Merge pull request #164 from ooknight/dev

增加Cookie安全性,支持设置Cookie的HttpOnly和Secure属性
2024-11-30 02:48:10 +08:00 · 2021-09-27 01:21:59 +08:00 · 2021-09-27 01:21:59 +08:00 · 022e286904
commit 022e286904
parent 4fb1ea96fb 7acf5e9790
6 changed files with 70 additions and 25 deletions
--- a/sa-token-core/src/main/java/cn/dev33/satoken/config/SaTokenConfig.java
+++ b/sa-token-core/src/main/java/cn/dev33/satoken/config/SaTokenConfig.java
@ -41,6 +41,12 @@ public class SaTokenConfig implements Serializable {
 	/** 是否尝试从cookie里读取token */
 	private Boolean isReadCookie = true;

+	/** 使用Cookie时,是否为HttpOnly */
+	private Boolean isCookieHttpOnly = false;
+
+	/** 使用Cookie时,是否为Secure */
+	private Boolean isCookieSecure = false;
+
 	/** token风格(默认可取值：uuid、simple-uuid、random-32、random-64、random-128、tik) */
 	private String tokenStyle = "uuid";

@ -220,6 +226,38 @@ public class SaTokenConfig implements Serializable {
 		return this;
 	}

+	/**
+	 * @return 使用Cookie时,是否为HttpOnly
+	 */
+	public Boolean getIsCookieHttpOnly() {
+		return isCookieHttpOnly;
+	}
+
+	/**
+	 * @param isCookieHttpOnly 使用Cookie时,是否为HttpOnly
+	 * @return 对象自身
+	 */
+	public SaTokenConfig setIsCookieHttpOnly(Boolean isCookieHttpOnly) {
+		this.isCookieHttpOnly = isCookieHttpOnly;
+		return this;
+	}
+
+	/**
+	 * @return 使用Cookie时,是否为Secure
+	 */
+	public Boolean getIsCookieSecure() {
+		return isCookieSecure;
+	}
+
+	/**
+	 * @param isCookieSecure 使用Cookie时,是否为Secure
+	 * @return 对象自身
+	 */
+	public SaTokenConfig setIsCookieSecure(Boolean isCookieSecure) {
+		this.isCookieSecure = isCookieSecure;
+		return this;
+	}
+
 	/**
 	 * @return token风格(默认可取值：uuid、simple-uuid、random-32、random-64、random-128、tik)
 	 */
@ -433,7 +471,9 @@ public class SaTokenConfig implements Serializable {
 	public String toString() {
 		return "SaTokenConfig [tokenName=" + tokenName + ", timeout=" + timeout + ", activityTimeout=" + activityTimeout
 				+ ", isConcurrent=" + isConcurrent + ", isShare=" + isShare + ", isReadBody=" + isReadBody
-				+ ", isReadHead=" + isReadHead + ", isReadCookie=" + isReadCookie + ", tokenStyle=" + tokenStyle
+				+ ", isReadHead=" + isReadHead + ", isReadCookie=" + isReadCookie
+				+ ", isCookieHttpOnly=" + isCookieHttpOnly + ", isCookieSecure=" + isCookieSecure
+				+ ", tokenStyle=" + tokenStyle
 				+ ", dataRefreshPeriod=" + dataRefreshPeriod + ", tokenSessionCheckLogin=" + tokenSessionCheckLogin
 				+ ", autoRenew=" + autoRenew + ", cookieDomain=" + cookieDomain + ", tokenPrefix=" + tokenPrefix
 				+ ", isPrint=" + isPrint + ", isLog=" + isLog + ", jwtSecretKey=" + jwtSecretKey + ", idTokenTimeout="
--- a/sa-token-core/src/main/java/cn/dev33/satoken/context/model/SaResponse.java
+++ b/sa-token-core/src/main/java/cn/dev33/satoken/context/model/SaResponse.java
@ -18,21 +18,23 @@ public interface SaResponse {
 	 * @param name Cookie名称
 	 */
 	public void deleteCookie(String name);
-	
+
 	/**
-	 * 写入指定Cookie 
+	 * 写入指定Cookie
 	 * @param name     Cookie名称
 	 * @param value    Cookie值
 	 * @param path     Cookie路径
 	 * @param domain   Cookie的作用域
 	 * @param timeout  过期时间 （秒）
+	 * @param isHttpOnly 是否为HttpOnly
+	 * @param isSecure 是否为Secure
 	 */
-	public void addCookie(String name, String value, String path, String domain, int timeout);
+	public void addCookie(String name, String value, String path, String domain, int timeout, boolean isHttpOnly, boolean isSecure);

