Example #1
0
  /**
   * Utility method to get the CustomerUuid from the browser cookie and create the cookie if it
   * doesn't exist.
   *
   * @param request
   * @param response
   * @param kkAppEng
   * @return Returns the CustomerUuid
   */
  private String getCustomerUuidFromBrowserCookie(
      HttpServletRequest request, HttpServletResponse response, KKAppEng kkAppEng) {
    Cookie[] cookies = null;
    if (kkAppEng.isPortlet()) {
      cookies = PortletActionContext.getRenderRequest().getCookies();
    } else {
      cookies = request.getCookies();
    }

    /*
     * Try to find the cookie we are looking for
     */
    String uuid = null;
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++) {
        Cookie cookie = cookies[i];
        String cookieName = cookie.getName();
        if (cookieName.equals(CUSTOMER_UUID)) {
          /*
           * If we find the cookie we get the value and update the max age.
           */
          uuid = cookie.getValue();
          cookie.setMaxAge(COOKIE_MAX_AGE_IN_SECS);
          cookie.setPath("/");
          if (kkAppEng.isPortlet()) {
            PortletActionContext.getRenderResponse().addProperty(cookie);
          } else {
            response.addCookie(cookie);
          }
        }
      }
    }

    /*
     * If the browser cookie doesn't exist then we have to create it and store a newly created
     * UUID string
     */
    if (uuid == null) {
      UUID uuidObject = UUID.randomUUID();
      uuid = uuidObject.toString();
      /*
       * Create a browser cookie with the UUID
       */
      Cookie uuidCookie = new Cookie(CUSTOMER_UUID, uuid);
      uuidCookie.setMaxAge(COOKIE_MAX_AGE_IN_SECS);
      uuidCookie.setPath("/");

      // Not available in gwt_dev.jar or early versions of servlet-api.jar
      try {
        // set HTTP Only if we can
        uuidCookie.setHttpOnly(true);
      } catch (java.lang.NoSuchMethodError nsme) {
        // Older servlet jar
      }

      if (kkAppEng.isPortlet()) {
        PortletActionContext.getRenderResponse().addProperty(uuidCookie);
      } else {
        response.addCookie(uuidCookie);
      }
    }

    return uuid;
  }
Example #2
0
  /**
   * Determines whether we are using SSL or not. If we are logged in, then we should be using SSL.
   * SSL can also be forced by setting the forceSSL boolean. If we should be using SSL but aren't
   * (or vice versa) we do a redirect by returning an action forward with the correct URL to
   * redirect to. Otherwise we return null
   *
   * @param request
   * @param custId The customer id
   * @param forceSSL Set to true if we should force SSL.
   * @return ActionForward
   * @throws KKException
   */
  protected String checkSSL(KKAppEng eng, HttpServletRequest request, int custId, boolean forceSSL)
      throws KKException {
    try {
      if (eng == null) {
        throw new KKException("checkSSL called with KKAppEng set to null");
      }

      if (eng.isPortlet()) {
        // Take no action if in a Portlet
        return null;
      }

      String sslPort = eng.getSslPort();
      String standardPort = eng.getStandardPort();
      boolean activateCheck = eng.isEnableSSL();
      String sslBaseUrl = eng.getSslBaseUrl();

      if (activateCheck && request != null) {
        boolean isSSL = false;
        StringBuffer redirectUrl;

        if (request.getRequestURL() == null) {
          throw new KKException(
              "Cannot determine whether SSL is being used because getRequestURL() returns null");
        }

        if (request.getRequestURL().substring(0, 5).equalsIgnoreCase("https")) {
          isSSL = true;
        }

        if (log.isDebugEnabled()) {
          log.debug("getServerName = " + request.getServerName());
          log.debug("getServerPort = " + request.getServerPort());
          log.debug("getServletPath = " + request.getServletPath());
          log.debug("getRequestURI = " + request.getRequestURI());
          log.debug("getRequestURL = " + request.getRequestURL());
          log.debug("isSSL = " + isSSL);
          log.debug("custId = " + custId);
        }

        if (!isSSL && (custId > -1 || forceSSL)) {
          // We aren't using SSL but should be
          redirectUrl = new StringBuffer();
          if (sslBaseUrl != null) {
            redirectUrl.append(sslBaseUrl);
            redirectUrl.append(request.getRequestURI());
          } else {
            redirectUrl.append("https://");
            redirectUrl.append(request.getServerName());
            // Insert the port if it is non standard
            if (sslPort != null && !sslPort.equals("443")) {
              redirectUrl.append(":");
              redirectUrl.append(sslPort);
            }
            redirectUrl.append(request.getRequestURI());
          }

          /*
           * The following is called for security reasons. In some cases (such as when
           * using Tomcat) the session id is appended to the URL in the browser (i.e.
           * jsessionid=E2D1B0B2B8C5478B7F6F3C3C5D9BB0FB). If a hacker managed to get this
           * session id while the customer wasn't logged in, he could use it to access
           * sensitive information once the customer has logged in since the session id
           * doesn't change. The following method creates a new session and substitutes
           * it.
           */
          changeSession(request);
        } else if (isSSL && (custId < 0) && !forceSSL) {
          // We are using SSL but shouldn't be
          redirectUrl = new StringBuffer();
          redirectUrl.append("http://");
          redirectUrl.append(request.getServerName());
          // Insert the port if it is non standard
          if (standardPort != null && !standardPort.equals("80")) {
            redirectUrl.append(":");
            redirectUrl.append(standardPort);
          }
          redirectUrl.append(request.getRequestURI());
        } else {
          // Don't need to do anything
          return null;
        }

        // Get the parameters
        StringBuffer parms = new StringBuffer();
        Enumeration<String> en = request.getParameterNames();
        while (en.hasMoreElements()) {
          String paramName = en.nextElement();
          String paramValue = request.getParameter(paramName);
          if (parms.length() > 0) {
            parms.append("&");
          } else {
            parms.append("?");
          }
          parms.append(paramName);
          parms.append("=");
          parms.append(paramValue);
        }

        // Append the parameters to the redirect url
        redirectUrl.append(parms);
        if (log.isDebugEnabled()) {
          log.debug("redirectUrl = " + redirectUrl);
        }
        return redirectUrl.toString();
      }

      return null;
    } catch (Exception e) {
      log.error(e);
      return null;
    }
  }