Class CookieInterceptor
- All Implemented Interfaces:
Serializable,ConditionalInterceptor,Interceptor
The aim of this interceptor is to set values in the stack/action based on cookie name/value of interest.
If an asterisk is present in cookiesName parameter, it will be assume that all cookies name are to be injected into struts' action, even though cookiesName is comma-separated by other values, e.g. (cookie1,*,cookie2).
If cookiesName is left empty it will assume that no cookie will be injected into Struts' action.
If an asterisk is present in cookiesValue parameter, it will assume that all cookies name irrespective of its value will be injected into Struts' action so long as the cookie name matches those specified in cookiesName parameter.
If cookiesValue is left empty it will assume that all cookie that match the cookieName parameter will be injected into Struts' action.
The action could implement CookiesAware in order to have a Map
of filtered cookies set into it.
- cookiesName (mandatory) - Name of cookies to be injected into the action. If more than one cookie name is desired it could be comma-separated. If all cookies name is desired, it could simply be *, an asterik. When many cookies name are comma-separated either of the cookie that match the name in the comma-separated list will be qualified.
- cookiesValue (mandatory) - Value of cookies that if its name matches cookieName attribute and its value matched this, will be injected into Struts' action. If more than one cookie name is desired it could be comma-separated. If left empty, it will assume any value would be ok. If more than one value is specified (comma-separated) it will assume a match if either value is matched.
- acceptCookieNames (optional) - Pattern used to check if name of cookie matches the provided patter, to
-
populateCookieValueIntoStack(name, value, map, stack, action) - the preferred extension point
since 7.2.0. The default implementation gates the cookie write through
ParameterAuthorizerand primes the OGNL allowlist viaParameterAllowlisterbefore delegating to the legacy 4-argpopulateCookieValueIntoStack. Override here to customize the authorization behavior itself. -
populateCookieValueIntoStack(name, value, map, stack) - deprecated since 7.2.0. The legacy
hook that performs the actual
stack.setValue. Existing overrides continue to work and automatically receive only authorized cookies via the 5-arg default. -
injectIntoCookiesAwareAction - this method will inject selected cookies (as a java.util.Map)
into action that implements
CookiesAware.
<!--
This example will inject cookies named either 'cookie1' or 'cookie2' whose
value could be either 'cookie1value' or 'cookie2value' into Struts' action.
-->
<action ... >
<interceptor-ref name="cookie">
<param name="cookiesName">cookie1, cookie2</param>
<param name="cookiesValue">cookie1value, cookie2value</param>
</interceptor-ref>
....
</action>
<!--
This example will inject cookies named either 'cookie1' or 'cookie2'
regardless of their value into Struts' action.
-->
<action ... >
<interceptor-ref name="cookie">
<param name="cookiesName">cookie1, cookie2</param>
<param name="cookiesValue">*</param>
<interceptor-ref>
...
</action>
<!--
This example will inject cookies named either 'cookie1' with value
'cookie1value' or 'cookie2' with value 'cookie2value' into Struts'
action.
-->
<action ... >
<interceptor-ref name="cookie">
<param name="cookiesName">cookie1</param>
<param name="cookiesValue">cookie1value</param>
</interceptor-ref>
<interceptor-ref name="cookie">
<param name="cookiesName"<cookie2</param>
<param name="cookiesValue">cookie2value</param>
</interceptor-ref>
....
</action>
<!--
This example will inject any cookies regardless of its value into
Struts' action.
-->
<action ... >
<interceptor-ref name="cookie">
<param name="cookiesName">*</param>
<param name="cookiesValue">*</param>
</interceptor-ref>
...
