Add options to configure Web session cookie

Author: adrienlauer

CHANGELOG.md

@@ -1,9 +1,14 @@
 # Version 3.10.0 (2019-04-30)
 
 * [new] Support JSR-250 `@PostConstruct` and `@PreDestroy` annotations on singletons (in addition to AutoCloseable `close()` method).
-* [new] New `SeedInterceptor` API to declare method interceptors without coupling to Guice implementation.
+* [new] Add `SeedInterceptor` API to declare method interceptors without coupling to Guice implementation.
+* [new] Add `web.sessions.cookie` configuration options to set Web session cookie details.
+* [chg] Moved `web.server.sessions` configuration options to `web.sessions`. 
+* [chg] Default session timeout with embedded servers is now defined by the `web.server.` configuration options to `web.sessions`. 
+* [chg] Renamed `web.staticResources` configuration options to `web.static`.
 * [fix] Ensure that JVM-wide base configuration is refreshed between tests.
 * [fix] With Jersey 2, allow JAX-RS components to be instantiated without Guice as a fallback.
+* [fix] Default session timeout for Undertow was incorrect. It is now 20 minutes.
 
 # Version 3.9.1 (2019-12-17)
 

pom.xml

@@ -215,6 +215,7 @@
                                 <exclude>org.seedstack.seed.spi.DependencyProvider</exclude>
                                 <exclude>org.seedstack.seed.web.spi.AntiXsrfService</exclude>
                                 <exclude>org.seedstack.seed.crypto.CryptoConfig</exclude>
+                                <exclude>org.seedstack.seed.web.WebConfig</exclude>
                             </excludes>
                         </parameter>
                     </configuration>

web/core/src/main/java/org/seedstack/seed/web/internal/SeedServletContainerInitializer.java

@@ -5,10 +5,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.web.internal;
 
-import static java.util.EnumSet.of;
-import static javax.servlet.SessionTrackingMode.valueOf;
 import static org.seedstack.seed.web.internal.ServletContextUtils.INJECTOR_ATTRIBUTE_NAME;
 import static org.seedstack.seed.web.internal.ServletContextUtils.KERNEL_ATTRIBUTE_NAME;
 
@@ -17,12 +16,13 @@
 import io.nuun.kernel.api.config.KernelConfiguration;
 import io.nuun.kernel.core.NuunCore;
 import java.util.Enumeration;
+import java.util.Optional;
 import java.util.Set;
 import javax.servlet.ServletContainerInitializer;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
-import javax.servlet.ServletException;
+import javax.servlet.SessionCookieConfig;
 import org.seedstack.seed.core.Seed;
 import org.seedstack.seed.web.WebConfig;
 import org.seedstack.shed.exception.BaseException;
@@ -31,9 +31,10 @@ public class SeedServletContainerInitializer implements ServletContainerInitiali
     private Kernel kernel;
 
     @Override
-    public void onStartup(Set<Class<?>> classes, ServletContext servletContext) throws ServletException {
+    public void onStartup(Set<Class<?>> classes, ServletContext servletContext) {
         WebConfig webConfig = Seed.baseConfiguration().get(WebConfig.class);
-        servletContext.setSessionTrackingModes(of(valueOf(webConfig.getSessionTrackingMode().name())));
+        servletContext.setSessionTrackingModes(webConfig.sessions().getTrackingModes());
+        copyConfig(webConfig.sessions().cookie(), servletContext.getSessionCookieConfig());
 
         try {
             kernel = Seed.createKernel(servletContext, buildKernelConfiguration(servletContext), true);
@@ -90,4 +91,14 @@ private void handleException(Exception e) throws BaseException {
         }
         throw translated;
     }
+
+    private void copyConfig(WebConfig.SessionsConfig.CookieConfig src, SessionCookieConfig dest) {
+        Optional.ofNullable(src.getComment()).ifPresent(dest::setComment);
+        Optional.ofNullable(src.getDomain()).ifPresent(dest::setDomain);
+        Optional.ofNullable(src.getName()).ifPresent(dest::setName);
+        Optional.ofNullable(src.getPath()).ifPresent(dest::setPath);
+        dest.setHttpOnly(src.isHttpOnly());
+        dest.setSecure(src.isSecure());
+        dest.setMaxAge(src.getMaxAge());
+    }
 }

web/core/src/test/java/org/seedstack/seed/web/ServletIT.java

@@ -5,9 +5,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.web;
 
