) | Sets a cookie to the response.
java.lang.String | toString() | Returns the string representation of this token cookie.
static void | update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String token, java.lang.String wsp) | Deprecated.
static void | update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly) | Updates the token cookie and sets the response cookie accordingly.
static void | update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly, java.lang.String sameSiteCookieAttribute) | Updates the token cookie and sets the response cookie accordingly.

Field Detail

NAME
public static final java.lang.String NAME
Name of the cookie that provides the login token.
See Also:
- Constant Field Values

SAMESITE_ATTR_STRICT
public static final java.lang.String SAMESITE_ATTR_STRICT
The value indicating that the cookie will only be sent along with "same-site" requests.
See Also:
- Constant Field Values

SAMESITE_ATTR_LAX
public static final java.lang.String SAMESITE_ATTR_LAX
The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations.
See Also:
- Constant Field Values

SAMESITE_ATTR_NONE
public static final java.lang.String SAMESITE_ATTR_NONE
The value indicating that the cookie will be sent with same-site and cross-site requests.
See Also:
- Constant Field Values

SAMESITE_ATTR_PARTITIONED
public static final java.lang.String SAMESITE_ATTR_PARTITIONED
The value indicating that the cookie will be sent with same-site and cross-site requests, partitioned.
See Also:
- Constant Field Values

PARAM_NAME
public static final java.lang.String PARAM_NAME
Name of the request header optionally providing the token cookie value instead of the HTTP Cookie.
Since:
- 1.0.2 (Bundle version 2.2.0.2)
See Also:
- Constant Field Values

ATTR_NAME
public static final java.lang.String ATTR_NAME
Name of the request attribute.

Method Detail

getInfos
public java.util.Map<java.lang.String,TokenCookie.Info> getInfos()

fromRequest
public static TokenCookie fromRequest(javax.servlet.http.HttpServletRequest request)
Returns the cookie from the request. First checks whether the decoded cookie is already present as a request attribute and reads it from the request cookies if needed.
Parameters:
- request - servlet request
Returns:
- a token cookie.

getTokenInfo
@Deprecated public static TokenCookie.Info getTokenInfo(javax.servlet.http.HttpServletRequest request)
Deprecated. Use getTokenInfo(HttpServletRequest, String) instead.
Returns the token info for the given request, respecting the port specified in the host header.
This implementation calls the getTokenInfo(HttpServletRequest, String) method using the request port as returned from getPort(HttpServletRequest) as the repository ID.
Parameters:
- request - the request
Returns:
- the info or TokenCookie.Info.INVALID

getTokenInfo
public static TokenCookie.Info getTokenInfo(javax.servlet.http.HttpServletRequest request, java.lang.String repoId)
Returns the TokenCookie.Info from the request for the given repository ID.
Parameters:
- request - The request to extract the TokenCookie.Info from
- repoId - The repository ID identifying the actual TokenCookie.Info instance from the TokenCookie. This must not be null.
Returns:
- the info or TokenCookie.Info.INVALID if no TokenCookie.Info is available for the given repository ID

getPort
public static java.lang.String getPort(javax.servlet.http.HttpServletRequest request)
Returns the port from the host header.
Parameters:
- request - request
Returns:
- the port.

update
@Deprecated public static void update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String token, java.lang.String wsp)
Deprecated.
Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.
This implementation calls update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) with the repository ID set to the request's port as returned from getPort(HttpServletRequest) and without setting the HttpOnly cookie flag.
Parameters:
- request - servlet request
- response - servlet response
- token - token
- wsp - workspace

update
public static void update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly)
Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.
This implementation calls update(HttpServletRequest, HttpServletResponse, String, String, String, boolean, String) with the sameSiteCookieAttribute set to the configured value of token.samesite.cookie.attr.
Parameters:
- request - The request object providing the original token Cookie to be updated by this method.
- response - The response object used to set the cookie on.
- repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
- token - The actual token, or null to remove the TokenCookie.Info for the repository ID from the cookie.
- wsp - The workspace which the token is mainly used to access. Ignored if token is null.
- isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility reasons to allow old use cases to still make the cookie visible to client side JavaScript.

update
public static void update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly, java.lang.String sameSiteCookieAttribute)
Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.
Parameters:
- request - The request object providing the original token Cookie to be updated by this method.
- response - The response object used to set the cookie on.
- repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
- token - The actual token, or null to remove the TokenCookie.Info for the repository ID from the cookie.
- wsp - The workspace which the token is mainly used to access. Ignored if token is null.
- isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility reasons to allow old use cases to still make the cookie visible to client side JavaScript.
- sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE.

fromString
public static TokenCookie fromString(java.lang.String value)
Decodes a token cookie value.
This is the reverse operation to the toString() method.
Parameters:
- value - cookie value
Returns:
- a token cookie

remove
public boolean remove(java.lang.String repoId)
Removes the info with the specified repository ID.
Parameters:
- repoId - The repository ID whose TokenCookie.Info has to be removed
Returns:
- true if a TokenCookie.Info object for the repository ID existed and is now removed.

toString
public java.lang.String toString()
Returns the string representation of this token cookie. The value returned by this method can be decoded with the fromString(String) method.
Overrides:
- toString in class java.lang.Object
Returns:
- the string

getCookie
public static java.lang.String getCookie(javax.servlet.http.HttpServletRequest request, java.lang.String name)
Retrieves the cookie with the given name from the request.
Parameters:
- request - servlet request
- name - the name
Returns:
- the cookie value or null if no cookie with the given name exists whose value is not empty.

setCookie
@Deprecated public static void setCookie(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path)
Deprecated.
Sets a cookie to the response.
Parameters:
- response - response
- name - cookie name
- value - value
- maxAge - maxAge
- path - path

setCookie
public static void setCookie(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure)
Sets a cookie to the response.
This implementation calls setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean, String) with the sameSiteCookieAttribute set to the configured value of token.samesite.cookie.attr.
Parameters:
- response - response
- name - cookie name
- value - value
- maxAge - maxAge
- path - path
- domain - The cookie domain, or null to not set an explicit domain on the cookie.
- isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.
- isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.

setCookie
public static void setCookie(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure, java.lang.String sameSiteCookieAttribute)
Sets a cookie to the response.
Parameters:
- response - response
- name - cookie name
- value - value
- maxAge - maxAge
- path - path
- domain - The cookie domain, or null to not set an explicit domain on the cookie.
- isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.
- isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.
- sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE, or null to not set an explicit value for the SameSite attribute.