</action>
- See Also:
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voidinjectIntoCookiesAwareAction(Object action, Map<String, String> cookiesMap) intercept(ActionInvocation invocation) Override to handle interceptionprotected booleanisAcceptableName(String name) Checks if name of Cookie doesn't contain vulnerable codeprotected booleanisAccepted(String name) Checks if name/value of Cookie is acceptableprotected booleanisExcluded(String name) Checks if name/value of Cookie is excludedprotected voidpopulateCookieValueIntoStack(String cookieName, String cookieValue, Map<String, String> cookiesMap, ValueStack stack) Deprecated.since 7.2.0.protected voidpopulateCookieValueIntoStack(String cookieName, String cookieValue, Map<String, String> cookiesMap, ValueStack stack, Object action) Authorizes the cookie againstParameterAuthorizer, primes OGNL allowlist for any nested path viaParameterAllowlister, then delegates to the legacypopulateCookieValueIntoStack(String, String, Map, ValueStack)hook so existing subclass overrides continue to participate.voidsetAcceptCookieNames(String commaDelimitedPattern) Set theacceptCookieNamespattern of allowed names of cookies to protect against remote command execution vulnerability.voidsetAcceptedPatternsChecker(AcceptedPatternsChecker acceptedPatternsChecker) voidsetCookiesName(String cookiesName) voidsetCookiesValue(String cookiesValue) voidsetExcludedPatternsChecker(ExcludedPatternsChecker excludedPatternsChecker) voidsetParameterAllowlister(ParameterAllowlister parameterAllowlister) voidsetParameterAuthorizer(ParameterAuthorizer parameterAuthorizer) Methods inherited from class org.apache.struts2.interceptor.AbstractInterceptor
destroy, init, setDisabled, shouldIntercept
-
Constructor Details
-
CookieInterceptor
public CookieInterceptor()
-
-
Method Details
-
setExcludedPatternsChecker
-
setAcceptedPatternsChecker
-
setParameterAuthorizer
-
setParameterAllowlister
-
setCookiesName
- Parameters:
cookiesName- thecookiesNamewhich if matched will allow the cookie to be injected into action, could be comma-separated string.
-
setCookiesValue
- Parameters:
cookiesValue- thecookiesValuewhich if matched (together with matching cookiesName) will caused the cookie to be injected into action, could be comma-separated string.
-
setAcceptCookieNames
Set theacceptCookieNamespattern of allowed names of cookies to protect against remote command execution vulnerability.- Parameters:
commaDelimitedPattern- is used to check cookie name against, can set of comma delimited patterns
-
intercept
Description copied from class:AbstractInterceptorOverride to handle interception- Specified by:
interceptin interfaceInterceptor- Specified by:
interceptin classAbstractInterceptor- Parameters:
invocation- the action invocation- Returns:
- the return code, either returned from
ActionInvocation.invoke(), or from the interceptor itself. - Throws:
Exception- any system-level error, as defined inAction.execute().
-
isAcceptableName
Checks if name of Cookie doesn't contain vulnerable code- Parameters:
name- of Cookie- Returns:
- true|false
-
isAccepted
Checks if name/value of Cookie is acceptable- Parameters:
name- of Cookie- Returns:
- true|false
-
isExcluded
Checks if name/value of Cookie is excluded- Parameters:
name- of Cookie- Returns:
- true|false
-
populateCookieValueIntoStack
protected void populateCookieValueIntoStack(String cookieName, String cookieValue, Map<String, String> cookiesMap, ValueStack stack, Object action) Authorizes the cookie againstParameterAuthorizer, primes OGNL allowlist for any nested path viaParameterAllowlister, then delegates to the legacypopulateCookieValueIntoStack(String, String, Map, ValueStack)hook so existing subclass overrides continue to participate. Override this method to customize the authorization behavior itself.- Parameters:
cookieName- cookie name (potentially an OGNL path;ACCEPTED_PATTERNrestricts the character set)cookieValue- cookie valuecookiesMap- map of cookies populated forCookiesAwarestack- current request value stackaction- the action instance fromActionInvocation.getAction(); used for@StrutsParametertarget resolution- Since:
- 7.2.0
-
populateCookieValueIntoStack
@Deprecated(since="7.2.0") protected void populateCookieValueIntoStack(String cookieName, String cookieValue, Map<String, String> cookiesMap, ValueStack stack) Deprecated.since 7.2.0. OverridepopulateCookieValueIntoStack(String, String, Map, ValueStack, Object)instead so cookie writes are authorized byParameterAuthorizer. The default 5-arg implementation calls this method after the authorization gate, so existing overrides continue to receive only authorized cookies.Hook that populate cookie value into value stack (hence the action) if the criteria is satisfied (if the cookie value matches with those configured).- Parameters:
cookieName- cookie namecookieValue- cookie valuecookiesMap- map of cookiesstack- value stack
-
injectIntoCookiesAwareAction
- Parameters:
action- action objectcookiesMap- map of cookies
-