preserveCookiePath configuration parameter support added. (#231)

mitre · Aug 16, 2022 · 5317093 · 5317093
1 parent 7ad6d44
commit 5317093
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,6 +1,6 @@
 # Version 1.13 (unreleased)
 
-_(no changes)_
+\#231: Added support of preserveCookiePath configuration parameter. It allows to keep cookie path unchanged in Set-Cookie server response header.
 
 # Version 1.12.1 released on 2021-12-28
 

diff --git a/README.md b/README.md
@@ -72,6 +72,7 @@ The following is a list of parameters that can be configured
 + forwardip: A boolean parameter name to enable forwarding of the client IP
 + preserveHost: A boolean parameter name to keep HOST parameter as-is  
 + preserveCookies: A boolean parameter name to keep COOKIES as-is
++ preserveCookiePath: A boolean parameter name to keep cookie path unchanged in Set-Cookie server response header
 + http.protocol.handle-redirects: A boolean parameter name to have auto-handle redirects
 + http.socket.timeout: A integer parameter name to set the socket connection timeout (millis)
 + http.read.timeout: A integer parameter name to set the socket read timeout (millis)

diff --git a/src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java b/src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java
@@ -84,6 +84,9 @@ public class ProxyServlet extends HttpServlet {
   /** A boolean parameter name to keep COOKIES as-is  */
   public static final String P_PRESERVECOOKIES = "preserveCookies";
 
+  /** A boolean parameter name to keep COOKIE path as-is  */
+  public static final String P_PRESERVECOOKIEPATH = "preserveCookiePath";
+
   /** A boolean parameter name to have auto-handle redirects */
   public static final String P_HANDLEREDIRECTS = "http.protocol.handle-redirects"; // ClientPNames.HANDLE_REDIRECTS
 
@@ -121,6 +124,7 @@ public class ProxyServlet extends HttpServlet {
   protected boolean doSendUrlFragment = true;
   protected boolean doPreserveHost = false;
   protected boolean doPreserveCookies = false;
+  protected boolean doPreserveCookiePath = false;
   protected boolean doHandleRedirects = false;
   protected boolean useSystemProperties = true;
   protected boolean doHandleCompression = false;
@@ -182,6 +186,11 @@ public void init() throws ServletException {
       this.doPreserveCookies = Boolean.parseBoolean(preserveCookiesString);
     }
 
+    String preserveCookiePathString = getConfigParam(P_PRESERVECOOKIEPATH);
+    if (preserveCookiePathString != null) {
+      this.doPreserveCookiePath = Boolean.parseBoolean(preserveCookiePathString);
+    }
+
     String handleRedirectsString = getConfigParam(P_HANDLEREDIRECTS);
     if (handleRedirectsString != null) {
       this.doHandleRedirects = Boolean.parseBoolean(handleRedirectsString);
@@ -590,7 +599,10 @@ protected void copyProxyCookie(HttpServletRequest servletRequest,
   protected Cookie createProxyCookie(HttpServletRequest servletRequest, HttpCookie cookie) {
     String proxyCookieName = getProxyCookieName(cookie);
     Cookie servletCookie = new Cookie(proxyCookieName, cookie.getValue());
-    servletCookie.setPath(buildProxyCookiePath(servletRequest)); //set to the path of the proxy servlet
+    servletCookie.setPath(this.doPreserveCookiePath ?
+       cookie.getPath() : // preserve original cookie path
+       buildProxyCookiePath(servletRequest) //set to the path of the proxy servlet
+    );
     servletCookie.setComment(cookie.getComment());
     servletCookie.setMaxAge((int) cookie.getMaxAge());
     // don't set cookie domain

diff --git a/src/test/java/org/mitre/dsmiley/httpproxy/ProxyServletTest.java b/src/test/java/org/mitre/dsmiley/httpproxy/ProxyServletTest.java
@@ -402,6 +402,35 @@ public void handle(HttpRequest request, HttpResponse response, HttpContext conte
     assertEquals("JSESSIONID=1234; COOKIE2=567", captureCookieValue.toString());
   }
 
+  @Test
+  public void testPreserveCookiePath() throws Exception {
+    servletRunner = new ServletRunner();
+
+    Properties servletProps = new Properties();
+    servletProps.setProperty("http.protocol.handle-redirects", "false");
+    servletProps.setProperty(ProxyServlet.P_LOG, "true");
+    servletProps.setProperty(ProxyServlet.P_FORWARDEDFOR, "true");
+    servletProps.setProperty(ProxyServlet.P_PRESERVECOOKIES, "true");
+    servletProps.setProperty(ProxyServlet.P_PRESERVECOOKIEPATH, "true");
+    setUpServlet(servletProps);
+
+    sc = servletRunner.newClient();
+    sc.getClientProperties().setAutoRedirect(false);//don't want httpunit itself to redirect
+
+    final String HEADER = "Set-Cookie";
+    localTestServer.register("/targetPath*", new RequestInfoHandler() {
+      public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException {
+        response.setHeader(HEADER, "JSESSIONID=1234; Path=/proxy/path/that/we/want; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Domain=.foo.bar.com; HttpOnly");
+        super.handle(request, response, context);
+      }
+    });
+
+    GetMethodWebRequest req = makeGetMethodRequest(sourceBaseUri);
+    WebResponse rsp = execAndAssert(req, "");
+    // note httpunit doesn't set all cookie fields, ignores max-agent, secure, etc.
+    assertEquals("JSESSIONID=1234;path=/proxy/path/that/we/want", rsp.getHeaderField(HEADER));
+  }
+
   /**
    * If we're proxying a remote service that tries to set cookies, we need to make sure the cookies are not captured
    * by the httpclient in the ProxyServlet, otherwise later requests from ALL users will all access the remote proxy