/* |
|
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. |
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
* |
|
* This code is free software; you can redistribute it and/or modify it |
|
* under the terms of the GNU General Public License version 2 only, as |
|
* published by the Free Software Foundation. Oracle designates this |
|
* particular file as subject to the "Classpath" exception as provided |
|
* by Oracle in the LICENSE file that accompanied this code. |
|
* |
|
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
* version 2 for more details (a copy is included in the LICENSE file that |
|
* accompanied this code). |
|
* |
|
* You should have received a copy of the GNU General Public License version |
|
* 2 along with this work; if not, write to the Free Software Foundation, |
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
* |
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
* or visit www.oracle.com if you need additional information or have any |
|
* questions. |
|
*/ |
|
package java.net; |
|
import java.util.Map; |
|
import java.util.List; |
|
import java.util.Collections; |
|
import java.util.Comparator; |
|
import java.io.IOException; |
|
import sun.util.logging.PlatformLogger; |
|
/** |
|
* CookieManager provides a concrete implementation of {@link CookieHandler}, |
|
* which separates the storage of cookies from the policy surrounding accepting |
|
* and rejecting cookies. A CookieManager is initialized with a {@link CookieStore} |
|
* which manages storage, and a {@link CookiePolicy} object, which makes |
|
* policy decisions on cookie acceptance/rejection. |
|
* |
|
* <p> The HTTP cookie management in java.net package looks like: |
|
* <blockquote> |
|
* <pre>{@code |
|
* use |
|
* CookieHandler <------- HttpURLConnection |
|
* ^ |
|
* | impl |
|
* | use |
|
* CookieManager -------> CookiePolicy |
|
* | use |
|
* |--------> HttpCookie |
|
* | ^ |
|
* | | use |
|
* | use | |
|
* |--------> CookieStore |
|
* ^ |
|
* | impl |
|
* | |
|
* Internal in-memory implementation |
|
* }</pre> |
|
* <ul> |
|
* <li> |
|
* CookieHandler is at the core of cookie management. User can call |
|
* CookieHandler.setDefault to set a concrete CookieHanlder implementation |
|
* to be used. |
|
* </li> |
|
* <li> |
|
* CookiePolicy.shouldAccept will be called by CookieManager.put to see whether |
|
* or not one cookie should be accepted and put into cookie store. User can use |
|
* any of three pre-defined CookiePolicy, namely ACCEPT_ALL, ACCEPT_NONE and |
|
* ACCEPT_ORIGINAL_SERVER, or user can define his own CookiePolicy implementation |
|
* and tell CookieManager to use it. |
|
* </li> |
|
* <li> |
|
* CookieStore is the place where any accepted HTTP cookie is stored in. |
|
* If not specified when created, a CookieManager instance will use an internal |
|
* in-memory implementation. Or user can implements one and tell CookieManager |
|
* to use it. |
|
* </li> |
|
* <li> |
|
* Currently, only CookieStore.add(URI, HttpCookie) and CookieStore.get(URI) |
|
* are used by CookieManager. Others are for completeness and might be needed |
|
* by a more sophisticated CookieStore implementation, e.g. a NetscapeCookieStore. |
|
* </li> |
|
* </ul> |
|
* </blockquote> |
|
* |
|
* <p>There're various ways user can hook up his own HTTP cookie management behavior, e.g. |
|
* <blockquote> |
|
* <ul> |
|
* <li>Use CookieHandler.setDefault to set a brand new {@link CookieHandler} implementation |
|
