Disable jsessionid URL rewriting by default
This matches the default of the InvalidRequestFilter
Fixes: SHIRO-795
diff --git a/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java b/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
index 5ed98d8..fab145f 100644
--- a/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
+++ b/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
@@ -43,7 +43,7 @@
@Value("#{ @environment['shiro.sessionManager.sessionIdCookieEnabled'] ?: true }")
protected boolean sessionIdCookieEnabled;
- @Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: true }")
+ @Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: false }")
protected boolean sessionIdUrlRewritingEnabled;
@Value("#{ @environment['shiro.userNativeSessionManager'] ?: false }")
diff --git a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
index eb7eda1..9aa275a 100644
--- a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
+++ b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
@@ -58,7 +58,7 @@
cookie.setHttpOnly(true); //more secure, protects against XSS attacks
this.sessionIdCookie = cookie;
this.sessionIdCookieEnabled = true;
- this.sessionIdUrlRewritingEnabled = true;
+ this.sessionIdUrlRewritingEnabled = false;
}
public Cookie getSessionIdCookie() {
diff --git a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
index 841569f..35b3120 100644
--- a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
+++ b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
@@ -127,7 +127,7 @@
ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
- request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.TRUE);
+ request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.FALSE);
replay(cookie);
replay(request);
@@ -147,6 +147,7 @@
Cookie cookie = createMock(Cookie.class);
mgr.setSessionIdCookie(cookie);
mgr.setSessionIdCookieEnabled(false);
+ mgr.setSessionIdUrlRewritingEnabled(true)
//we should not have any reads from the cookie fields - if we do, this test case will fail.
@@ -182,6 +183,7 @@
Cookie cookie = createMock(Cookie.class);
mgr.setSessionIdCookie(cookie);
mgr.setSessionIdCookieEnabled(false);
+ mgr.setSessionIdUrlRewritingEnabled(true)
//we should not have any reads from the cookie fields - if we do, this test case will fail.
@@ -218,6 +220,7 @@
public void testGetSessionIdFromRequestUriPathSegmentParam() {
mgr.setSessionIdCookieEnabled(false);
+ mgr.setSessionIdUrlRewritingEnabled(true)
HttpServletRequest request = createMock(HttpServletRequest.class);
HttpServletResponse response = createMock(HttpServletResponse.class);
