

Disable jsessionid URL rewriting by default
This matches the default of the InvalidRequestFilter

Fixes: SHIRO-795
bdemers committed Nov 4, 2020
1 parent 042c593 commit 5b1add9
Showing 3 changed files with 6 additions and 3 deletions.
Expand Up @@ -43,7 +43,7 @@ public class AbstractShiroWebConfiguration extends AbstractShiroConfiguration {
@Value("#{ @environment['shiro.sessionManager.sessionIdCookieEnabled'] ?: true }")
protected boolean sessionIdCookieEnabled;

@Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: true }")
@Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: false }")
protected boolean sessionIdUrlRewritingEnabled;

@Value("#{ @environment['shiro.userNativeSessionManager'] ?: false }")
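Review bot: The `@Value` default for `shiro.sessionManager.sessionIdUrlRewritingEnabled` flips from `true` to `false` without any Javadoc on the field, so an operator reading this class cannot tell that a cookie-less client that previously kept its session through `;jsessionid` rewriting will now lose it unless the property is set to `true` explicitly. A short field comment would make the change and its rationale discoverable: `/** Disabled by default, matching InvalidRequestFilter; set shiro.sessionManager.sessionIdUrlRewritingEnabled=true to allow session IDs in URLs. */`. The same default is hard-coded independently in the DefaultWebSessionManager constructor in the next file, so a comment here pointing at that second location would help keep the two in step.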
Expand Up @@ -58,7 +58,7 @@ public DefaultWebSessionManager() {
cookie.setHttpOnly(true); //more secure, protects against XSS attacks
this.sessionIdCookie = cookie;
this.sessionIdCookieEnabled = true;
this.sessionIdUrlRewritingEnabled = true;
this.sessionIdUrlRewritingEnabled = false;
}

public Cookie getSessionIdCookie() {
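Review bot: The neighbouring `cookie.setHttpOnly(true); //more secure, protects against XSS attacks` explains its security default inline, but the flipped `this.sessionIdUrlRewritingEnabled = false;` does not, even though the reason is the whole point of the change. Matching that style, `this.sessionIdUrlRewritingEnabled = false; //disabled by default: session IDs in URLs end up in logs, browser history and Referer headers` keeps the rationale next to the value for the next maintainer tempted to flip it back. The constructor begins above the hunk.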
Expand Up @@ -127,7 +127,7 @@ public class DefaultWebSessionManagerTest {
ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.TRUE);
request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.FALSE);

replay(cookie);
replay(request);
Expand All @@ -147,6 +147,7 @@ public class DefaultWebSessionManagerTest {
Cookie cookie = createMock(Cookie.class);
mgr.setSessionIdCookie(cookie);
mgr.setSessionIdCookieEnabled(false);
mgr.setSessionIdUrlRewritingEnabled(true)

//we should not have any reads from the cookie fields - if we do, this test case will fail.

Expand Down Expand Up @@ -182,6 +183,7 @@ public class DefaultWebSessionManagerTest {
Cookie cookie = createMock(Cookie.class);
mgr.setSessionIdCookie(cookie);
mgr.setSessionIdCookieEnabled(false);
mgr.setSessionIdUrlRewritingEnabled(true)

//we should not have any reads from the cookie fields - if we do, this test case will fail.

Expand Down Expand Up @@ -218,6 +220,7 @@ public class DefaultWebSessionManagerTest {
public void testGetSessionIdFromRequestUriPathSegmentParam() {

mgr.setSessionIdCookieEnabled(false);
mgr.setSessionIdUrlRewritingEnabled(true)

HttpServletRequest request = createMock(HttpServletRequest.class);
HttpServletResponse response = createMock(HttpServletResponse.class);
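Review bot: The three added `mgr.setSessionIdUrlRewritingEnabled(true)` lines (each directly after `mgr.setSessionIdCookieEnabled(false);` in the last three hunks) omit the trailing semicolon while every surrounding statement carries one; if this test is Groovy the mix is only inconsistent, but if it is Java the file will not compile, so `mgr.setSessionIdUrlRewritingEnabled(true);` is the safer form in all three places. Enabling rewriting explicitly keeps the URL-path-segment test cases meaningful under the new default, but no visible hunk asserts the new default itself — an assertion such as `assertFalse(new DefaultWebSessionManager().isSessionIdUrlRewritingEnabled())` would pin the behaviour SHIRO-795 introduces and catch a regression if either default is flipped back. The enclosing test methods start or end outside each hunk.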