 	/**
-	 * 设置响应状态码 
+	 * 设置响应状态码
 	 * @param sc 响应状态码
-	 * @return 对象自身 
+	 * @return 对象自身
 	 */
 	public SaResponse setStatus(int sc);
 	
--- a/sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java
+++ b/sa-token-core/src/main/java/cn/dev33/satoken/stp/StpLogic.java
@ -109,9 +109,9 @@ public class StpLogic {
 		}
 		
 		// 注入Cookie 
-		if(config.getIsReadCookie()){
+		if (config.getIsReadCookie()) {
 			SaResponse response = SaHolder.getResponse();
-			response.addCookie(getTokenName(), tokenValue, "/", config.getCookieDomain(), cookieTimeout);
+			response.addCookie(getTokenName(), tokenValue, "/", config.getCookieDomain(), cookieTimeout, config.getIsCookieHttpOnly(), config.getIsCookieSecure());
 		}
 	}
 	
--- a/sa-token-starter/sa-token-reactor-spring-boot-starter/src/main/java/cn/dev33/satoken/reactor/model/SaResponseForReactor.java
+++ b/sa-token-starter/sa-token-reactor-spring-boot-starter/src/main/java/cn/dev33/satoken/reactor/model/SaResponseForReactor.java
@ -43,34 +43,35 @@ public class SaResponseForReactor implements SaResponse {
 	 */
 	@Override
 	public void deleteCookie(String name) {
-		addCookie(name, null, null, null, 0);
+		addCookie(name, null, null, null, 0, false, false);
 	}

 	/**
-	 * 写入指定Cookie 
+	 * 写入指定Cookie
 	 */
 	@Override
-	public void addCookie(String name, String value, String path, String domain, int timeout) {
-		
+	public void addCookie(String name, String value, String path, String domain, int timeout, boolean isHttpOnly, boolean isSecure) {
 		// 构建CookieBuilder
 		ResponseCookieBuilder builder = ResponseCookie.from(name, value)
-				.domain(domain)
-				.path(path)
-				.maxAge(timeout)
+			    .domain(domain)
+			    .path(path)
+			    .maxAge(timeout)
+			    .httpOnly(isHttpOnly)
+			    .secure(isHttpOnly)
 				;
-		
-		// set path 
+
+		// set path
 		if(SaFoxUtil.isEmpty(path) == true) {
 			path = "/";
 		}
 		builder.path(path);
-		
-		// set domain 
+
+		// set domain
 		if(SaFoxUtil.isEmpty(domain) == false) {
 			builder.domain(domain);
 		}
-		
-		// 写入Cookie 
+
+		// 写入Cookie
 		response.addCookie(builder.build());
 	}

--- a/sa-token-starter/sa-token-servlet/src/main/java/cn/dev33/satoken/servlet/model/SaResponseForServlet.java
+++ b/sa-token-starter/sa-token-servlet/src/main/java/cn/dev33/satoken/servlet/model/SaResponseForServlet.java
@ -42,14 +42,14 @@ public class SaResponseForServlet implements SaResponse {
 	 */
 	@Override
 	public void deleteCookie(String name) {
-		addCookie(name, null, null, null, 0);
+		addCookie(name, null, null, null, 0, false, false);
 	}

 	/**
-	 * 写入指定Cookie 
+	 * 写入指定Cookie
 	 */
 	@Override
-	public void addCookie(String name, String value, String path, String domain, int timeout) {
+	public void addCookie(String name, String value, String path, String domain, int timeout, boolean isHttpOnly, boolean isSecure) {
 		Cookie cookie = new Cookie(name, value);
 		if(SaFoxUtil.isEmpty(path) == true) {
 			path = "/";
@ -59,6 +59,8 @@ public class SaResponseForServlet implements SaResponse {
 		}
 		cookie.setPath(path);
 		cookie.setMaxAge(timeout);
+		cookie.setHttpOnly(isHttpOnly);
+		cookie.setSecure(isSecure);
 		response.addCookie(cookie);
 	}

--- a/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/model/SaResponseForSolon.java
+++ b/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/model/SaResponseForSolon.java
@ -28,7 +28,7 @@ public class SaResponseForSolon implements SaResponse {
    }

    @Override
-    public void addCookie(String name, String value, String path, String domain, int timeout) {
+    public void addCookie(String name, String value, String path, String domain, int timeout, boolean isHttpOnly, boolean isSecure) {
        if (Utils.isNotEmpty(path)) {
            path = "/";
        }