| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package util; |
| |
| import java.util.Locale; |
| import java.util.StringTokenizer; |
| |
| /** |
| * Processes a cookie header and attempts to obfuscate any cookie values that |
| * represent session IDs from other web applications. Since session cookie names |
| * are configurable, as are session ID lengths, this filter is not expected to |
| * be 100% effective. |
| * |
| * It is required that the examples web application is removed in security |
| * conscious environments as documented in the Security How-To. This filter is |
| * intended to reduce the impact of failing to follow that advice. A failure by |
| * this filter to obfuscate a session ID or similar value is not a security |
| * vulnerability. In such instances the vulnerability is the failure to remove |
| * the examples web application. |
| */ |
public class CookieFilter {

    /** Replacement text written in place of a hidden session ID value. */
    private static final String OBFUSCATED = "[obfuscated]";

    private CookieFilter() {
        // Static utility; never instantiated.
    }

    /**
     * Rewrites a {@code Cookie} request header so that session ID values which
     * do not belong to the current session are replaced with {@link #OBFUSCATED}.
     * Pairs are split on {@code ';'}; each pair is passed through
     * {@link #filter(String, String, String)} and the pairs are re-joined with
     * {@code ';'}. Empty pairs (e.g. from {@code ";;"}) are dropped, and any
     * leading whitespace on a pair is kept as part of the cookie name.
     *
     * @param cookieHeader the raw header value (must not be {@code null})
     * @param sessionId    the current session's ID, or {@code null} if there is
     *                     no current session
     * @return the header with foreign session IDs obfuscated
     */
    public static String filter(String cookieHeader, String sessionId) {
        StringBuilder result = new StringBuilder(cookieHeader.length());

        // Session IDs never contain ';', so a plain split on ';' is adequate
        // even though quoted cookie values could in theory carry one.
        StringTokenizer pairs = new StringTokenizer(cookieHeader, ";");
        while (pairs.hasMoreTokens()) {
            result.append(obfuscatePair(pairs.nextToken(), sessionId));
            if (pairs.hasMoreTokens()) {
                result.append(';');
            }
        }

        return result.toString();
    }

    /**
     * Handles a single {@code name=value} pair. Input without an {@code '='}
     * is returned untouched; otherwise the value is run through
     * {@link #filter(String, String, String)}.
     */
    private static String obfuscatePair(String pair, String sessionId) {
        int eq = pair.indexOf('=');
        if (eq < 0) {
            return pair;
        }
        String name = pair.substring(0, eq);
        String value = pair.substring(eq + 1);
        return name + '=' + filter(name, value, sessionId);
    }

    /**
     * Decides what to show for one cookie value.
     *
     * @param cookieName  the cookie's name; matched case-insensitively against
     *                    {@code "jsessionid"} as a substring
     * @param cookieValue the cookie's value
     * @param sessionId   the current session's ID, or {@code null}
     * @return {@code cookieValue} unchanged when the name is not a session
     *         cookie, or when the value contains {@code sessionId}; otherwise
     *         {@link #OBFUSCATED}
     */
    public static String filter(String cookieName, String cookieValue, String sessionId) {
        boolean looksLikeSessionCookie =
                cookieName.toLowerCase(Locale.ENGLISH).contains("jsessionid");
        if (!looksLikeSessionCookie) {
            return cookieValue;
        }
        // Only the caller's own session ID is allowed through; with no current
        // session (sessionId == null) every session cookie value is hidden.
        boolean isOwnSession = sessionId != null && cookieValue.contains(sessionId);
        return isOwnSession ? cookieValue : OBFUSCATED;
    }
}