 import io.restassured.RestAssured;
+import io.restassured.matcher.RestAssuredMatchers;
 import java.net.URL;
 import org.assertj.core.api.Assertions;
 import org.hamcrest.Matchers;
@@ -17,7 +19,6 @@
 import org.jboss.arquillian.test.api.ArquillianResource;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.seedstack.seed.web.fixtures.servlet.TestFilter;
@@ -99,4 +100,18 @@ public void filterParamsAreCorrectlyInitialized() {
                 .when()
                 .get(baseUrl + "testFilter1");
     }
+
+    @Test
+    @RunAsClient
+    public void sessionCookieConfigIsHonored() {
+        RestAssured.expect()
+                .statusCode(200)
+                .cookie("CUSTOM_SESSION_ID", RestAssuredMatchers.detailedCookie()
+                        .maxAge(15)
+                        .comment("Custom")
+                        .httpOnly(true)
+                )
+                .when()
+                .get(baseUrl + "sessionTest");
+    }
 }

web/core/src/test/java/org/seedstack/seed/web/fixtures/servlet/SessionTestServlet.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright © 2013-2020, The SeedStack authors <http://seedstack.org>
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.seedstack.seed.web.fixtures.servlet;
+
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value = "/sessionTest")
+public class SessionTestServlet extends HttpServlet {
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
+        req.getSession(true).setAttribute("test", "test");
+    }
+}

web/core/src/test/resources/application.yaml

@@ -7,6 +7,12 @@
 #
 
 web:
+  sessions:
+    cookie:
+      comment: Custom
+      name: CUSTOM_SESSION_ID
+      httpOnly: true
+      maxAge: 15
   cors:
     enabled: true
     properties:

web/specs/src/main/java/org/seedstack/seed/web/WebConfig.java

@@ -5,13 +5,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.web;
 
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import javax.servlet.SessionTrackingMode;
 import javax.validation.constraints.Max;
 import javax.validation.constraints.Min;
 import org.seedstack.coffig.Config;
@@ -20,11 +24,28 @@
 
 @Config("web")
 public class WebConfig {
-    private boolean requestDiagnostic;
-    private SessionTrackingMode sessionTrackingMode = SessionTrackingMode.COOKIE;
+    private SessionsConfig sessions = new SessionsConfig();
+    @Config("static")
     private StaticResourcesConfig staticResources = new StaticResourcesConfig();
     private CORSConfig cors = new CORSConfig();
-    private ServerConfig serverConfig = new ServerConfig();
+    private ServerConfig server = new ServerConfig();
+    private boolean requestDiagnostic;
+
+    public SessionsConfig sessions() {
+        return sessions;
+    }
+
+    public StaticResourcesConfig staticResources() {
+        return staticResources;
+    }
+
+    public CORSConfig cors() {
+        return cors;
+    }
+
+    public ServerConfig server() {
+        return server;
+    }
 
     public boolean isRequestDiagnosticEnabled() {
         return requestDiagnostic;
@@ -35,31 +56,102 @@ public WebConfig setRequestDiagnostic(boolean requestDiagnostic) {
         return this;
     }
 
-    public SessionTrackingMode getSessionTrackingMode() {
-        return sessionTrackingMode;
-    }
+    @Config("sessions")
+    public static class SessionsConfig {
+        private Set<SessionTrackingMode> trackingModes;
+        private CookieConfig cookie = new CookieConfig();
 
-    public WebConfig setSessionTrackingMode(SessionTrackingMode sessionTrackingMode) {
-        this.sessionTrackingMode = sessionTrackingMode;
-        return this;
-    }
+        public SessionsConfig() {
+            trackingModes = new HashSet<>();
+            trackingModes.add(SessionTrackingMode.COOKIE);
+        }
 
-    public StaticResourcesConfig staticResources() {
-        return staticResources;
-    }
+        public Set<javax.servlet.SessionTrackingMode> getTrackingModes() {
+            return trackingModes;
+        }
 
-    public CORSConfig cors() {
-        return cors;
-    }
+        public SessionsConfig setTrackingModes(Set<javax.servlet.SessionTrackingMode> trackingModes) {
+            this.trackingModes = trackingModes;
+            return this;
+        }
 