* <li>Let CookieManager be the default {@link CookieHandler} implementation, |
|
* but implement user's own {@link CookieStore} and {@link CookiePolicy} |
|
* and tell default CookieManager to use them: |
|
* <blockquote><pre> |
|
* // this should be done at the beginning of an HTTP session |
|
* CookieHandler.setDefault(new CookieManager(new MyCookieStore(), new MyCookiePolicy())); |
|
* </pre></blockquote> |
|
* <li>Let CookieManager be the default {@link CookieHandler} implementation, but |
|
* use customized {@link CookiePolicy}: |
|
* <blockquote><pre> |
|
* // this should be done at the beginning of an HTTP session |
|
* CookieHandler.setDefault(new CookieManager()); |
|
* // this can be done at any point of an HTTP session |
|
* ((CookieManager)CookieHandler.getDefault()).setCookiePolicy(new MyCookiePolicy()); |
|
* </pre></blockquote> |
|
* </ul> |
|
* </blockquote> |
|
* |
|
* <p>The implementation conforms to <a href="http://www.ietf.org/rfc/rfc2965.txt">RFC 2965</a>, section 3.3. |
|
* |
|
* @see CookiePolicy |
|
* @author Edward Wang |
|
* @since 1.6 |
|
*/ |
|
public class CookieManager extends CookieHandler |
|
{ |
|
/* ---------------- Fields -------------- */ |
|
private CookiePolicy policyCallback; |
|
private CookieStore cookieJar = null; |
|
/* ---------------- Ctors -------------- */ |
|
/** |
|
* Create a new cookie manager. |
|
* |
|
* <p>This constructor will create new cookie manager with default |
|
* cookie store and accept policy. The effect is same as |
|
* {@code CookieManager(null, null)}. |
|
*/ |
|
public CookieManager() { |
|
this(null, null); |
|
} |
|
/** |
|
* Create a new cookie manager with specified cookie store and cookie policy. |
|
* |
|
* @param store a {@code CookieStore} to be used by cookie manager. |
|
* if {@code null}, cookie manager will use a default one, |
|
* which is an in-memory CookieStore implementation. |
|
* @param cookiePolicy a {@code CookiePolicy} instance |
|
* to be used by cookie manager as policy callback. |
|
* if {@code null}, ACCEPT_ORIGINAL_SERVER will |
|
* be used. |
|
*/ |
|
public CookieManager(CookieStore store, |
|
CookiePolicy cookiePolicy) |
|
{ |
|
// use default cookie policy if not specify one |
|
policyCallback = (cookiePolicy == null) ? CookiePolicy.ACCEPT_ORIGINAL_SERVER |
|
: cookiePolicy; |
|
// if not specify CookieStore to use, use default one |
|
if (store == null) { |
|
cookieJar = new InMemoryCookieStore(); |
|
} else { |
|
cookieJar = store; |
|
} |
|
} |
|
/* ---------------- Public operations -------------- */ |
|
/** |
|
* To set the cookie policy of this cookie manager. |
|
* |
|
* <p> A instance of {@code CookieManager} will have |
|
* cookie policy ACCEPT_ORIGINAL_SERVER by default. Users always |
|
* can call this method to set another cookie policy. |
|
* |
|
* @param cookiePolicy the cookie policy. Can be {@code null}, which |
|
* has no effects on current cookie policy. |
|
*/ |
|
public void setCookiePolicy(CookiePolicy cookiePolicy) { |
|
if (cookiePolicy != null) policyCallback = cookiePolicy; |
|
} |
|
/** |
|
* To retrieve current cookie store. |
|
* |
|
* @return the cookie store currently used by cookie manager. |
|
*/ |
|
public CookieStore getCookieStore() { |
|
return cookieJar; |
|
} |
|
public Map<String, List<String>> |
|
get(URI uri, Map<String, List<String>> requestHeaders) |
|
throws IOException |
|
{ |
|
// pre-condition check |
|
if (uri == null || requestHeaders == null) { |
|
throw new IllegalArgumentException("Argument is null"); |
