public class TokenCookie
extends java.lang.Object
TokenCookie provides methods to read and manipulate the value of a token cookie.

The TokenCookie value is extracted from a request as follows:
- If NAME is present, its value is used
- If PARAM_NAME is present, its first value is used

The value has the following format:

    value := info ( ";" info )* .
    info := [ repoid ":" ] workspace ":" token .
    repoid := CRXClusterId | RepositorySystemId | RequestPort .
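
The grammar above can be exercised with a small stand-alone parser. This is an added example, not Adobe's TokenCookie implementation; the class and record names are hypothetical, and it assumes that no field contains ":" or ";" and that an info without a repoid is keyed under an empty string.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Stand-alone sketch of the documented grammar; not Adobe's TokenCookie code. */
public class TokenCookieFormatDemo {

    /** Hypothetical counterpart of TokenCookie.Info: a token / workspace pair. */
    record Entry(String workspace, String token) {}

    /**
     * Parses value := info ( ";" info )*, info := [ repoid ":" ] workspace ":" token.
     * Assumption: no field contains ':' or ';'. Malformed infos are skipped,
     * so hostile input can never yield a half-populated entry.
     */
    static Map<String, Entry> parse(String value) {
        Map<String, Entry> infos = new LinkedHashMap<>();
        if (value == null || value.isEmpty()) {
            return infos;
        }
        for (String info : value.split(";")) {
            String[] f = info.split(":", -1); // -1 keeps empty trailing fields
            String repoId;
            Entry e;
            if (f.length == 3) {
                repoId = f[0];
                e = new Entry(f[1], f[2]);
            } else if (f.length == 2) {
                repoId = ""; // assumption: missing repoid maps to an empty key
                e = new Entry(f[0], f[1]);
            } else {
                continue; // wrong field count
            }
            if (e.workspace().isEmpty() || e.token().isEmpty()) {
                continue; // reject empty workspace or token
            }
            infos.put(repoId, e);
        }
        return infos;
    }

    public static void main(String[] args) {
        // Constructed sample value: two valid infos and two malformed ones.
        String sample = "4502:crx.default:tokA;cluster-1:crx.default:tokB;bad;4503:ws:";
        parse(sample).forEach((id, e) ->
            System.out.println(id + " -> workspace=" + e.workspace() + " token=" + e.token()));
    }
}
```

The sample yields two entries, keyed 4502 and cluster-1; the infos "bad" and "4503:ws:" are dropped rather than mapped to an empty token.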
Modifier and Type | Class and Description |
---|---|
static class | TokenCookie.Info holds a token / workspace pair |
Modifier and Type | Field and Description |
---|---|
static java.lang.String | ATTR_NAME name of the request attribute |
static java.lang.String | NAME Name of the cookie that provides the login token. |
static java.lang.String | PARAM_NAME Name of the request header optionally providing the token cookie value instead of the HTTP Cookie. |
static java.lang.String | SAMESITE_ATTR_LAX The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations. |
static java.lang.String | SAMESITE_ATTR_NONE The value indicating that the cookie will be sent with same-site and cross-site requests. |
static java.lang.String | SAMESITE_ATTR_STRICT The value indicating that the cookie will only be sent along with "same-site" requests. |
Constructor and Description |
---|
TokenCookie() |
Modifier and Type | Method and Description |
---|---|
static TokenCookie | fromRequest(HttpServletRequest request) Returns the cookie from the request. |
static TokenCookie | fromString(java.lang.String value) Decodes a token cookie value. |
static java.lang.String | getCookie(HttpServletRequest request, java.lang.String name) Retrieves the cookie with the given name from the request |
java.util.Map<java.lang.String,TokenCookie.Info> | getInfos() |
static java.lang.String | getPort(HttpServletRequest request) Returns the port from the host header. |
static TokenCookie.Info | getTokenInfo(HttpServletRequest request) Deprecated. use getTokenInfo(HttpServletRequest, String) instead |
static TokenCookie.Info | getTokenInfo(HttpServletRequest request, java.lang.String repoId) Returns the TokenCookie.Info from the request for the given repository ID. |
boolean | remove(java.lang.String repoId) Removes the info with the specified repository ID |
static void | setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path) Deprecated. |
static void | setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure) Sets a cookie to the response |
static void | setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure, java.lang.String sameSiteCookieAttribute) Sets a cookie to the response |
java.lang.String | toString() Returns the string representation of this token cookie. |
static void | update(HttpServletRequest request, HttpServletResponse response, java.lang.String token, java.lang.String wsp) Deprecated. |
static void | update(HttpServletRequest request, HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly) Updates the token cookie and sets the response cookie accordingly. |
static void | update(HttpServletRequest request, HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly, java.lang.String sameSiteCookieAttribute) Updates the token cookie and sets the response cookie accordingly. |
public static final java.lang.String NAME
public static final java.lang.String SAMESITE_ATTR_STRICT
public static final java.lang.String SAMESITE_ATTR_LAX
public static final java.lang.String SAMESITE_ATTR_NONE
public static final java.lang.String PARAM_NAME
public static final java.lang.String ATTR_NAME
public java.util.Map<java.lang.String,TokenCookie.Info> getInfos()
public static TokenCookie fromRequest(HttpServletRequest request)
request - servlet request

@Deprecated public static TokenCookie.Info getTokenInfo(HttpServletRequest request)
Deprecated. use getTokenInfo(HttpServletRequest, String) instead
This implementation calls the getTokenInfo(HttpServletRequest, String) method using the request port as returned from getPort(HttpServletRequest) as the repository ID.
request - the request
TokenCookie.Info.INVALID

public static TokenCookie.Info getTokenInfo(HttpServletRequest request, java.lang.String repoId)
Returns the TokenCookie.Info from the request for the given repository ID.
request - The request to extract the TokenCookie.Info from
repoId - The repository ID identifying the actual TokenCookie.Info instance from the TokenCookie. This must not be null.
TokenCookie.Info.INVALID if no TokenCookie.Info is available for the given repository ID

public static java.lang.String getPort(HttpServletRequest request)
request - request

@Deprecated public static void update(HttpServletRequest request, HttpServletResponse response, java.lang.String token, java.lang.String wsp)
Deprecated. use update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) instead
If token is null, the token information is removed.
This implementation calls the update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) with the repository ID set to the request's port as returned from getPort(HttpServletRequest) and not setting the HttpOnly cookie flag.
request - servlet request
response - servlet response
token - token
wsp - workspace

public static void update(HttpServletRequest request, HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly)
If token is null, the token information is removed.
This implementation calls the update(HttpServletRequest, HttpServletResponse, String, String, String, boolean, String) with the sameSiteCookieAttribute set as the configuration token.samesite.cookie.attr
request - The request object providing the original token Cookie to be updated by this method.
response - The response object used to set the cookie on
repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.
wsp - The workspace which the token is mainly used to access. Ignored if token is null.
isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility reasons to allow old use cases to still make the cookie visible to client side JavaScript.

public static void update(HttpServletRequest request, HttpServletResponse response, java.lang.String repoId, java.lang.String token, java.lang.String wsp, boolean isHttpOnly, java.lang.String sameSiteCookieAttribute)
If token is null, the token information is removed.
request - The request object providing the original token Cookie to be updated by this method.
response - The response object used to set the cookie on
repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.
wsp - The workspace which the token is mainly used to access. Ignored if token is null.
isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility reasons to allow old use cases to still make the cookie visible to client side JavaScript.
sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE.

public static TokenCookie fromString(java.lang.String value)
This is the reverse operation to the toString() method.
value - cookie value

public boolean remove(java.lang.String repoId)
repoId - The repository ID whose TokenCookie.Info has to be removed
true if a TokenCookie.Info object for the repository ID existed and is now removed.

public java.lang.String toString()
fromString(String) method.
toString in class java.lang.Object

public static java.lang.String getCookie(HttpServletRequest request, java.lang.String name)
request - servlet request
name - the name
null if no cookie with the given name exists whose value is not empty.

@Deprecated public static void setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path)
Deprecated. use setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean) instead
response - response
name - cookie name
value - value
maxAge - maxAge
path - path

public static void setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure)
This implementation calls the setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean, String) with the sameSiteCookieAttribute set as the configuration token.samesite.cookie.attr
response - response
name - cookie name
value - value
maxAge - maxAge
path - path
domain - The cookie domain or null to not set an explicit domain on the cookie.
isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.
isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.

public static void setCookie(HttpServletResponse response, java.lang.String name, java.lang.String value, int maxAge, java.lang.String path, java.lang.String domain, boolean isHttpOnly, boolean isSecure, java.lang.String sameSiteCookieAttribute)
response - response
name - cookie name
value - value
maxAge - maxAge
path - path
domain - The cookie domain or null to not set an explicit domain on the cookie.
isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.
isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.
sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE or null to not set an explicit value for the SameSite attribute.

Copyright © 2010 - 2020 Adobe. All Rights Reserved