-    public ServerConfig serverConfig() {
-        return serverConfig;
-    }
+        public CookieConfig cookie() {
+            return cookie;
+        }
+
+        @Config("cookie")
+        public static class CookieConfig {
+            private boolean httpOnly = false;
+            private boolean secure = false;
+            private int maxAge = -1;
+            private String comment;
+            private String domain;
+            private String name;
+            private String path;
+
+            public boolean isHttpOnly() {
+                return httpOnly;
+            }
+
+            public CookieConfig setHttpOnly(boolean httpOnly) {
+                this.httpOnly = httpOnly;
+                return this;
+            }
+
+            public boolean isSecure() {
+                return secure;
+            }
+
+            public CookieConfig setSecure(boolean secure) {
+                this.secure = secure;
+                return this;
+            }
+
+            public int getMaxAge() {
+                return maxAge;
+            }
+
+            public CookieConfig setMaxAge(int maxAge) {
+                this.maxAge = maxAge;
+                return this;
+            }
+
+            public String getComment() {
+                return comment;
+            }
+
+            public CookieConfig setComment(String comment) {
+                this.comment = comment;
+                return this;
+            }
+
+            public String getDomain() {
+                return domain;
+            }
+
+            public CookieConfig setDomain(String domain) {
+                this.domain = domain;
+                return this;
+            }
 
-    public enum SessionTrackingMode {
-        COOKIE,
-        SSL,
-        URL
+            public String getName() {
+                return name;
+            }
+
+            public CookieConfig setName(String name) {
+                this.name = name;
+                return this;
+            }
+
+            public String getPath() {
+                return path;
+            }
+
+            public CookieConfig setPath(String path) {
+                this.path = path;
+                return this;
+            }
+        }
     }
 
     @Config("cors")
@@ -168,7 +260,6 @@ public static class ServerConfig {
         private static final String DEFAULT_WELCOME_FILE = "index.html";
         private static final boolean DEFAULT_PREFER_HTTPS = true;
 
-        private SessionsConfig sessions = new SessionsConfig();
         private WebSocketConfig websocket = new WebSocketConfig();
         private String host = DEFAULT_HOST;
         @SingleValue
@@ -187,15 +278,12 @@ public static class ServerConfig {
         private boolean preferHttps = DEFAULT_PREFER_HTTPS;
         private List<String> welcomeFiles = new ArrayList<>();
         private List<ErrorPage> errorPages = new ArrayList<>();
+        private int defaultSessionTimeout = 60 * 20;
 
         public ServerConfig() {
             addWelcomeFile(DEFAULT_WELCOME_FILE);
         }
 
-        public SessionsConfig sessions() {
-            return sessions;
-        }
-
         public WebSocketConfig webSocket() {
             return websocket;
         }
@@ -307,20 +395,13 @@ public ServerConfig addErrorPage(ErrorPage errorPage) {
             return this;
         }
 
-        @Config("sessions")
-        public static class SessionsConfig {
-            private static final int DEFAULT_SESSION_TIMEOUT = 1000 * 60 * 15;
-            @SingleValue
-            private int timeout = DEFAULT_SESSION_TIMEOUT;
-
-            public int getTimeout() {
-                return timeout;
-            }
+        public int getDefaultSessionTimeout() {
+            return defaultSessionTimeout;
+        }
 
-            public SessionsConfig setTimeout(int timeout) {
-                this.timeout = timeout;
-                return this;
-            }
+        public ServerConfig setDefaultSessionTimeout(int defaultSessionTimeout) {
+            this.defaultSessionTimeout = defaultSessionTimeout;
+            return this;
         }
 
         @Config("websocket")

web/undertow/src/main/java/org/seedstack/seed/undertow/internal/DeploymentManagerFactory.java

@@ -5,6 +5,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.undertow.internal;
 
 import static org.seedstack.shed.ClassLoaders.findMostCompleteClassLoader;
@@ -70,7 +71,7 @@ private DeploymentInfo configureDeploymentInfo() {
                 .setClassLoader(mostCompleteClassLoader)
                 .setDeploymentName(applicationConfig.getId())
                 .setDisplayName(applicationConfig.getName())
-                .setDefaultSessionTimeout(serverConfig.sessions().getTimeout())
+                .setDefaultSessionTimeout(serverConfig.getDefaultSessionTimeout())
                 .setResourceManager(new ClassPathResourceManager(mostCompleteClassLoader, META_INF_RESOURCES))
                 .addWelcomePages(serverConfig.getWelcomeFiles())
                 .addErrorPages(buildUndertowErrorPages(serverConfig.getErrorPages()))