/*1* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/22/**23* @test24* @bug 7095980 800731525* @summary Ensure HttpURLConnection (and supporting APIs) don't expose26* HttpOnly cookies27*/2829import java.io.IOException;30import java.net.CookieHandler;31import java.net.CookieManager;32import java.net.CookiePolicy;33import java.net.InetAddress;34import java.net.InetSocketAddress;35import java.net.URI;36import java.net.HttpURLConnection;37import java.util.ArrayList;38import java.util.HashMap;39import java.util.List;40import java.util.Map;41import java.util.Set;42import com.sun.net.httpserver.Headers;43import com.sun.net.httpserver.HttpExchange;44import com.sun.net.httpserver.HttpHandler;45import com.sun.net.httpserver.HttpServer;4647/*48* 1) start the HTTP server49* 2) populate cookie store with HttpOnly cookies50* 3) make HTTP request that should contain HttpOnly cookies51* 4) check HttpOnly cookies received by server52* 5) server reply with Set-Cookie containing HttpOnly cookie53* 6) check 
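/* (continuation of the test-plan comment opened above)
 *    HttpOnly cookies are not accessible from Http client
 * 7) check that non-null (empty string) values are returned for
 *    scenario where all values are stripped from original key values
 */

/**
 * Regression test: a cookie carrying the {@code HttpOnly} attribute that the
 * installed {@link CookieManager} attaches to a request, or that the server
 * returns in {@code Set-Cookie}/{@code Set-Cookie2}, must not be readable
 * through the request/response header accessors of {@link HttpURLConnection}.
 *
 * <p>The test is self-contained: it starts a local {@link HttpServer}, seeds
 * the cookie store with one HttpOnly and one ordinary cookie, drives two
 * requests against the server and tallies results in {@link #passed} and
 * {@link #failed}. The server side ({@link SimpleHandler}) independently
 * verifies that both seeded cookies did reach it, so a "not visible to the
 * client" result cannot be explained by the cookie never having been sent.
 */
public class HttpOnly {

    /** Context path served by the test server; also the Path attribute of every cookie. */
    static final String URI_PATH = "/xxyyzz/";
    /** Value of the HttpOnly {@code JSESSIONID} cookie seeded into the cookie store. */
    static final int SESSION_ID = 12345;

    /**
     * Runs the complete scenario against a freshly started server.
     *
     * <p>The default {@link CookieHandler} in force before the test is
     * restored, and the server stopped, even if a step throws.
     *
     * @param args unused; present to match the harness signature
     * @throws Exception on any I/O or URI failure
     */
    void test(String[] args) throws Exception {
        HttpServer server = startHttpServer();
        CookieHandler previousHandler = CookieHandler.getDefault();
        try {
            InetSocketAddress address = server.getAddress();
            URI uri = new URI("http://" + InetAddress.getLocalHost().getHostAddress()
                              + ":" + address.getPort() + URI_PATH);
            populateCookieStore(uri);
            doClient(uri);
        } finally {
            CookieHandler.setDefault(previousHandler);
            server.stop(0);
        }
    }

    /**
     * Installs an accept-all {@link CookieManager} as the default handler and
     * stores two cookies for {@code uri}: an HttpOnly {@code JSESSIONID} and a
     * plain {@code CUSTOMER} cookie. Both are scoped to {@link #URI_PATH}.
     *
     * @param uri the request URI the cookies are associated with
     * @throws IOException if the cookie store rejects the headers
     */
    void populateCookieStore(URI uri) throws IOException {
        CookieManager cm = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        CookieHandler.setDefault(cm);

        List<String> values = new ArrayList<>();
        values.add("JSESSIONID=" + SESSION_ID + "; version=1; Path="
                   + URI_PATH + "; HttpOnly");
        values.add("CUSTOMER=WILE_E_COYOTE; version=1; Path=" + URI_PATH);

        Map<String,List<String>> header = new HashMap<>();
        header.put("Set-Cookie", values);
        cm.put(uri, header);
    }

    /**
     * Client side of the test: two requests to {@code uri}, followed by checks
     * on every header accessor. The first request has only cookie-manager
     * cookies; the second additionally carries a user-set {@code Cookie}
     * header, which the accessors may return but still without the HttpOnly
     * cookie.
     *
     * @param uri the server endpoint
     * @throws Exception on any I/O failure
     */
    void doClient(URI uri) throws Exception {
        HttpURLConnection uc = (HttpURLConnection) uri.toURL().openConnection();
        int resp = uc.getResponseCode();
        check(resp == 200, "Unexpected response code. Expected 200, got " + resp);

        // TEST 1: getRequestProperty must not return the HttpOnly cookie; in
        // fact it must not return any cookie the CookieHandler set automatically.
        String cookie = uc.getRequestProperty("Cookie");
        check(cookie == null,
              "Cookie header returned from getRequestProperty, value " + cookie);

        // TEST 2: the same for getRequestProperties.
        for (Map.Entry<String,List<String>> entry : uc.getRequestProperties().entrySet()) {
            check(!"Cookie".equalsIgnoreCase(entry.getKey()),
                  "Cookie header returned from getRequestProperties, value "
                  + entry.getValue());
        }

        // TEST 3 / 3.5: getHeaderField must strip the HttpOnly cookie from
        // both Set-Cookie and Set-Cookie2.
        checkHeaderFieldHasNoHttpOnly(uc, "Set-Cookie");
        checkHeaderFieldHasNoHttpOnly(uc, "Set-Cookie2");

        // TEST 4: the same via getHeaderFields.
        checkHeaderFieldsHaveNoHttpOnly(uc);

        // Second request: add a user-set cookie into the mix.
        uc = (HttpURLConnection) uri.toURL().openConnection();
        uc.addRequestProperty("Cookie", "CUSTOMER_ID=CHEGAR;");
        resp = uc.getResponseCode();
        check(resp == 200, "Unexpected response code. Expected 200, got " + resp);

        // TEST 5: getRequestProperty now returns the user-set value, but still
        // nothing HttpOnly. A null here would previously have crashed the test
        // with an NPE instead of being reported; report it as a failure.
        cookie = uc.getRequestProperty("Cookie");
        check(cookie != null,
              "user-set Cookie header not returned from getRequestProperty");
        if (cookie != null) {
            check(!cookie.toLowerCase().contains("httponly"),
                  "HttpOnly cookie returned from getRequestProperty, value " + cookie);
        }

        // TEST 6: getRequestProperties must not return the HttpOnly cookie either.
        for (Map.Entry<String,List<String>> entry : uc.getRequestProperties().entrySet()) {
            if (!"Cookie".equalsIgnoreCase(entry.getKey())) {
                continue;
            }
            for (String val : entry.getValue()) {
                check(!val.toLowerCase().contains("httponly"),
                      "HttpOnly cookie returned from getRequestProperties,"
                      + " value " + val);
            }
        }

        // TEST 7: every header key reported by index must come with a non-null
        // value, even when filtering stripped all of the original values.
        // Index 0 is the status line, so iteration starts at 1; the end is
        // reached when both key and value are null.
        for (int i = 1; ; i++) {
            String key = uc.getHeaderFieldKey(i);
            String value = uc.getHeaderField(i);
            if (key == null && value == null) {
                break;
            }
            if (key != null) {
                check(value != null, "Encountered a null value for key value : " + key);
            }
        }

        // TEST 7.5: the same property via getHeaderFields (the status line is
        // keyed under null and is skipped).
        for (Map.Entry<String,List<String>> entry : uc.getHeaderFields().entrySet()) {
            String header = entry.getKey();
            if (header == null) {
                continue;
            }
            for (String value1 : entry.getValue()) {
                check(value1 != null,
                      "getHeaderFields returned null values for header:, " + header);
            }
        }
    }

    /**
     * TEST 3 / 3.5 body: {@code getHeaderField(name)} must not expose an
     * HttpOnly cookie. A completely absent header is acceptable.
     */
    private void checkHeaderFieldHasNoHttpOnly(HttpURLConnection uc, String name) {
        String value = uc.getHeaderField(name);
        if (value == null) {
            return;
        }
        debug(name + ":" + value);
        check(!value.toLowerCase().contains("httponly"),
              "getHeaderField returned " + name + " header with HttpOnly, "
              + "value = " + value);
    }

    /**
     * TEST 4 body: {@code getHeaderFields()} must not expose an HttpOnly
     * cookie in any {@code Set-Cookie} or {@code Set-Cookie2} value. Header
     * names are matched case-insensitively; messages use the canonical name.
     */
    private void checkHeaderFieldsHaveNoHttpOnly(HttpURLConnection uc) {
        for (Map.Entry<String,List<String>> entry : uc.getHeaderFields().entrySet()) {
            String header = entry.getKey();
            String canonical;
            if ("Set-Cookie".equalsIgnoreCase(header)) {
                canonical = "Set-Cookie";
            } else if ("Set-Cookie2".equalsIgnoreCase(header)) {
                canonical = "Set-Cookie2";
            } else {
                continue;
            }
            List<String> setCookieValues = entry.getValue();
            debug(canonical + ":" + setCookieValues);
            for (String value : setCookieValues) {
                check(!value.toLowerCase().contains("httponly"),
                      "getHeaderFields returned " + canonical + " header with HttpOnly, "
                      + "value = " + value);
            }
        }
    }

    /**
     * Starts an {@link HttpServer} on an ephemeral port serving
     * {@link #URI_PATH} with a {@link SimpleHandler}.
     *
     * @return the running server; the caller must stop it
     * @throws IOException if the server cannot be created
     */
    HttpServer startHttpServer() throws IOException {
        HttpServer httpServer = HttpServer.create(new InetSocketAddress(0), 0);
        httpServer.createContext(URI_PATH, new SimpleHandler());
        httpServer.start();
        return httpServer;
    }

    /**
     * Server side: verifies that the request carries the seeded cookies and
     * answers with a mix of plain and HttpOnly cookies in both
     * {@code Set-Cookie} and {@code Set-Cookie2} so the client-side accessor
     * checks have something to filter.
     */
    class SimpleHandler implements HttpHandler {
        @Override
        public void handle(HttpExchange t) throws IOException {
            Headers reqHeaders = t.getRequestHeaders();

            // Sanity check: every Cookie line must carry both seeded cookies.
            // A request with no Cookie header at all, or with a line missing
            // one of them, is answered with 400. The exchange is completed and
            // the handler returns immediately: the original code fell through
            // to a second sendResponseHeaders(200), which HttpExchange rejects
            // once headers are already sent, and dereferenced a null list when
            // the header was absent.
            List<String> cookies = reqHeaders.get("Cookie");
            if (cookies == null) {
                t.sendResponseHeaders(400, -1);
                t.close();
                return;
            }
            for (String cookie : cookies) {
                if (!cookie.contains("JSESSIONID")
                        || !cookie.contains("WILE_E_COYOTE")) {
                    t.sendResponseHeaders(400, -1);
                    t.close();
                    return;
                }
            }

            // Return some cookies so the client can check getHeaderField(s).
            Headers respHeaders = t.getResponseHeaders();

            List<String> setCookie = new ArrayList<>();
            setCookie.add("ID=JOEBLOGGS; version=1; Path=" + URI_PATH);
            setCookie.add("NEW_JSESSIONID=" + (SESSION_ID + 1) + "; version=1; Path="
                          + URI_PATH + "; HttpOnly");
            setCookie.add("NEW_CUSTOMER=WILE_E_COYOTE2; version=1; Path=" + URI_PATH);
            respHeaders.put("Set-Cookie", setCookie);

            List<String> setCookie2 = new ArrayList<>();
            setCookie2.add("COOKIE2_CUSTOMER=WILE_E_COYOTE2; version=1; Path="
                           + URI_PATH);
            setCookie2.add("COOKIE2_JSESSIONID=" + (SESSION_ID + 100)
                           + "; version=1; Path=" + URI_PATH + "; HttpOnly");
            respHeaders.put("Set-Cookie2", setCookie2);

            t.sendResponseHeaders(200, -1);
            t.close();
        }
    }

    // ---- minimal jtreg-style harness: counts checks, reports at the end ----

    /** Running tallies; volatile because the harness template declares them so. */
    volatile int passed = 0, failed = 0;
    /** Set to true to echo the Set-Cookie values seen by the client. */
    boolean debug = false;

    void pass() { passed++; }
    void fail() { failed++; }
    void fail(String msg) { System.err.println(msg); fail(); }
    void unexpected(Throwable t) { failed++; t.printStackTrace(); }
    void debug(String message) { if (debug) System.out.println(message); }

    /** Records a pass when {@code cond} holds, otherwise a failure with {@code failMessage}. */
    void check(boolean cond, String failMessage) {
        if (cond) {
            pass();
        } else {
            fail(failMessage);
        }
    }

    /**
     * Entry point: reflectively instantiates the enclosing class and calls
     * {@link #instanceMain(String[])}, unwrapping the reflection exception so
     * the real cause surfaces.
     */
    public static void main(String[] args) throws Throwable {
        Class<?> k = new Object(){}.getClass().getEnclosingClass();
        try {
            k.getMethod("instanceMain", String[].class)
             .invoke(k.newInstance(), (Object) args);
        } catch (Throwable e) {
            throw e.getCause();
        }
    }

    /** Runs {@link #test(String[])}, prints the tallies and fails the test if anything failed. */
    public void instanceMain(String[] args) throws Throwable {
        try {
            test(args);
        } catch (Throwable t) {
            unexpected(t);
        }
        System.out.printf("%nPassed = %d, failed = %d%n%n", passed, failed);
        if (failed > 0) {
            throw new AssertionError("Some tests failed");
        }
    }
}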