/**
* Utility method to get the CustomerUuid from the browser cookie and create the cookie if it
* doesn't exist.
*
* @param request
* @param response
* @param kkAppEng
* @return Returns the CustomerUuid
*/
private String getCustomerUuidFromBrowserCookie(
HttpServletRequest request, HttpServletResponse response, KKAppEng kkAppEng) {
Cookie[] cookies = null;
if (kkAppEng.isPortlet()) {
cookies = PortletActionContext.getRenderRequest().getCookies();
} else {
cookies = request.getCookies();
}
/*
* Try to find the cookie we are looking for
*/
String uuid = null;
if (cookies != null) {
for (int i = 0; i < cookies.length; i++) {
Cookie cookie = cookies[i];
String cookieName = cookie.getName();
if (cookieName.equals(CUSTOMER_UUID)) {
/*
* If we find the cookie we get the value and update the max age.
*/
uuid = cookie.getValue();
cookie.setMaxAge(COOKIE_MAX_AGE_IN_SECS);
cookie.setPath("/");
if (kkAppEng.isPortlet()) {
PortletActionContext.getRenderResponse().addProperty(cookie);
} else {
response.addCookie(cookie);
}
}
}
}
/*
* If the browser cookie doesn't exist then we have to create it and store a newly created
* UUID string
*/
if (uuid == null) {
UUID uuidObject = UUID.randomUUID();
uuid = uuidObject.toString();
/*
* Create a browser cookie with the UUID
*/
Cookie uuidCookie = new Cookie(CUSTOMER_UUID, uuid);
uuidCookie.setMaxAge(COOKIE_MAX_AGE_IN_SECS);
uuidCookie.setPath("/");
// Not available in gwt_dev.jar or early versions of servlet-api.jar
try {
// set HTTP Only if we can
uuidCookie.setHttpOnly(true);
} catch (java.lang.NoSuchMethodError nsme) {
// Older servlet jar
}
if (kkAppEng.isPortlet()) {
PortletActionContext.getRenderResponse().addProperty(uuidCookie);
} else {
response.addCookie(uuidCookie);
}
}
return uuid;
}
/**
* Determines whether we are using SSL or not. If we are logged in, then we should be using SSL.
* SSL can also be forced by setting the forceSSL boolean. If we should be using SSL but aren't
* (or vice versa) we do a redirect by returning an action forward with the correct URL to
* redirect to. Otherwise we return null
*
* @param request
* @param custId The customer id
* @param forceSSL Set to true if we should force SSL.
* @return ActionForward
* @throws KKException
*/
protected String checkSSL(KKAppEng eng, HttpServletRequest request, int custId, boolean forceSSL)
throws KKException {
try {
if (eng == null) {
throw new KKException("checkSSL called with KKAppEng set to null");
}
if (eng.isPortlet()) {
// Take no action if in a Portlet
return null;
}
String sslPort = eng.getSslPort();
String standardPort = eng.getStandardPort();
boolean activateCheck = eng.isEnableSSL();
String sslBaseUrl = eng.getSslBaseUrl();
if (activateCheck && request != null) {
boolean isSSL = false;
StringBuffer redirectUrl;
if (request.getRequestURL() == null) {
throw new KKException(
"Cannot determine whether SSL is being used because getRequestURL() returns null");
}
if (request.getRequestURL().substring(0, 5).equalsIgnoreCase("https")) {
isSSL = true;
}
if (log.isDebugEnabled()) {
log.debug("getServerName = " + request.getServerName());
log.debug("getServerPort = " + request.getServerPort());
log.debug("getServletPath = " + request.getServletPath());
log.debug("getRequestURI = " + request.getRequestURI());
log.debug("getRequestURL = " + request.getRequestURL());
log.debug("isSSL = " + isSSL);
log.debug("custId = " + custId);
}
if (!isSSL && (custId > -1 || forceSSL)) {
// We aren't using SSL but should be
redirectUrl = new StringBuffer();
if (sslBaseUrl != null) {
redirectUrl.append(sslBaseUrl);
redirectUrl.append(request.getRequestURI());
} else {
redirectUrl.append("https://");
redirectUrl.append(request.getServerName());
// Insert the port if it is non standard
if (sslPort != null && !sslPort.equals("443")) {
redirectUrl.append(":");
redirectUrl.append(sslPort);
}
redirectUrl.append(request.getRequestURI());
}
/*
* The following is called for security reasons. In some cases (such as when
* using Tomcat) the session id is appended to the URL in the browser (i.e.
* jsessionid=E2D1B0B2B8C5478B7F6F3C3C5D9BB0FB). If a hacker managed to get this
* session id while the customer wasn't logged in, he could use it to access
* sensitive information once the customer has logged in since the session id
* doesn't change. The following method creates a new session and substitutes
* it.
*/
changeSession(request);
} else if (isSSL && (custId < 0) && !forceSSL) {
// We are using SSL but shouldn't be
redirectUrl = new StringBuffer();
redirectUrl.append("http://");
redirectUrl.append(request.getServerName());
// Insert the port if it is non standard
if (standardPort != null && !standardPort.equals("80")) {
redirectUrl.append(":");
redirectUrl.append(standardPort);
}
redirectUrl.append(request.getRequestURI());
} else {
// Don't need to do anything
return null;
}
// Get the parameters
StringBuffer parms = new StringBuffer();
Enumeration<String> en = request.getParameterNames();
while (en.hasMoreElements()) {
String paramName = en.nextElement();
String paramValue = request.getParameter(paramName);
if (parms.length() > 0) {
parms.append("&");
} else {
parms.append("?");
}
parms.append(paramName);
parms.append("=");
parms.append(paramValue);
}
// Append the parameters to the redirect url
redirectUrl.append(parms);
if (log.isDebugEnabled()) {
log.debug("redirectUrl = " + redirectUrl);
}
return redirectUrl.toString();
}
return null;
} catch (Exception e) {
log.error(e);
return null;
}
}
