From df2addef6447f001feb90cbcb8e8d8b70848623a Mon Sep 17 00:00:00 2001
From: xinyuan-zhang
Date: Thu, 15 Jun 2017 15:45:28 +0800
Subject: [PATCH] [port 2.2.8] JAVASERVERFACES-3531 didn't correct all uses of getExternalContext().isSecure() https://github.com/javaserverfaces/mojarra/issues/4104 modified: jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
---
 .../com/sun/faces/context/flash/ELFlash.java | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java b/jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
index 9300075d7a..f6471dba40 100644
--- a/jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
+++ b/jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
@@ -74,6 +74,7 @@ import javax.faces.event.PostPutFlashValueEvent;
 import javax.faces.event.PreClearFlashEvent;
 import javax.faces.event.PreRemoveFlashValueEvent;
+import javax.servlet.ServletRequest;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -1042,6 +1043,7 @@ private void setCookie(FacesContext context,
 return;
 }
+ boolean isSecure = isSecure(extContext);
 // Don't try to write the cookie unless there is data in the flash.
 if (forceWrite || (null != nextFlash && !nextFlash.getFlashMap().isEmpty()) || (null != prevFlash && !prevFlash.getFlashMap().isEmpty())) {
@@ -1063,7 +1065,7 @@ private void setCookie(FacesContext context,
 if (null != (val = toSet.getMaxAge())) {
 properties.put("maxAge", val);
 }
- if (extContext.isSecure()) {
+ if (isSecure) {
 properties.put("secure", Boolean.TRUE);
 } else if (null != (val = toSet.getSecure())) {
 properties.put("secure", val);
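Review bot: In the `@@ -1042,6 +1043,7 @@` hunk, `boolean isSecure = isSecure(extContext);` is evaluated before the `if (forceWrite || ...)` guard, so the transport lookup runs even when no cookie is written, and on an `ExternalContext` without `isSecure()` so does the SEVERE log in the new helper. The value is only read where the `secure` property is set (the `if (isSecure)` in the following hunk, which appears to sit inside that guard), so the call could move there as `if (isSecure(extContext)) {` and the extra local would go away. setCookie's body starts and ends outside this hunk.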
@@ -1081,6 +1083,27 @@ private void setCookie(FacesContext context,
 removeCookie(extContext, toSet);
 }
 }
+
+ private boolean isSecure(ExternalContext extContext) {
+ // Bug 18611757: only use extContext.isSecure() if we
+ // absolutely must. For example, if we are in a portlet
+ // environment.
+ boolean isSecure = false;
+ Object request = extContext.getRequest();
+ if (request instanceof ServletRequest) {
+ isSecure = ((ServletRequest)request).isSecure();
+ } else {
+ try {
+ isSecure = extContext.isSecure();
+ } catch (UnsupportedOperationException uoe) {
+ if (LOGGER.isLoggable(Level.SEVERE)) {
+ LOGGER.log(Level.SEVERE, "ExternalContext {0} does not implement isSecure(). Please implement this per the JSF 2.1 specification.",
+ new Object [] { extContext });
+ }
+ }
+ }
+ return isSecure;
+ }
 private void removeCookie(ExternalContext extContext, Cookie toRemove) {
 if (extContext.isResponseCommitted()) {
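Review bot: The `catch (UnsupportedOperationException uoe)` branch of the new `isSecure(ExternalContext)` helper logs and then returns `false`, so an unknown transport state is treated as plain HTTP and the caller's `if (isSecure)` falls through to `toSet.getSecure()`; the flash cookie can then go out without the Secure attribute unless the cookie configuration sets it. A comment at the catch should say this is deliberate, e.g. `// transport unknown: report not secure; Secure then depends on the configured cookie setting`. The method also lacks a Javadoc stating that in a servlet container it reads `ServletRequest.isSecure()` directly, which means an `ExternalContext` wrapper overriding `isSecure()` is no longer consulted on that path. Because `setCookie` calls the helper on each invocation, the SEVERE message may repeat per request; logging it once would keep the log usable. The local `isSecure` shares the method's name, which compiles but is easy to misread; `secure` would be clearer.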