Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1

Closes gh-12146 Closes gh-12148
2026-05-22 21:33:16 +00:00 · 2022-11-07 13:43:26 -03:00
parent 9e628fb75b
commit 3b5d19c8a4
14 changed files with 59 additions and 142 deletions
@@ -105,14 +105,6 @@ public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends OnCommit
 		this.contextSaved = true;
 	}

-	@Override
-	public final String encodeRedirectUrl(String url) {
-		if (this.disableUrlRewriting) {
-			return url;
-		}
-		return super.encodeRedirectUrl(url);
-	}
-
 	@Override
 	public final String encodeRedirectURL(String url) {
 		if (this.disableUrlRewriting) {
@@ -121,14 +113,6 @@ public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends OnCommit
 		return super.encodeRedirectURL(url);
 	}

-	@Override
-	public final String encodeUrl(String url) {
-		if (this.disableUrlRewriting) {
-			return url;
-		}
-		return super.encodeUrl(url);
-	}
-
 	@Override
 	public final String encodeURL(String url) {
 		if (this.disableUrlRewriting) {
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -51,7 +51,8 @@ class CookieDeserializer extends JsonDeserializer<Cookie> {
 		cookie.setSecure(readJsonNode(jsonNode, "secure").asBoolean());
 		cookie.setVersion(readJsonNode(jsonNode, "version").asInt());
 		cookie.setPath(readJsonNode(jsonNode, "path").asText());
-		cookie.setHttpOnly(readJsonNode(jsonNode, "httpOnly").asBoolean());
+		JsonNode attributes = readJsonNode(jsonNode, "attributes");
+		cookie.setHttpOnly(readJsonNode(attributes, "HttpOnly").asBoolean());
 		return cookie;
 	}

@@ -61,21 +61,11 @@ public class DisableEncodeUrlFilter extends OncePerRequestFilter {
 			super(response);
 		}

-		@Override
-		public String encodeRedirectUrl(String url) {
-			return url;
-		}
-
 		@Override
 		public String encodeRedirectURL(String url) {
 			return url;
 		}

-		@Override
-		public String encodeUrl(String url) {
-			return url;
-		}
-
 		@Override
 		public String encodeURL(String url) {
 			return url;
@@ -362,28 +362,6 @@ public class AbstractRememberMeServicesTests {
 		assertThat(cookie.isHttpOnly()).isTrue();
 	}

-	// SEC-2791
-	@Test
-	public void setCookieMaxAge0VersionSet() {
-		MockRememberMeServices services = new MockRememberMeServices();
-		MockHttpServletRequest request = new MockHttpServletRequest();
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		services.setCookie(new String[] { "value" }, 0, request, response);
-		Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
-		assertThat(cookie.getVersion()).isEqualTo(1);
-	}
-
-	// SEC-2791
-	@Test
-	public void setCookieMaxAgeNegativeVersionSet() {
-		MockRememberMeServices services = new MockRememberMeServices();
-		MockHttpServletRequest request = new MockHttpServletRequest();
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		services.setCookie(new String[] { "value" }, -1, request, response);
-		Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
-		assertThat(cookie.getVersion()).isEqualTo(1);
-	}
-
 	// SEC-2791
 	@Test
 	public void setCookieMaxAge1VersionSet() {
@@ -540,21 +540,11 @@ public class HttpSessionSecurityContextRepositoryTests {
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		final String sessionId = ";jsessionid=id";
 		MockHttpServletResponse response = new MockHttpServletResponse() {
-			@Override
-			public String encodeRedirectUrl(String url) {
-				return url + sessionId;
-			}
-
 			@Override
 			public String encodeRedirectURL(String url) {
 				return url + sessionId;
 			}

-			@Override
-			public String encodeUrl(String url) {
-				return url + sessionId;
-			}
-
 			@Override
 			public String encodeURL(String url) {
 				return url + sessionId;
@@ -563,16 +553,12 @@ public class HttpSessionSecurityContextRepositoryTests {
 		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
 		repo.loadContext(holder);
 		String url = "/aUrl";
-		assertThat(holder.getResponse().encodeRedirectUrl(url)).isEqualTo(url + sessionId);
 		assertThat(holder.getResponse().encodeRedirectURL(url)).isEqualTo(url + sessionId);
-		assertThat(holder.getResponse().encodeUrl(url)).isEqualTo(url + sessionId);
 		assertThat(holder.getResponse().encodeURL(url)).isEqualTo(url + sessionId);
 		repo.setDisableUrlRewriting(true);
 		holder = new HttpRequestResponseHolder(request, response);
 		repo.loadContext(holder);
-		assertThat(holder.getResponse().encodeRedirectUrl(url)).isEqualTo(url);
 		assertThat(holder.getResponse().encodeRedirectURL(url)).isEqualTo(url);
-		assertThat(holder.getResponse().encodeUrl(url)).isEqualTo(url);
 		assertThat(holder.getResponse().encodeURL(url)).isEqualTo(url);
 	}

