JAVAEE兼容低版本设置Cookie的HttpOnly属性

在做安全扫描的时候,会把Cookie中没有HttpOnly属性作为漏洞,需要处理,但是在低版本的Servlet API中并没有相关的设置方法,高版本可以直接使用Cookie对象的setHttpOnly(boolean httpOnly)方法进行设置,那么要解决这个问题,我们只能升级了吗?并不是,升级的代价可能会很大,所以本篇文章结合了新版本的API,可以直接为HttpServletResponse设置Set-Cookie响应头,我们自己来处理Cookie的拼接,代码如下:

import java.util.BitSet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Cookie工具
 * 
 * @author jianggujin
 *
 */
public class JCookieUtils {
   private static final BitSet domainValid = new BitSet(128);

   static {
      for (char c = '0'; c <= '9'; c++) {
         domainValid.set(c);
      }
      for (char c = 'a'; c <= 'z'; c++) {
         domainValid.set(c);
      }
      for (char c = 'A'; c <= 'Z'; c++) {
         domainValid.set(c);
      }
      domainValid.set('.');
      domainValid.set('-');
   }

   public static void doSetCookie(HttpServletResponse response, String name, String value, int maxAgeInSeconds,
         String path, String domain, Boolean isHttpOnly) {
      Cookie cookie = new Cookie(name, value);
      cookie.setMaxAge(maxAgeInSeconds);
      // set the default path value to "/"
      if (path == null) {
         path = "/";
      }
      cookie.setPath(path);

      if (domain != null) {
         cookie.setDomain(domain);
      }
      doSetCookie(response, cookie, isHttpOnly);
   }

   public static void doSetCookie(HttpServletResponse response, Cookie cookie, Boolean isHttpOnly) {

      StringBuilder header = new StringBuilder();
      // TODO: Name validation takes place in Cookie and can not be configured
      // per Context. Moving it to here would allow per Context config
      // but delay validation until the header is generated. However,
      // the spec requires an IllegalArgumentException on Cookie
      // generation.
      header.append(cookie.getName());
      header.append('=');
      String value = cookie.getValue();
      if (value != null && value.length() > 0) {
         validateCookieValue(value);
         header.append(value);
      }

      // RFC 6265 prefers Max-Age to Expires so use Max-Age
      int maxAge = cookie.getMaxAge();
      if (maxAge > -1) {
         // Negative Max-Age is equivalent to no Max-Age
         header.append(";Max-Age=");
         header.append(maxAge);
      }

      String domain = cookie.getDomain();
      if (domain != null && domain.length() > 0) {
         validateDomain(domain);
         header.append(";domain=");
         header.append(domain);
      }

      String path = cookie.getPath();
      if (path != null && path.length() > 0) {
         validatePath(path);
         header.append(";path=");
         header.append(path);
      }

      if (cookie.getSecure()) {
         header.append(";Secure");
      }

      if (isHttpOnly != null && isHttpOnly) {
         header.append(";HttpOnly");
      }
      response.addHeader("Set-Cookie", header.toString());
   }

   private static void validateCookieValue(String value) {
      int start = 0;
      int end = value.length();

      if (end > 1 && value.charAt(0) == '"' && value.charAt(end - 1) == '"') {
         start = 1;
         end--;
      }

      char[] chars = value.toCharArray();
      for (int i = start; i < end; i++) {
         char c = chars[i];
         if (c < 0x21 || c == 0x22 || c == 0x2c || c == 0x3b || c == 0x5c || c == 0x7f) {
            throw new IllegalArgumentException("无效的value值:" + Integer.toString(c));
         }
      }
   }

   private static void validateDomain(String domain) {
      int i = 0;
      int prev = -1;
      int cur = -1;
      char[] chars = domain.toCharArray();
      while (i < chars.length) {
         prev = cur;
         cur = chars[i];
         if (!domainValid.get(cur)) {
            throw new IllegalArgumentException("无效的domain值:" + domain);
         }
         // labels must start with a letter or number
         if ((prev == '.' || prev == -1) && (cur == '.' || cur == '-')) {
            throw new IllegalArgumentException("无效的domain值:" + domain);
         }
         // labels must end with a letter or number
         if (prev == '-' && cur == '.') {
            throw new IllegalArgumentException("无效的domain值:" + domain);
         }
         i++;
      }
      // domain must end with a label
      if (cur == '.' || cur == '-') {
         throw new IllegalArgumentException("无效的domain值:" + domain);
      }
   }

   private static void validatePath(String path) {
      char[] chars = path.toCharArray();

      for (int i = 0; i < chars.length; i++) {
         char ch = chars[i];
         if (ch < 0x20 || ch > 0x7E || ch == ';') {
            throw new IllegalArgumentException("无效的path值:" + path);
         }
      }
   }
}
阅读更多

扫码向博主提问

蒋固金

非学,无以致疑;非问,无以广识
  • 擅长领域:
  • java
  • oracle
  • js
去开通我的Chat快问
版权声明:本文为博主原创文章,转载请标明出处。 https://blog.csdn.net/jianggujin/article/details/80728807
文章标签: HttpOnly
个人分类: Servlet
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭
关闭