|
} |
|
// if there's no default CookieStore, no way for us to get any cookie |
|
if (cookieJar == null) |
|
return Map.of(); |
|
boolean secureLink = "https".equalsIgnoreCase(uri.getScheme()); |
|
List<HttpCookie> cookies = new java.util.ArrayList<>(); |
|
String path = uri.getPath(); |
|
if (path == null || path.isEmpty()) { |
|
path = "/"; |
|
} |
|
for (HttpCookie cookie : cookieJar.get(uri)) { |
|
// apply path-matches rule (RFC 2965 sec. 3.3.4) |
|
// and check for the possible "secure" tag (i.e. don't send |
|
// 'secure' cookies over unsecure links) |
|
if (pathMatches(path, cookie.getPath()) && |
|
(secureLink || !cookie.getSecure())) { |
|
// Enforce httponly attribute |
|
if (cookie.isHttpOnly()) { |
|
String s = uri.getScheme(); |
|
if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) { |
|
continue; |
|
} |
|
} |
|
// Let's check the authorize port list if it exists |
|
String ports = cookie.getPortlist(); |
|
if (ports != null && !ports.isEmpty()) { |
|
int port = uri.getPort(); |
|
if (port == -1) { |
|
port = "https".equals(uri.getScheme()) ? 443 : 80; |
|
} |
|
if (isInPortList(ports, port)) { |
|
cookies.add(cookie); |
|
} |
|
} else { |
|
cookies.add(cookie); |
|
} |
|
} |
|
} |
|
// apply sort rule (RFC 2965 sec. 3.3.4) |
|
List<String> cookieHeader = sortByPath(cookies); |
|
return Map.of("Cookie", cookieHeader); |
|
} |
|
public void |
|
put(URI uri, Map<String, List<String>> responseHeaders) |
|
throws IOException |
|
{ |
|
// pre-condition check |
|
if (uri == null || responseHeaders == null) { |
|
throw new IllegalArgumentException("Argument is null"); |
|
} |
|
// if there's no default CookieStore, no need to remember any cookie |
|
if (cookieJar == null) |
|
return; |
|
PlatformLogger logger = PlatformLogger.getLogger("java.net.CookieManager"); |
|
for (String headerKey : responseHeaders.keySet()) { |
|
// RFC 2965 3.2.2, key must be 'Set-Cookie2' |
|
// we also accept 'Set-Cookie' here for backward compatibility |
|
if (headerKey == null |
|
|| !(headerKey.equalsIgnoreCase("Set-Cookie2") |
|
|| headerKey.equalsIgnoreCase("Set-Cookie") |
|
) |
|
) |
|
{ |
|
continue; |
|
} |
|
for (String headerValue : responseHeaders.get(headerKey)) { |
|
try { |
|
List<HttpCookie> cookies; |
|
try { |
|
cookies = HttpCookie.parse(headerValue); |
|
} catch (IllegalArgumentException e) { |
|
// Bogus header, make an empty list and log the error |
|
cookies = java.util.Collections.emptyList(); |
|
if (logger.isLoggable(PlatformLogger.Level.SEVERE)) { |
|
logger.severe("Invalid cookie for " + uri + ": " + headerValue); |
|
} |
|
} |
|
for (HttpCookie cookie : cookies) { |
|
if (cookie.getPath() == null) { |
|
// If no path is specified, then by default |
|
// the path is the directory of the page/doc |
|
String path = uri.getPath(); |
|
if (!path.endsWith("/")) { |
|
int i = path.lastIndexOf('/'); |
|
if (i > 0) { |
|
path = path.substring(0, i + 1); |
|
} else { |
|
path = "/"; |
|
} |
|
} |
|
cookie.setPath(path); |
|
} |
|
// As per RFC 2965, section 3.3.1: |
|
// Domain Defaults to the effective request-host. (Note that because |
|
// there is no dot at the beginning of effective request-host, |
|
// the default Domain can only domain-match itself.) |
|
if (cookie.getDomain() == null) { |
|
String host = uri.getHost(); |
|
if (host != null && !host.contains(".")) |
|
host += ".local"; |
|
cookie.setDomain(host); |
|
} |
|
String ports = cookie.getPortlist(); |
|
if (ports != null) { |
|
