Class TokenCookie

java.lang.Object
com.day.crx.security.token.TokenCookie

public class TokenCookie extends Object
TokenCookie provides methods to read and manipulate the value of a token cookie.

The TokenCookie value is extracted from a request as follows:

  1. If a Cookie named NAME is present, its value is used
  2. If a request parameter named PARAM_NAME is present, its first value is used

The value has the following format:

 value  := info ( ";" info )* .
 info   := [ repoid ":" ] workspace ":" token .
 repoid := CRXClusterId | RepositorySystemId | RequestPort .
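The grammar above is compact enough to implement directly. The following class is an added example and is not the project's TokenCookie (whose fromString(String)/toString() perform the same round trip); it decodes a value into a map keyed by repoid and re-encodes it. Two assumptions are made that the grammar leaves open: an info entry whose optional repoid is omitted is keyed by the empty string, and an entry that does not split into exactly two or three ":"-separated fields, or that has an empty workspace or token, is treated as malformed and dropped rather than accepted.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not the project's TokenCookie: decodes and re-encodes the
 * cookie value grammar  value := info ( ";" info )*  with
 * info := [ repoid ":" ] workspace ":" token.
 * Assumptions: an entry without repoid is keyed by "", and entries with a
 * wrong field count or an empty workspace/token are dropped as malformed.
 */
public final class TokenCookieValue {

    /** One info entry: [repoid ":"] workspace ":" token. */
    public static final class Info {
        public final String repoId;    // null when the optional repoid is absent
        public final String workspace;
        public final String token;

        Info(String repoId, String workspace, String token) {
            this.repoId = repoId;
            this.workspace = workspace;
            this.token = token;
        }

        /** Serialises this entry back into the info production. */
        String encode() {
            return (repoId == null ? "" : repoId + ":") + workspace + ":" + token;
        }
    }

    /** Parses value := info ( ";" info )* into a map keyed by repoid. */
    public static Map<String, Info> decode(String value) {
        Map<String, Info> infos = new LinkedHashMap<>();
        if (value == null || value.isEmpty()) {
            return infos;
        }
        for (String entry : value.split(";")) {
            // limit -1 keeps trailing empty fields, so "ws:" is seen as an empty token
            String[] f = entry.split(":", -1);
            Info info;
            if (f.length == 2) {
                info = new Info(null, f[0], f[1]);   // workspace ":" token
            } else if (f.length == 3) {
                info = new Info(f[0], f[1], f[2]);   // repoid ":" workspace ":" token
            } else {
                continue;                            // malformed: wrong field count
            }
            if (info.workspace.isEmpty() || info.token.isEmpty()) {
                continue;                            // malformed: empty workspace or token
            }
            infos.put(info.repoId == null ? "" : info.repoId, info);
        }
        return infos;
    }

    /** Inverse of decode: joins the entries with ";" in insertion order. */
    public static String encode(Map<String, Info> infos) {
        StringBuilder sb = new StringBuilder();
        for (Info info : infos.values()) {
            if (sb.length() > 0) {
                sb.append(';');
            }
            sb.append(info.encode());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: one entry keyed by a request port, one keyed by a
        // cluster id, one without repoid, and one malformed entry that is dropped.
        String sample = "4502:crx.default:tok-A;cluster-1:crx.default:tok-B;crx.default:tok-C;broken";
        Map<String, Info> infos = decode(sample);
        System.out.println("entries: " + infos.size());
        System.out.println("port-keyed token: " + infos.get("4502").token);
        System.out.println("unkeyed token:    " + infos.get("").token);
        System.out.println("re-encoded:       " + encode(infos));
    }
}
```

Because the key is the repoid, two entries for the same repository id collapse to the last one seen, which mirrors how a single TokenCookie.Info per repository ID is looked up by getTokenInfo(HttpServletRequest, String).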
 
  • Field Details

    • NAME

      public static final String NAME
      Name of the cookie that provides the login token.
    • SAMESITE_ATTR_STRICT

      public static final String SAMESITE_ATTR_STRICT
      The value indicating that the cookie will only be sent along with "same-site" requests.
    • SAMESITE_ATTR_LAX

      public static final String SAMESITE_ATTR_LAX
      The value indicating that the cookie will be sent with same-site requests, and with "cross-site" top-level navigations.
    • SAMESITE_ATTR_NONE

      public static final String SAMESITE_ATTR_NONE
      The value indicating that the cookie will be sent with same-site and cross-site requests.
    • SAMESITE_ATTR_PARTITIONED

      public static final String SAMESITE_ATTR_PARTITIONED
      The value indicating that the cookie will be sent with same-site and cross-site requests, partitioned.
    • PARAM_NAME

      public static final String PARAM_NAME
      Name of the request header optionally providing the token cookie value instead of the HTTP Cookie.
      Since:
      1.0.2 (Bundle version 2.2.0.2)
    • ATTR_NAME

      public static final String ATTR_NAME
      Name of the request attribute.
  • Constructor Details

    • TokenCookie

      public TokenCookie()
  • Method Details

    • getInfos

      public Map<String,TokenCookie.Info> getInfos()
    • fromRequest

      public static TokenCookie fromRequest(HttpServletRequest request)
      Returns the cookie from the request. First checks whether the decoded cookie is already present as a request attribute and reads it from the request cookies if needed.
      Parameters:
      request - servlet request
      Returns:
      a token cookie.
    • getTokenInfo

      @Deprecated public static TokenCookie.Info getTokenInfo(HttpServletRequest request)
      Returns the token info for the given request, respecting the port specified in the host header.

      This implementation calls the getTokenInfo(HttpServletRequest, String) method using the request port as returned from getPort(HttpServletRequest) as the repository ID.

      Parameters:
      request - the request
      Returns:
      the info or TokenCookie.Info.INVALID
    • getTokenInfo

      public static TokenCookie.Info getTokenInfo(HttpServletRequest request, String repoId)
      Returns the TokenCookie.Info from the request for the given repository ID.
      Parameters:
      request - The request to extract the TokenCookie.Info from
      repoId - The repository ID identifying the actual TokenCookie.Info instance from the TokenCookie. This must not be null.
      Returns:
      the info or TokenCookie.Info.INVALID if no TokenCookie.Info is available for the given repository ID
    • getPort

      public static String getPort(HttpServletRequest request)
      Returns the port from the Host header.
      Parameters:
      request - request
      Returns:
      the port.
    • update

      @Deprecated public static void update(HttpServletRequest request, HttpServletResponse response, String token, String wsp)
      Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.

      This implementation calls update(HttpServletRequest, HttpServletResponse, String, String, String, boolean) with the repository ID set to the request's port as returned from getPort(HttpServletRequest) and without setting the HttpOnly cookie flag.

      Parameters:
      request - servlet request
      response - servlet response
      token - token
      wsp - workspace
    • update

      public static void update(HttpServletRequest request, HttpServletResponse response, String repoId, String token, String wsp, boolean isHttpOnly)
      Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.

      This implementation calls update(HttpServletRequest, HttpServletResponse, String, String, String, boolean, String) with the sameSiteCookieAttribute set from the configuration token.samesite.cookie.attr.

      Parameters:
      request - The request object providing the original token Cookie to be updated by this method.
      response - The response object used to set the cookie on
      repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
      token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.
      wsp - The workspace which the token is mainly used to access. Ignored if token is null.
      isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility reasons, to allow old use cases to still make the cookie visible to client-side JavaScript.
    • update

      public static void update(HttpServletRequest request, HttpServletResponse response, String repoId, String token, String wsp, boolean isHttpOnly, String sameSiteCookieAttribute)
      Updates the token cookie and sets the response cookie accordingly. If token is null, the token information is removed.
      Parameters:
      request - The request object providing the original token Cookie to be updated by this method.
      response - The response object used to set the cookie on
      repoId - The repository ID identifying the TokenCookie.Info whose token value should be updated or removed.
      token - The actual token or null to remove the TokenCookie.Info for the repository ID from the cookie.
      wsp - The workspace which the token is mainly used to access. Ignored if token is null.
      isHttpOnly - Whether or not to set the HttpOnly attribute on the cookie. For security reasons it is recommended to always set this parameter to true. The parameter mainly exists for backwards compatibility reasons, to allow old use cases to still make the cookie visible to client-side JavaScript.
      sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE.
    • fromString

      public static TokenCookie fromString(String value)
      Decodes a token cookie value.

      This is the reverse operation to the toString() method.

      Parameters:
      value - cookie value
      Returns:
      a token cookie
    • remove

      public boolean remove(String repoId)
      Removes the info with the specified repository ID.
      Parameters:
      repoId - The repository ID whose TokenCookie.Info has to be removed
      Returns:
      true if a TokenCookie.Info object for the repository ID existed and is now removed.
    • toString

      public String toString()
      Returns the string representation of this token cookie. The value returned by this method can be decoded with the fromString(String) method.
      Overrides:
      toString in class Object
      Returns:
      the string
    • getCookie

      public static String getCookie(HttpServletRequest request, String name)
      Retrieves the cookie with the given name from the request.
      Parameters:
      request - servlet request
      name - the name
      Returns:
      the cookie value or null if no cookie with the given name exists whose value is not empty.
    • setCookie

      @Deprecated public static void setCookie(HttpServletResponse response, String name, String value, int maxAge, String path)
      Sets a cookie on the response.
      Parameters:
      response - response
      name - cookie name
      value - value
      maxAge - maxAge
      path - path
    • setCookie

      public static void setCookie(HttpServletResponse response, String name, String value, int maxAge, String path, String domain, boolean isHttpOnly, boolean isSecure)
      Sets a cookie on the response.

      This implementation calls setCookie(HttpServletResponse, String, String, int, String, String, boolean, boolean, String) with the sameSiteCookieAttribute set from the configuration token.samesite.cookie.attr.

      Parameters:
      response - response
      name - cookie name
      value - value
      maxAge - maxAge
      path - path
      domain - The cookie domain or null to not set an explicit domain on the cookie.
      isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.
      isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.
    • setCookie

      public static void setCookie(HttpServletResponse response, String name, String value, int maxAge, String path, String domain, boolean isHttpOnly, boolean isSecure, String sameSiteCookieAttribute)
      Sets a cookie on the response.
      Parameters:
      response - response
      name - cookie name
      value - value
      maxAge - maxAge
      path - path
      domain - The cookie domain or null to not set an explicit domain on the cookie.
      isHttpOnly - Whether to set (true) or not the HttpOnly attribute on the cookie. It is not recommended to set this parameter to false unless the cookie must support certain use cases where it is essential for the client side to have access to the cookie despite the inherent security risks.
      isSecure - Whether to set (true) or not the Secure attribute on the cookie. The value for this parameter should be derived from the current request, namely the ServletRequest.isSecure() method.
      sameSiteCookieAttribute - The value for the SameSite attribute defined in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7 . Valid values are SAMESITE_ATTR_STRICT, SAMESITE_ATTR_LAX and SAMESITE_ATTR_NONE, or null to not set an explicit value for the SameSite attribute.
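The update and setCookie overloads above differ mainly in which cookie attributes the caller controls: the deprecated update(HttpServletRequest, HttpServletResponse, String, String) derives the repository ID from the request port and leaves HttpOnly unset, while the full overloads let the caller set HttpOnly, Secure and SameSite explicitly. The class below is an added example of calling the documented API from a servlet, not code from the documented class. It assumes the javax.servlet (rather than jakarta.servlet) flavour of HttpServletRequest/HttpServletResponse, uses only the method signatures and constants listed on this page, and picks "/" as the cookie path and a null domain for the plain-cookie case.

```java
import javax.servlet.http.HttpServletRequest;   // assumption: javax, not jakarta, servlet API
import javax.servlet.http.HttpServletResponse;

import com.day.crx.security.token.TokenCookie;

/**
 * Added example, not part of the documented class: issuing, checking and
 * revoking the login-token cookie through the non-deprecated overloads so
 * that HttpOnly, Secure and SameSite are always set explicitly.
 */
public final class TokenCookieUsage {

    private TokenCookieUsage() {
    }

    /** Stores token for repoId in the token cookie with HttpOnly and SameSite=Strict. */
    public static void issue(HttpServletRequest request, HttpServletResponse response,
                             String repoId, String token, String workspace) {
        // Deprecated form, shown only for contrast: repoId becomes the request port
        // and HttpOnly is not set, so client-side script could read the login token.
        //   TokenCookie.update(request, response, token, workspace);

        // Preferred form: explicit repoId, HttpOnly=true, explicit SameSite value.
        TokenCookie.update(request, response, repoId, token, workspace, true,
                TokenCookie.SAMESITE_ATTR_STRICT);
    }

    /** Drops the entry for repoId: a null token removes the info from the cookie (wsp is ignored). */
    public static void revoke(HttpServletRequest request, HttpServletResponse response,
                              String repoId) {
        TokenCookie.update(request, response, repoId, null, null, true,
                TokenCookie.SAMESITE_ATTR_STRICT);
    }

    /** True when the NAME cookie (or PARAM_NAME parameter) carries a decodable entry for repoId. */
    public static boolean hasTokenFor(HttpServletRequest request, String repoId) {
        TokenCookie.Info info = TokenCookie.getTokenInfo(request, repoId);
        return info != TokenCookie.Info.INVALID;
    }

    /** Sets an unrelated cookie with the same hardening; Secure follows request.isSecure() as the docs advise. */
    public static void setHardenedCookie(HttpServletRequest request, HttpServletResponse response,
                                         String name, String value, int maxAgeSeconds) {
        TokenCookie.setCookie(response, name, value, maxAgeSeconds, "/", null,
                true,                   // HttpOnly: keep the value away from page scripts
                request.isSecure(),     // Secure: derived from the current request
                TokenCookie.SAMESITE_ATTR_LAX);
    }
}
```

hasTokenFor deliberately compares against TokenCookie.Info.INVALID, the sentinel both getTokenInfo overloads return when no entry exists for the repository ID, rather than checking for null. When a deployment wants the SameSite value to come from the token.samesite.cookie.attr configuration instead of a constant, the six-argument update and eight-argument setCookie overloads do exactly that.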