Cherry pick branch 'genexuslabs:fix/secure-jsessionid' into beta

Author: iroqueta

gxspringboot/src/main/java/com/genexus/springboot/GXConfig.java

@@ -4,10 +4,12 @@
 import com.genexus.common.interfaces.SpecificImplementation;
 import com.genexus.diagnostics.core.ILogger;
 import com.genexus.diagnostics.core.LogManager;
+import com.genexus.filters.SessionFilter;
 import com.genexus.servlet.CorsFilter;
 import com.genexus.xml.GXXMLSerializable;
 
 import jakarta.annotation.PreDestroy;
+import jakarta.servlet.DispatcherType;
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.servlet.ServletContainer;
 import org.glassfish.jersey.servlet.ServletProperties;
@@ -92,6 +94,24 @@ public FilterRegistrationBean<UrlRewriteFilter> urlRewriteFilter() {
 		return registrationBean;
 	}
 
+	@Bean
+	public FilterRegistrationBean<SessionFilter> sessionFilter() {
+		FilterRegistrationBean<SessionFilter> registration =
+			new FilterRegistrationBean<>();
+
+		registration.setFilter(new SessionFilter());
+		registration.setName("session-filter");
+		registration.addUrlPatterns("/*");
+		registration.setOrder(Ordered.HIGHEST_PRECEDENCE + 2);
+
+		registration.setDispatcherTypes(
+			DispatcherType.REQUEST,
+			DispatcherType.FORWARD
+		);
+
+		return registration;
+	}
+
 	@Bean
 	public ServletContextInitializer jerseyFilter() {
 		Set<Class<?>> rrcs = JaxrsResourcesHolder.getAll();

java/src/main/java/com/genexus/filters/SecureCookieHttpServletResponseWrapper.java

@@ -18,12 +18,22 @@ public SecureCookieHttpServletResponseWrapper(IHttpServletResponse response, Str
     }
 	@Override
 	public void addCookie(ICookie cookie) {
-		if (!cookie.getSecure() && cookie.getName().toLowerCase()==cookieId){
+		if (!cookie.getSecure() && cookie.getName().toLowerCase().equals(cookieId)){
 			cookie.setSecure(true);
 		}
 		super.addCookie(cookie);
 	}
 
+	@Override
+	public void addHeader(String name, String value) {
+		if (name.equalsIgnoreCase("Set-Cookie") && value.toLowerCase().startsWith(cookieId.toLowerCase() + "=")) {
+			if (!value.toLowerCase().contains("secure")) {
+				value += "; Secure";
+			}
+		}
+		super.addHeader(name, value);
+	}
+
 	public IServletOutputStream getWrapperOutputStream() throws IOException {
     	return response.getOutputStream();
 	}

java/src/main/java/com/genexus/filters/SessionFilter.java

@@ -3,6 +3,7 @@
 import java.util.Arrays;
 import java.util.Map;
 
+import com.genexus.WrapperUtils;
 import com.genexus.servlet.*;
 import com.genexus.servlet.http.*;
 
@@ -19,12 +20,7 @@ public void init(Map<String, String> headers, String path, String sessionCookieN
     public void doFilter(IServletRequest request, IServletResponse response, IFilterChain chain) throws Exception {
         IHttpServletRequest req = request.getHttpServletRequest();
         IHttpServletResponse res = response.getHttpServletResponse();
-		ICookie session=null;
-        ICookie[] allCookies = req.getCookies();
-		if (allCookies != null) {
-			session = Arrays.stream(allCookies).filter(x -> x.getName().equals(JSESSIONID)).findFirst().orElse(null);
-		}
-		if (session!=null && req.isSecure() && !session.getSecure())
+		if (WrapperUtils.isSecureConnection(req))
 		{
 			chain.doFilter(request, new SecureCookieHttpServletResponseWrapper(res, JSESSIONID));
 		}

java/src/main/java/com/genexus/webpanels/HttpContextWeb.java

@@ -1005,9 +1005,8 @@ public String getScriptPath() {
 	}
 
 	public int getHttpSecure() {
-		String protocol = getHeader("X-Forwarded-Proto");
-		if (protocol != null && !protocol.equals("")) {
-			return protocol.equalsIgnoreCase("https") ? 1 : 0;
+		if (WrapperUtils.isSecureConnection(request)) {
+			return 1;
 		}
 		String serverProtocolProperty = ModelContext.getModelContext().getPreferences().getProperty("SERVER_PROTOCOL", "");
 		if (!StringUtils.isBlank(serverProtocolProperty)) {

wrappercommon/src/main/java/com/genexus/WrapperUtils.java

@@ -7,6 +7,7 @@
 import java.util.stream.Collectors;
 
 import com.genexus.opentelemetry.OpenTelemetryHelper;
+import com.genexus.servlet.http.IHttpServletRequest;
 import org.json.JSONException;
 import com.genexus.json.JSONObjectWrapper;
 import org.apache.commons.io.IOUtils;
@@ -56,4 +57,15 @@ public static InputStream storeRestRequestBody(InputStream is) throws IOExceptio
 
 		return IOUtils.toInputStream(body, "UTF-8");
 	}
+
+	public static boolean isSecureConnection(IHttpServletRequest req) {
+		return req.isSecure() ||
+			"https".equalsIgnoreCase(req.getHeader("X-Forwarded-Proto")) ||
+			"on".equalsIgnoreCase(req.getHeader("X-Forwarded-Ssl")) ||
+			"1".equals(req.getHeader("X-Forwarded-Ssl")) ||
+			"true".equalsIgnoreCase(req.getHeader("X-Forwarded-Ssl")) ||
+			"https".equalsIgnoreCase(req.getHeader("X-Forwarded-Scheme")) ||
+			"on".equalsIgnoreCase(req.getHeader("Front-End-Https")) ||
+			"https".equalsIgnoreCase(req.getHeader("X-Url-Scheme"));
+	}
 }