com.day.crx.security.token

Class TokenCookie

java.lang.Object

com.day.crx.security.token.TokenCookie

public class TokenCookie
extends java.lang.Object

TokenCookie provides methods to read and manipulate the value of a token cookie.

The TokenCookie value is extracted from a request as follows:

1. If a Cookie named NAME is present, its value is used
2. If a request parameter named PARAM_NAME is present, its first value is used

The value has the following format:

 value  := info ( ";" info )* .
 info   := [ repoid ":" ] workspace ":" token .
 repoid := CRXClusterId | RepositorySystemId | RequestPort .
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	TokenCookie.Info holds a token / workspace pair

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	ATTR_NAME name of the request attribute
static java.lang.String	NAME Name of the cookie that provides the login token.
static java.lang.String	PARAM_NAME Name of the request header optionally providing the token cookie value instead of the HTTP Cookie.
static java.lang.String	SAMESITE_ATTR_LAX The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations.
static java.lang.String	SAMESITE_ATTR_NONE The value indicating that the cookie will be sent with same-site and cross-site requests.
static java.lang.String	SAMESITE_ATTR_STRICT The value indicating that the cookie will only be sent along with "same-site" requests.

Constructor Summary

Constructors

Constructor and Description
TokenCookie()

Method Summary

Modifier and Type	Method and Description
static TokenCookie	fromRequest(HttpServletRequest request) Returns the cookie from the request.
static TokenCookie	fromString(java.lang.String value) Decodes a token cookie value.
static java.lang.String	getCookie(HttpServletRequest request, java.lang.String name) Retrieves the cookie with the given name from the request
java.util.Map<java.lang.String,TokenCookie.Info>	getInfos()
static java.lang.String	getPort(HttpServletRequest request) Returns the port form the host header.
static TokenCookie.Info	getTokenInfo(HttpServletRequest request) Deprecated. use getTokenInfo(HttpServletRequest, String) instead
static TokenCookie.Info	getTokenInfo(HttpServletRequest request, java.lang.String repoId) Returns the TokenCookie.Info from the request for the given repository ID.
boolean	remove(java.lang.String repoId) Removes the info with the specified repository ID
static void	setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path) Deprecated. use setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean) instead
static void	setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure) Sets a cookie to the response
static void	setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure, java.lang.String sameSiteCookieAttribute) Sets a cookie to the response
java.lang.String	toString() Returns the string representation of this token cookie.
static void	update(HttpServletRequest request, HttpServletResponse response, java.lang.String token, java.lang.String wsp) Deprecated. use update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) instead
static void	update(HttpServletRequest request, HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly) Updates the token cookie and sets the response cookie accordingly.
static void	update(HttpServletRequest request, HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly, java.lang.String sameSiteCookieAttribute) Updates the token cookie and sets the response cookie accordingly.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

NAME

public static final java.lang.String NAME

Name of the cookie that provides the login token.

See Also:

Constant Field Values

SAMESITE_ATTR_STRICT

public static final java.lang.String SAMESITE_ATTR_STRICT

The value indicating that the cookie will only be sent along with "same-site" requests.

See Also:

Constant Field Values

SAMESITE_ATTR_LAX

public static final java.lang.String SAMESITE_ATTR_LAX

The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations.

See Also:

Constant Field Values

SAMESITE_ATTR_NONE

public static final java.lang.String SAMESITE_ATTR_NONE

The value indicating that the cookie will be sent with same-site and cross-site requests.

See Also:

Constant Field Values

PARAM_NAME

public static final java.lang.String PARAM_NAME

Name of the request header optionally providing the token cookie value instead of the HTTP Cookie.

Since:

1.0.2 (Bundle version 2.2.0.2)

See Also:

Constant Field Values

ATTR_NAME

public static final java.lang.String ATTR_NAME

name of the request attribute

Constructor Detail

TokenCookie

public TokenCookie()

Method Detail

getInfos

public java.util.Map<java.lang.String,TokenCookie.Info> getInfos()

fromRequest

public static TokenCookie fromRequest(HttpServletRequest request)

Returns the cookie from the request. First checks if decoded cookie is already present as request attribute and reads if from the request cookies if needed.

Parameters:

request - servlet request

Returns:

a token cookie.

getTokenInfo

@Deprecated
public static TokenCookie.Info getTokenInfo(HttpServletRequest request)

Deprecated. use getTokenInfo(HttpServletRequest, String) instead

Returns the token info for the given request, respecting the port specified in the host header.

This implementation calls the getTokenInfo(HttpServletRequest, String) method using the request port as returned from getPort(HttpServletRequest) as the repository ID.

Parameters:

request - the request

Returns:

the info or TokenCookie.Info.INVALID

getTokenInfo

public static TokenCookie.Info getTokenInfo(HttpServletRequest request,
                                            java.lang.String repoId)

Returns the TokenCookie.Info from the request for the given repository ID.