int port = uri.getPort(); |
|
if (port == -1) { |
|
port = "https".equals(uri.getScheme()) ? 443 : 80; |
|
} |
|
if (ports.isEmpty()) { |
|
// Empty port list means this should be restricted |
|
// to the incoming URI port |
|
cookie.setPortlist("" + port ); |
|
if (shouldAcceptInternal(uri, cookie)) { |
|
cookieJar.add(uri, cookie); |
|
} |
|
} else { |
|
// Only store cookies with a port list |
|
// IF the URI port is in that list, as per |
|
// RFC 2965 section 3.3.2 |
|
if (isInPortList(ports, port) && |
|
shouldAcceptInternal(uri, cookie)) { |
|
cookieJar.add(uri, cookie); |
|
} |
|
} |
|
} else { |
|
if (shouldAcceptInternal(uri, cookie)) { |
|
cookieJar.add(uri, cookie); |
|
} |
|
} |
|
} |
|
} catch (IllegalArgumentException e) { |
|
// invalid set-cookie header string |
|
// no-op |
|
} |
|
} |
|
} |
|
} |
|
/* ---------------- Private operations -------------- */ |
|
// to determine whether or not accept this cookie |
|
private boolean shouldAcceptInternal(URI uri, HttpCookie cookie) { |
|
try { |
|
return policyCallback.shouldAccept(uri, cookie); |
|
} catch (Exception ignored) { // pretect against malicious callback |
|
return false; |
|
} |
|
} |
|
private static boolean isInPortList(String lst, int port) { |
|
int i = lst.indexOf(','); |
|
int val = -1; |
|
while (i > 0) { |
|
try { |
|
val = Integer.parseInt(lst, 0, i, 10); |
|
if (val == port) { |
|
return true; |
|
} |
|
} catch (NumberFormatException numberFormatException) { |
|
} |
|
lst = lst.substring(i+1); |
|
i = lst.indexOf(','); |
|
} |
|
if (!lst.isEmpty()) { |
|
try { |
|
val = Integer.parseInt(lst); |
|
if (val == port) { |
|
return true; |
|
} |
|
} catch (NumberFormatException numberFormatException) { |
|
} |
|
} |
|
return false; |
|
} |
|
/* |
|
* path-matches algorithm, as defined by RFC 2965 |
|
*/ |
|
private boolean pathMatches(String path, String pathToMatchWith) { |
|
if (path == pathToMatchWith) |
|
return true; |
|
if (path == null || pathToMatchWith == null) |
|
return false; |
|
if (path.startsWith(pathToMatchWith)) |
|
return true; |
|
return false; |
|
} |
|
/* |
|
* sort cookies with respect to their path: those with more specific Path attributes |
|
* precede those with less specific, as defined in RFC 2965 sec. 3.3.4 |
|
*/ |
|
private List<String> sortByPath(List<HttpCookie> cookies) { |
|
Collections.sort(cookies, new CookiePathComparator()); |
|
List<String> cookieHeader = new java.util.ArrayList<>(); |
|
for (HttpCookie cookie : cookies) { |
|
// Netscape cookie spec and RFC 2965 have different format of Cookie |
|
// header; RFC 2965 requires a leading $Version="1" string while Netscape |
|
// does not. |
|
// The workaround here is to add a $Version="1" string in advance |
|
if (cookies.indexOf(cookie) == 0 && cookie.getVersion() > 0) { |
|
cookieHeader.add("$Version=\"1\""); |
|
} |
|
cookieHeader.add(cookie.toString()); |
|
} |
|
return cookieHeader; |
|
} |
|
static class CookiePathComparator implements Comparator<HttpCookie> { |
|
public int compare(HttpCookie c1, HttpCookie c2) { |
|
if (c1 == c2) return 0; |
|
if (c1 == null) return -1; |
|
if (c2 == null) return 1; |
|
// path rule only applies to the cookies with same name |
|
if (!c1.getName().equals(c2.getName())) return 0; |
|
// those with more specific Path attributes precede those with less specific |
|
if (c1.getPath().startsWith(c2.getPath())) |
|
return -1; |
|
else if (c2.getPath().startsWith(c1.getPath())) |
|
return 1; |
|
else |
|
return 0; |
|
} |
|
} |
|
} |