List of usage examples for org.apache.http.cookie SetCookie isExpired
boolean isExpired(final Date date);
From source file:org.sonatype.nexus.testsuite.security.SimpleSessionCookieIT.java
/** * Validate Nexus Cookies during Sign-in and Sign-out *///from w w w. j a va 2 s . c o m private void exerciseCookieSpec(final URL baseUrl) throws Exception { // handle cookies like a browser to aid validation final CookieSpec spec = new DefaultCookieSpecProvider().create(null); final CookieOrigin cookieOrigin = cookieOrigin(baseUrl); final CookieStore cookieStore = new BasicCookieStore(); final CredentialsProvider credProvider = credentialsProvider(); SetCookie loginCookie; try (CloseableHttpClient client = clientBuilder().setDefaultCookieStore(cookieStore) .setDefaultCredentialsProvider(credProvider).build()) { // 1. login with credentials and get session cookie // Set-Cookie: NXSESSIONID=98a766bc-bc33-4b3c-9d9f-d3bb85b0cf00; Path=/; Secure; HttpOnly HttpPost loginRequest = new HttpPost(resolveUrl(baseUrl, SESSION_PATH).toURI()); List<NameValuePair> params = new ArrayList<>(); params.add(new BasicNameValuePair("username", Strings2.encodeBase64(credentials().getUserPrincipal().getName()))); params.add(new BasicNameValuePair("password", Strings2.encodeBase64(credentials().getPassword()))); loginRequest.setEntity(new UrlEncodedFormEntity(params)); withCommonBrowserHeaders(loginRequest); try (CloseableHttpResponse response = client.execute(loginRequest, clientContext())) { assertThat(response.getStatusLine().getStatusCode(), is(200)); assertThat("login cookie should have been stored in the cookie store", cookieStore.getCookies(), hasSize(1)); assertThat("expected session cookie in cookie store", getSessionCookie(cookieStore), notNullValue()); Header[] setCookieHeaders = response.getHeaders(SET_COOKIE); Header sessionCookieHeader = getSessionCookieHeader(setCookieHeaders); List<Cookie> sessionCookies = spec.parse(sessionCookieHeader, cookieOrigin); loginCookie = (SetCookie) sessionCookies.get(0); String headerText = sessionCookieHeader.toString(); assertCommonSessionCookieAttributes(baseUrl, loginCookie, headerText); assertThat(String.format("expecting one cookie parsed from session %s header", SET_COOKIE), sessionCookies, hasSize(1)); assertThat(String.format( "expecting 2 %s headers for login, one session cookie, one remember me, but got %s", SET_COOKIE, setCookieHeaders), setCookieHeaders, arrayWithSize(2)); assertThat("login cookie should NOT look like deleteMe cookie", loginCookie.getValue(), not(containsString("deleteMe"))); assertThat( "login cookie should not have an expiry date - the UA deletes the session cookie when " + "replaced by a new one by same name from the server OR when the UA decides", loginCookie.isPersistent(), is(false)); assertThat("login session cookie with valid session id should always be marked HttpOnly", headerText, containsString("; HttpOnly")); } HttpClientContext logoutContext = HttpClientContext.create(); logoutContext.setCookieStore(cookieStore); HttpDelete logoutRequest = new HttpDelete(resolveUrl(baseUrl, SESSION_PATH).toURI()); withCommonBrowserHeaders(logoutRequest); // 2. Logout, sending valid session cookie, no credentials // Set-Cookie: NXSESSIONID=deleteMe; Path=/; Max-Age=0; Expires=Sun, 28-Dec-2014 15:59:11 GMT try (CloseableHttpResponse response = client.execute(logoutRequest, logoutContext)) { assertThat(response.getStatusLine().getStatusCode(), is(200)); // can't use client CookieStore to examine logout cookie, because the Expires header will prevent it from being // added but we can implicitly confirm it expired the existing cookie according to our client assertThat("logout cookie should have emptied the cookie store due to expiry date", cookieStore.getCookies(), hasSize(0)); Header[] setCookieHeaders = response.getHeaders(SET_COOKIE); Header sessionCookieHeader = getSessionCookieHeader(setCookieHeaders); List<Cookie> sessionCookies = spec.parse(sessionCookieHeader, cookieOrigin); SetCookie logoutCookie = (SetCookie) sessionCookies.get(0); final String headerText = sessionCookieHeader.toString(); assertCommonSessionCookieAttributes(baseUrl, logoutCookie, headerText); assertThat("expecting one cookie in same Set-Cookie header", sessionCookies, hasSize(1)); assertThat(String.format( "expecting 2 %s headers for logout, one session cookie delete cookie, one remember me delete cookie, but got %s", SET_COOKIE, setCookieHeaders), setCookieHeaders, arrayWithSize(2)); assertThat("logout session cookie value should be dummy value", logoutCookie.getValue(), equalTo("deleteMe")); assertThat("logout session cookie should be expired to tell browser to delete it", logoutCookie.isExpired(new Date()), is(true)); assertThat( "technically the presence of an expiry date means the cookie is persistent, but expiry will override", logoutCookie.isPersistent(), is(true)); assertThat( "logout cookie does not have a real session id value, therefore it does not need to be HttpOnly", headerText, not(containsString("; HttpOnly"))); } // 3. Access a protected resource again using our original login cookie, no credentials, to verify session is dead HttpGet loginFailedGet = new HttpGet(resolveUrl(baseUrl, PROTECTED_PATH).toURI()); cookieStore.addCookie(loginCookie); try (CloseableHttpResponse response = client.execute(loginFailedGet, HttpClientContext.create())) { assertThat("expected dead login session cookie to not authenticate", response.getStatusLine().getStatusCode(), is(401)); Header[] setCookieHeaders = response.getHeaders(SET_COOKIE); assertThat("expecting no session cookie since login was unsuccessful", getSessionCookieHeader(setCookieHeaders), nullValue()); assertThat("expecting no cookies since login was unsuccessful", setCookieHeaders, arrayWithSize(0)); } } }