Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-11 07:55:47 +01:00
Code Issues Packages Projects Releases Activity

fix cookie path, if scm-manager runs with context path /

Browse Source
This commit is contained in:
Sebastian Sdorra
2018-08-23 08:24:19 +02:00
parent e17f3bfd79
commit 9e8bd299f0
2 changed files with 132 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
scm-webapp/src/main/java/sonia/scm/security/AccessTokenCookieIssuer.java
View File

@@ -31,20 +31,19 @@
package sonia.scm.security;
import com.google.common.annotations.VisibleForTesting;
import java.util.Date;
import com.google.common.base.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.Util;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.Util;
import java.util.Date;
import java.util.concurrent.TimeUnit;
/**
* Generates cookies and invalidates access token cookies.
@@ -81,7 +80,7 @@ public final class AccessTokenCookieIssuer {
public void authenticate(HttpServletRequest request, HttpServletResponse response, AccessToken accessToken) {
LOG.trace("create and attach cookie for access token {}", accessToken.getId());
Cookie c = new Cookie(HttpUtil.COOKIE_BEARER_AUTHENTICATION, accessToken.compact());
c.setPath(request.getContextPath());
c.setPath(contextPath(request));
c.setMaxAge(getMaxAge(accessToken));
c.setHttpOnly(isHttpOnly());
c.setSecure(isSecure(request));
@@ -100,7 +99,7 @@ public final class AccessTokenCookieIssuer {
LOG.trace("invalidates access token cookie");
Cookie c = new Cookie(HttpUtil.COOKIE_BEARER_AUTHENTICATION, Util.EMPTY_STRING);
c.setPath(request.getContextPath());
c.setPath(contextPath(request));
c.setMaxAge(0);
c.setHttpOnly(isHttpOnly());
c.setSecure(isSecure(request));
@@ -108,6 +107,15 @@ public final class AccessTokenCookieIssuer {
// attach empty cookie, that the browser can remove it
response.addCookie(c);
}
@VisibleForTesting
String contextPath(HttpServletRequest request) {
String contextPath = request.getContextPath();
if (Strings.isNullOrEmpty(contextPath)) {
return "/";
}
return contextPath;
}
private int getMaxAge(AccessToken accessToken){
long maxAgeMs = accessToken.getExpiration().getTime() - new Date().getTime();