http://java.net/jira/browse/JAVASERVERFACES-2911 always set httpOnly on Flash cookie
I've filed a spec issue to make this required.
https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1201
SECTION: Modified Files
----------------------------
M jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
- setHttpOnly(true) on the flash cookie.
M test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java
- Assert that the flash cookie is marked HttpOnly.
SECTION: Diffs
----------------------------
Index: jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
===================================================================
--- jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java (revision 12044)
+++ jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java (working copy)
@@ -996,9 +996,7 @@
if (null != (val = toSet.getPath())) {
properties.put("path", val);
}
- if (null != (val = toSet.isHttpOnly())) {
- properties.put("httpOnly", val);
- }
+ properties.put("httpOnly", Boolean.TRUE);
extContext.addResponseCookie(toSet.getName(), toSet.getValue(),
!properties.isEmpty() ? properties : null);
properties = null;
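Review bot: The forced `properties.put("httpOnly", Boolean.TRUE)` carries no comment explaining why the value from `toSet.isHttpOnly()` is now ignored, and it turns the `!properties.isEmpty() ? properties : null` argument two lines below into dead logic, because the map can no longer be empty there. I would add `// Always HttpOnly, regardless of toSet.isHttpOnly(): keeps the flash cookie out of reach of page script (JAVASERVERFACES-2911)` above the put and pass `properties` directly to `addResponseCookie`. The hunk shows only the path and httpOnly attributes, so whether `secure` is set for HTTPS requests cannot be judged from here; it is worth confirming in the same pass, since HttpOnly alone does not protect the cookie in transit. The enclosing method starts and ends outside the hunk.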
Index: test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java
===================================================================
--- test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java (revision 12044)
+++ test/agnostic/flash/basic/src/test/java/com/sun/faces/test/agnostic/flash/basic/FlashViewParamIT.java (working copy)
@@ -40,6 +40,7 @@
package com.sun.faces.test.agnostic.flash.basic;
+import com.gargoylesoftware.htmlunit.util.Cookie;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlAnchor;
import com.gargoylesoftware.htmlunit.html.HtmlButtonInput;
@@ -84,21 +85,29 @@
HtmlButtonInput button = (HtmlButtonInput) page.getElementById("nextButton");
page = button.click();
assertTrue(page.asText().contains("foo = bar"));
+ Cookie cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
page = webClient.getPage(webUrl + "/faces/flash01.xhtml");
HtmlAnchor link = (HtmlAnchor) page.getElementById("nextLink");
page = link.click();
assertTrue(page.asText().contains("foo = bar"));
+ cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
page = webClient.getPage(webUrl + "/faces/flash01.xhtml");
link = (HtmlAnchor) page.getElementById("nextCommandLink");
page = link.click();
assertTrue(page.asText().contains("foo = bar"));
+ cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
page = webClient.getPage(webUrl + "/faces/flash01.xhtml");
HtmlSubmitInput submitButton = (HtmlSubmitInput) page.getElementById("nextCommandButton");
page = submitButton.click();
assertTrue(page.asText().contains("foo = bar"));
+ cookie = webClient.getCookieManager().getCookie("csfcfc");
+ assertTrue(cookie.isHttpOnly());
}
}
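Review bot: `getCookie("csfcfc")` returns null when no cookie of that name is in the cookie manager, so each of the four added `assertTrue(cookie.isHttpOnly())` lines would fail with a NullPointerException instead of a readable assertion if the flash cookie is ever missing. Add `assertNotNull("flash cookie csfcfc not set", cookie);` before each check, or fold the lookup and both assertions into one private helper so the literal `"csfcfc"` is not repeated four times. The same `webClient` is reused for all four navigations, so the later checks may be satisfied by a cookie stored during an earlier step; this is inferred from the visible lines rather than shown, and asserting on the response's Set-Cookie header would make each step independent. The test method begins outside the hunk.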
--