dev@javaserverfaces.java.net

[2911-CookieSetHttpOnly] Seeking Review

From: Edward Burns <edward.burns_at_oracle.com>
Date: Tue, 2 Jul 2013 10:42:54 -0700

http://java.net/jira/browse/JAVASERVERFACES-2911 always set httpOnly on Flash cookie

I've filed a spec issue to make this required.

https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1201


SECTION: Modified Files
----------------------------
M jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java

- setHttpOnly(true) on the flash cookie.

M test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java

- Assert the flash cookie has httpOnly set to true.

SECTION: Diffs
----------------------------
Index: jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
===================================================================
--- jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java (revision 12044)
+++ jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java (working copy)
@@ -996,9 +996,7 @@
                 if (null != (val = toSet.getPath())) {
                     properties.put("path", val);
                 }
- if (null != (val = toSet.isHttpOnly())) {
- properties.put("httpOnly", val);
- }
+ properties.put("httpOnly", Boolean.TRUE);
                 extContext.addResponseCookie(toSet.getName(), toSet.getValue(),
                         !properties.isEmpty() ? properties : null);
                 properties = null;
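Review bot: With `"httpOnly"` now put into `properties` unconditionally, the map can never be empty, so the `!properties.isEmpty() ? properties : null` ternary two lines below is dead and can be reduced to passing `properties` directly. The cookie's own `isHttpOnly()` value is also silently overridden, which matches the intent of JAVASERVERFACES-2911 but is not stated anywhere in the code; a comment such as `// Flash cookie is always HttpOnly (JAVASERVERFACES-2911); the Cookie's own httpOnly flag is deliberately ignored.` would keep a later maintainer from reinstating the removed conditional. The enclosing method starts and ends outside the hunk, so whether other attributes such as `secure` are populated here cannot be confirmed from this view.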
Index: test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java
===================================================================
--- test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java (revision 12044)
+++ test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java (working copy)
@@ -40,6 +40,7 @@
 
 package com.sun.faces.test.agnostic.flash.basic;
 
+import com.gargoylesoftware.htmlunit.util.Cookie;
 import com.gargoylesoftware.htmlunit.WebClient;
 import com.gargoylesoftware.htmlunit.html.HtmlAnchor;
 import com.gargoylesoftware.htmlunit.html.HtmlButtonInput;
@@ -84,21 +85,29 @@
         HtmlButtonInput button = (HtmlButtonInput) page.getElementById("nextButton");
         page = button.click();
         assertTrue(page.asText().contains("foo = bar"));
+ Cookie cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
 
         page = webClient.getPage(webUrl + "/faces/flash01.xhtml");
         HtmlAnchor link = (HtmlAnchor) page.getElementById("nextLink");
         page = link.click();
         assertTrue(page.asText().contains("foo = bar"));
+ cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
 
         page = webClient.getPage(webUrl + "/faces/flash01.xhtml");
         link = (HtmlAnchor) page.getElementById("nextCommandLink");
         page = link.click();
         assertTrue(page.asText().contains("foo = bar"));
+ cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
 
         page = webClient.getPage(webUrl + "/faces/flash01.xhtml");
         HtmlSubmitInput submitButton = (HtmlSubmitInput) page.getElementById("nextCommandButton");
         page = submitButton.click();
         assertTrue(page.asText().contains("foo = bar"));
+ cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
 
     }
 }
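Review bot: `webClient.getCookieManager().getCookie("csfcfc")` can return null when no such cookie is present, so each of the four new `assertTrue(cookie.isHttpOnly())` lines would fail with a NullPointerException rather than a clear assertion failure; add `assertNotNull(cookie);` before each of them (the static import for it is not visible in this hunk, so confirm it is in scope). The four repeated pairs could also be collapsed into one small private helper taking the WebClient, so the cookie name and the flag being checked live in a single place. The enclosing test method starts outside the hunk.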


