[port 2.2.8] JAVASERVERFACES-3531 didn't correct all uses of getExter…

…nalContext().isSecure() https://github.com/javaserverfaces/mojarra/issues/4104 modified: jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
javaee · Jun 15, 2017 · df2adde · df2adde
1 parent e8bd403
commit df2adde
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java b/jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
@@ -74,6 +74,7 @@
 import javax.faces.event.PostPutFlashValueEvent;
 import javax.faces.event.PreClearFlashEvent;
 import javax.faces.event.PreRemoveFlashValueEvent;
+import javax.servlet.ServletRequest;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 
@@ -1042,6 +1043,7 @@ private void setCookie(FacesContext context,
             return;
         }
 
+        boolean isSecure = isSecure(extContext);
         // Don't try to write the cookie unless there is data in the flash.
         if (forceWrite || (null != nextFlash && !nextFlash.getFlashMap().isEmpty()) ||
             (null != prevFlash && !prevFlash.getFlashMap().isEmpty())) {
@@ -1063,7 +1065,7 @@ private void setCookie(FacesContext context,
                 if (null != (val = toSet.getMaxAge())) {
                     properties.put("maxAge", val);
                 }
-                if (extContext.isSecure()) {
+                if (isSecure) {
                     properties.put("secure", Boolean.TRUE);
                 } else if (null != (val = toSet.getSecure())) {
                     properties.put("secure", val);
@@ -1081,6 +1083,27 @@ private void setCookie(FacesContext context,
             removeCookie(extContext, toSet);
         }
     }
+
+    private boolean isSecure(ExternalContext extContext) {
+        // Bug 18611757: only use extContext.isSecure() if we
+        // absolutely must.  For example, if we are in a portlet
+        // environment.
+        boolean isSecure = false;
+        Object request = extContext.getRequest();
+        if (request instanceof ServletRequest) {
+            isSecure = ((ServletRequest)request).isSecure();
+        } else {
+            try {
+                isSecure = extContext.isSecure();
+            } catch (UnsupportedOperationException uoe) {
+                if (LOGGER.isLoggable(Level.SEVERE)) {
+                    LOGGER.log(Level.SEVERE, "ExternalContext {0} does not implement isSecure().  Please implement this per the JSF 2.1 specification.",
+                            new Object [] { extContext });
+                }
+            }
+        }
+        return isSecure;
+    }
 
     private void removeCookie(ExternalContext extContext, Cookie toRemove) {
         if (extContext.isResponseCommitted()) {