Parameters:

request - The request to extract the TokenCookie.Info from

repoId - The repository ID identifying the actual TokenCookie.Info instance from the TokenCookie. This must not be null.

Returns:

the info or TokenCookie.Info.INVALID if no TokenCookie.Info is available for the given repository ID

getPort

public static java.lang.String getPort(HttpServletRequest request)

Returns the port form the host header.

Parameters:

request - request

Returns:

the port.

update

@Deprecated
public static void update(HttpServletRequest request,
                                      HttpServletResponse response,
                                      java.lang.String token,
                                      java.lang.String wsp)

Deprecated. use update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) instead

Updates the token cookie and sets the response cookie accordingly. if token is null, the token information is removed.

This implementation calls the update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) with the repository ID set to the request's port as returned from #getport and not setting the HttpOnly cookie flag.

Parameters:

request - servlet request

response - servlet response

token - token

wsp - workspace

update

public static void update(HttpServletRequest request,
                          HttpServletResponse response,
                          java.lang.String repoId,
                          java.lang.String token,
                          java.lang.String wsp,
                          boolean isHttpOnly)

Updates the token cookie and sets the response cookie accordingly. if token is null, the token information is removed.

This implementation calls the update(HttpServletRequest, HttpServletResponse, String, String, String, boolean, String) with the sameSiteCookieAttribute set as the configuration token.samesite.cookie.attr

Parameters:

request - The request object providing the original token Cookie to be updated by this method.

response - The response object used to set the cookie on

repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.

token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.

wsp - The workspace which the token is mainly used to access. Ignored if token is null.

isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true . The parameter mainly exists for backwards compatibility reasons to allow old use cases to still make the cookie visible to client side JavaScript.

update

public static void update(HttpServletRequest request,
                          HttpServletResponse response,
                          java.lang.String repoId,
                          java.lang.String token,
                          java.lang.String wsp,
                          boolean isHttpOnly,
                          java.lang.String sameSiteCookieAttribute)

Updates the token cookie and sets the response cookie accordingly. if token is null, the token information is removed.

Parameters:

request - The request object providing the original token Cookie to be updated by this method.

response - The response object used to set the cookie on

repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.

token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.

wsp - The workspace which the token is mainly used to access. Ignored if token is null.

isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true . The parameter mainly exists for backwards compatibility reasons to allow old use cases to still make the cookie visible to client side JavaScript.

sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE.

fromString

public static TokenCookie fromString(java.lang.String value)

Decodes a token cookie value.

This is the reverse operation to the toString() method.

Parameters:

value - cookie value

Returns:

a token cookie

remove

public boolean remove(java.lang.String repoId)

Removes the info with the specified repository ID

Parameters:

repoId - The repository ID whose TokenCookie.Info has to be removed

Returns:

true if an TokenCookie.Info object for the repository ID existed and is now removed.

toString

public java.lang.String toString()

Returns the string representation of this token cookie. The value returned by this method can be decoded with the fromString(String) method.

Overrides:

toString in class java.lang.Object

Returns:

the string

getCookie

public static java.lang.String getCookie(HttpServletRequest request,
                                         java.lang.String name)

Retrieves the cookie with the given name from the request

Parameters:

request - servlet request

name - the name

Returns:

the cookie value or null if no cookie with the given name exists whose value is not empty.

setCookie

@Deprecated
public static void setCookie(HttpServletResponse response,
                                         java.lang.String name,
                                         java.lang.String value,
                                         int maxAge,
                                         java.lang.String path)

Deprecated. use setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean) instead

Sets a cookie to the response

Parameters:

response - response

name - cookie name

value - value

maxAge - maxAge

path - path

setCookie

public static void setCookie(HttpServletResponse response,
                             java.lang.String name,
                             java.lang.String value,
                             int maxAge,
                             java.lang.String path,
                             java.lang.String domain,
                             boolean isHttpOnly,
                             boolean isSecure)

Sets a cookie to the response

This implementation calls the setCookie(HttpServletResponse, String, String, int, String,String, boolean, boolean, String) with the sameSiteCookieAttribute set as the configuration token.samesite.cookie.attr

Parameters:

response - response

name - cookie name

value - value

maxAge - maxAge

path - path

domain - The cookie domain or null to not set an explicit domain on the cookie.

isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.

isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.

setCookie

public static void setCookie(HttpServletResponse response,
                             java.lang.String name,
                             java.lang.String value,
                             int maxAge,
                             java.lang.String path,
                             java.lang.String domain,
                             boolean isHttpOnly,
                             boolean isSecure,
                             java.lang.String sameSiteCookieAttribute)

Sets a cookie to the response

Parameters:

response - response

name - cookie name

value - value

maxAge - maxAge

path - path

domain - The cookie domain or null to not set an explicit domain on the cookie.

isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.

isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.

sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONEornull to not set an explicit value for the SameSite attribute.