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -140,14 +140,6 @@ public class FirewalledResponseTests {
 				.withMessageContaining(CRLF_MESSAGE);
 	}

-	@Test
-	public void addCookieWhenCookieCommentContainsCrlfThenException() {
-		Cookie cookie = new Cookie("foo", "bar");
-		cookie.setComment("foo\r\nbar");
-		assertThatIllegalArgumentException().isThrownBy(() -> this.fwResponse.addCookie(cookie))
-				.withMessageContaining(CRLF_MESSAGE);
-	}
-
 	@Test
 	public void rejectAnyLineEndingInNameAndValue() {
 		validateLineEnding("foo", "foo\rbar");
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -33,19 +33,35 @@ import static org.assertj.core.api.Assertions.assertThat;
 public class CookieMixinTests extends AbstractMixinTests {

 	// @formatter:off
-	private static final String COOKIE_JSON = "{"
-		+ "\"@class\": \"jakarta.servlet.http.Cookie\", "
-		+ "\"name\": \"demo\", "
-		+ "\"value\": \"cookie1\","
-		+ "\"comment\": null, "
-		+ "\"maxAge\": -1, "
-		+ "\"path\": null, "
-		+ "\"secure\": false, "
-		+ "\"version\": 0, "
-		+ "\"isHttpOnly\": false, "
-		+ "\"domain\": null"
-	+ "}";
+	private static final String COOKIE_JSON = "{" +
+		"	\"@class\": \"jakarta.servlet.http.Cookie\"," +
+		"	\"name\": \"demo\"," +
+		"	\"value\": \"cookie1\"," +
+		"	\"attributes\":{\"@class\":\"java.util.Collections$EmptyMap\"}," +
+		"	\"comment\": null," +
+		"	\"maxAge\": -1," +
+		"	\"path\": null," +
+		"	\"secure\": false," +
+		"	\"version\": 0," +
+		"	\"domain\": null" +
+		"}";
 	// @formatter:on
+
+	// @formatter:off
+	private static final String COOKIE_HTTP_ONLY_JSON = "{" +
+		"	\"@class\": \"jakarta.servlet.http.Cookie\"," +
+		"	\"name\": \"demo\"," +
+		"	\"value\": \"cookie1\"," +
+		"	\"attributes\":{\"@class\":\"java.util.Collections$UnmodifiableMap\", \"HttpOnly\": \"true\"}," +
+		"	\"comment\": null," +
+		"	\"maxAge\": -1," +
+		"	\"path\": null," +
+		"	\"secure\": false," +
+		"	\"version\": 0," +
+		"	\"domain\": null" +
+		"}";
+	// @formatter:on
+
 	@Test
 	public void serializeCookie() throws JsonProcessingException, JSONException {
 		Cookie cookie = new Cookie("demo", "cookie1");
@@ -59,7 +75,23 @@ public class CookieMixinTests extends AbstractMixinTests {
 		assertThat(cookie).isNotNull();
 		assertThat(cookie.getName()).isEqualTo("demo");
 		assertThat(cookie.getDomain()).isEqualTo("");
-		assertThat(cookie.isHttpOnly()).isEqualTo(false);
+	}
+
+	@Test
+	public void serializeCookieWithHttpOnly() throws JsonProcessingException, JSONException {
+		Cookie cookie = new Cookie("demo", "cookie1");
+		cookie.setHttpOnly(true);
+		String actualString = this.mapper.writeValueAsString(cookie);
+		JSONAssert.assertEquals(COOKIE_HTTP_ONLY_JSON, actualString, true);
+	}
+
+	@Test
+	public void deserializeCookieWithHttpOnly() throws IOException {
+		Cookie cookie = this.mapper.readValue(COOKIE_HTTP_ONLY_JSON, Cookie.class);
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.getName()).isEqualTo("demo");
+		assertThat(cookie.getDomain()).isEqualTo("");
+		assertThat(cookie.isHttpOnly()).isEqualTo(true);
 	}

 }
@@ -46,21 +46,11 @@ class DisableEncodeUrlFilterTests {
 		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeURL("/"));
 	}

-	@Test
-	void doFilterDisablesEncodeUrl() throws Exception {
-		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeUrl("/"));
-	}
-
 	@Test
 	void doFilterDisablesEncodeRedirectURL() throws Exception {
 		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeRedirectURL("/"));
 	}

-	@Test
-	void doFilterDisablesEncodeRedirectUrl() throws Exception {
-		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeRedirectUrl("/"));
-	}
-
 	private void verifyDoFilterDoesNotInteractWithResponse(Consumer<HttpServletResponse> toInvoke) throws Exception {
 		this.filter.doFilter(this.request, this.response, (request, response) -> {
 			HttpServletResponse httpResponse = (HttpServletResponse) response;