Class TokenCookie


  • public class TokenCookie
    extends java.lang.Object
    TokenCookie provides methods to read and manipulate the value of a token cookie.

    The TokenCookie value is extracted from a request as follows:

    1. If a Cookie named NAME is present, its value is used.
    2. If a request parameter named PARAM_NAME is present, its first value is used.

    The value has the following format:

     value  := info ( ";" info )* .
     info   := [ repoid ":" ] workspace ":" token .
     repoid := CRXClusterId | RepositorySystemId | RequestPort .
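The grammar above, worked through as an added example that is not the project's TokenCookie source: a self-contained Java decoder and encoder for the value format, with the optional repoid, malformed entries and the round trip between fromString and toString handled explicitly. The map key used for an entry without a repoid is an assumption; the page does not state it.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not the project's code: decodes and re-encodes the token cookie value grammar. */
public final class TokenCookieValue {
    /** One "info" entry: [ repoid ":" ] workspace ":" token. repoId is null when absent. */
    public static final class Info {
        public final String repoId, workspace, token;
        Info(String repoId, String workspace, String token) {
            this.repoId = repoId; this.workspace = workspace; this.token = token;
        }
        @Override public String toString() {
            return (repoId == null ? "" : repoId + ":") + workspace + ":" + token;
        }
    }
    // Keyed by repoid; an entry without a repoid is stored under "" (assumed key, the page does not say).
    private final Map<String, Info> infos = new LinkedHashMap<>();

    /** value := info ( ";" info )* . Malformed entries are dropped rather than guessed at. */
    public static TokenCookieValue fromString(String value) {
        TokenCookieValue tc = new TokenCookieValue();
        if (value == null) return tc;
        for (String part : value.split(";")) {
            // Split on at most two ":" so a token containing ":" survives when a repoid is present.
            String[] f = part.trim().split(":", 3);
            if (f.length == 3) tc.infos.put(f[0], new Info(f[0], f[1], f[2]));
            else if (f.length == 2) tc.infos.put("", new Info(null, f[0], f[1]));
            // f.length < 2: no workspace/token separator, ignore the entry
        }
        return tc;
    }

    public Map<String, Info> getInfos() { return infos; }

    /** true if an Info for repoId existed and has been removed. */
    public boolean remove(String repoId) { return infos.remove(repoId) != null; }

    /** Inverse of fromString: joins the entries with ";". */
    @Override public String toString() {
        StringBuilder sb = new StringBuilder();
        for (Info i : infos.values()) sb.append(sb.length() == 0 ? "" : ";").append(i);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value: one entry with a repoid, one without.
        TokenCookieValue tc = fromString("cluster-1:crx.default:tok-aaa;crx.default:tok-bbb");
        System.out.println(tc.getInfos().size() + " entries, removed=" + tc.remove("cluster-1") + ", now: " + tc);
    }
}
```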
     
    • Field Detail

      • NAME

        public static final java.lang.String NAME
        Name of the cookie that provides the login token.
        See Also:
        Constant Field Values
      • SAMESITE_ATTR_STRICT

        public static final java.lang.String SAMESITE_ATTR_STRICT
        The value indicating that the cookie will only be sent along with "same-site" requests.
        See Also:
        Constant Field Values
      • SAMESITE_ATTR_LAX

        public static final java.lang.String SAMESITE_ATTR_LAX
        The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations.
        See Also:
        Constant Field Values
      • SAMESITE_ATTR_NONE

        public static final java.lang.String SAMESITE_ATTR_NONE
        The value indicating that the cookie will be sent with same-site and cross-site requests.
        See Also:
        Constant Field Values
      • PARAM_NAME

        public static final java.lang.String PARAM_NAME
        Name of the request header optionally providing the token cookie value instead of the HTTP Cookie.
        Since:
        1.0.2 (Bundle version 2.2.0.2)
        See Also:
        Constant Field Values
      • ATTR_NAME

        public static final java.lang.String ATTR_NAME
        Name of the request attribute under which the decoded token cookie is stored once it has been read from the request.
    • Constructor Detail

      • TokenCookie

        public TokenCookie()
    • Method Detail

      • getInfos

        public java.util.Map<java.lang.String, TokenCookie.Info> getInfos()
      • fromRequest

        public static TokenCookie fromRequest(HttpServletRequest request)
        Returns the token cookie for the request. It first checks whether the decoded cookie is already present as a request attribute and, if not, reads it from the request cookies.
        Parameters:
        request - servlet request
        Returns:
        a token cookie.
      • getPort

        public static java.lang.String getPort(HttpServletRequest request)
        Returns the port from the Host header.
        Parameters:
        request - request
        Returns:
        the port.
      • update

        public static void update(HttpServletRequest request,
                                  HttpServletResponse response,
                                  java.lang.String repoId,
                                  java.lang.String token,
                                  java.lang.String wsp,
                                  boolean isHttpOnly)
        Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.

        This implementation calls update(HttpServletRequest, HttpServletResponse, String, String, String, boolean, String) with the sameSiteCookieAttribute set to the value of the configuration property token.samesite.cookie.attr.

        Parameters:
        request - The request object providing the original token Cookie to be updated by this method.
        response - The response object used to set the cookie on
        repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
        token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.
        wsp - The workspace which the token is mainly used to access. Ignored if token is null.
        isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility, to allow old use cases to still make the cookie visible to client-side JavaScript.
      • update

        public static void update(HttpServletRequest request,
                                  HttpServletResponse response,
                                  java.lang.String repoId,
                                  java.lang.String token,
                                  java.lang.String wsp,
                                  boolean isHttpOnly,
                                  java.lang.String sameSiteCookieAttribute)
        Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.
        Parameters:
        request - The request object providing the original token Cookie to be updated by this method.
        response - The response object used to set the cookie on
        repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
        token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.
        wsp - The workspace which the token is mainly used to access. Ignored if token is null.
        isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility, to allow old use cases to still make the cookie visible to client-side JavaScript.
        sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7. Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE.
      • fromString

        public static TokenCookie fromString(java.lang.String value)
        Decodes a token cookie value.

        This is the reverse operation to the toString() method.

        Parameters:
        value - cookie value
        Returns:
        a token cookie
      • remove

        public boolean remove(java.lang.String repoId)
        Removes the info with the specified repository ID.
        Parameters:
        repoId - The repository ID whose TokenCookie.Info has to be removed
        Returns:
        true if a TokenCookie.Info object for the repository ID existed and has now been removed.
      • toString

        public java.lang.String toString()
        Returns the string representation of this token cookie. The value returned by this method can be decoded with the fromString(String) method.
        Overrides:
        toString in class java.lang.Object
        Returns:
        the string
      • getCookie

        public static java.lang.String getCookie(HttpServletRequest request,
                                                 java.lang.String name)
        Retrieves the cookie with the given name from the request.
        Parameters:
        request - servlet request
        name - the name
        Returns:
        the cookie value, or null if the request carries no cookie with the given name that has a non-empty value.
      • setCookie

        public static void setCookie(HttpServletResponse response,
                                     java.lang.String name,
                                     java.lang.String value,
                                     int maxAge,
                                     java.lang.String path,
                                     java.lang.String domain,
                                     boolean isHttpOnly,
                                     boolean isSecure)
        Sets a cookie on the response.

        This implementation calls setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean, String) with the sameSiteCookieAttribute set to the value of the configuration property token.samesite.cookie.attr.

        Parameters:
        response - response
        name - cookie name
        value - value
        maxAge - maxAge
        path - path
        domain - The cookie domain or null to not set an explicit domain on the cookie.
        isHttpOnly - Whether (true) or not (false) to set the HttpOnly attribute on the cookie. Setting this parameter to false is not recommended unless the cookie must support use cases where client-side access to the cookie is essential despite the inherent security risks.
        isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.
      • setCookie

        public static void setCookie(HttpServletResponse response,
                                     java.lang.String name,
                                     java.lang.String value,
                                     int maxAge,
                                     java.lang.String path,
                                     java.lang.String domain,
                                     boolean isHttpOnly,
                                     boolean isSecure,
                                     java.lang.String sameSiteCookieAttribute)
        Sets a cookie on the response.
        Parameters:
        response - response
        name - cookie name
        value - value
        maxAge - maxAge
        path - path
        domain - The cookie domain or null to not set an explicit domain on the cookie.
        isHttpOnly - Whether (true) or not (false) to set the HttpOnly attribute on the cookie. Setting this parameter to false is not recommended unless the cookie must support use cases where client-side access to the cookie is essential despite the inherent security risks.
        isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.
        sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7. Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE, or null to not set an explicit value for the SameSite attribute.
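Added example, not the project's setCookie implementation: a pure Java function that renders the Set-Cookie header value these parameters describe, validating the SameSite value against the three constants and refusing the SameSite=None-without-Secure combination that browsers reject. It assumes the string values "Strict", "Lax" and "None" for the constants and the servlet Cookie.setMaxAge convention (negative = session cookie, 0 = delete); it does not use the servlet API, so it runs stand-alone.

```java
import java.util.Arrays;
import java.util.List;

/** Added example, not the project's code: renders the Set-Cookie header that setCookie's parameters describe. */
public final class SetCookieHeader {

    // The three SameSite values the page's constants name; their string values are assumed from rfc6265bis.
    public static final String SAMESITE_ATTR_STRICT = "Strict";
    public static final String SAMESITE_ATTR_LAX = "Lax";
    public static final String SAMESITE_ATTR_NONE = "None";
    private static final List<String> VALID_SAMESITE =
            Arrays.asList(SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX, SAMESITE_ATTR_NONE);

    /**
     * Same parameters as setCookie(response, name, value, maxAge, path, domain, isHttpOnly, isSecure,
     * sameSiteCookieAttribute), but returns the header value instead of writing it to a response.
     * maxAge follows the servlet Cookie convention: negative = session cookie, 0 = delete, >0 = seconds.
     */
    public static String build(String name, String value, int maxAge, String path, String domain,
                               boolean isHttpOnly, boolean isSecure, String sameSite) {
        if (name == null || name.isEmpty() || name.indexOf(';') >= 0 || name.indexOf('=') >= 0) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        // The value must already be header-safe; how the real class encodes its ";" separators is not on the page.
        if (value != null && value.indexOf(';') >= 0) {
            throw new IllegalArgumentException("cookie value must not contain ';'");
        }
        if (sameSite != null && !VALID_SAMESITE.contains(sameSite)) {
            throw new IllegalArgumentException("unknown SameSite value: " + sameSite);
        }
        // rfc6265bis: SameSite=None is only honoured together with Secure; browsers drop it otherwise.
        if (SAMESITE_ATTR_NONE.equals(sameSite) && !isSecure) {
            throw new IllegalArgumentException("SameSite=None requires the Secure attribute");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value == null ? "" : value);
        if (maxAge >= 0) sb.append("; Max-Age=").append(maxAge);  // Max-Age=0 tells the browser to delete it
        if (path != null) sb.append("; Path=").append(path);
        if (domain != null) sb.append("; Domain=").append(domain);
        if (isSecure) sb.append("; Secure");
        if (isHttpOnly) sb.append("; HttpOnly");                  // keeps the token out of reach of page script
        if (sameSite != null) sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed call: a single-entry token value as a session cookie, HttpOnly + Secure, SameSite=Lax.
        System.out.println(build("token-cookie", "crx.default:tok-aaa", -1, "/", null, true, true, SAMESITE_ATTR_LAX));
    }
}
```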