enh(jakarta-ee): add optional URL session tracking configuration parameters

lprimak · lprimak · commit dc0723e2ac8e · 2025-10-02T18:37:43.000-05:00
diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java
@@ -19,8 +19,7 @@
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
 
-import static javax.servlet.SessionTrackingMode.COOKIE;
-
+import javax.servlet.SessionTrackingMode;
 import javax.servlet.annotation.WebListener;
 
 import org.apache.shiro.web.env.EnvironmentLoader;
@@ -34,6 +33,9 @@
 public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener {
     private static final String SHIRO_EE_DISABLED_PARAM = "org.apache.shiro.ee.disabled";
     private static final String SHIRO_EE_REDIRECT_DISABLED_PARAM = "org.apache.shiro.ee.redirect.disabled";
+    private static final String SHIRO_EE_ENABLE_URL_SESSION_TRACKING_PARAM = "org.apache.shiro.ee.enable-url-session-tracking";
+    private static final String SHIRO_EE_SESSION_TRACKING_CONFIGURATION_DISABLED_PARAM =
+            "org.apache.shiro.ee.session-tracking-configuration.disabled";
     private static final String FORM_RESUBMIT_DISABLED_PARAM = "org.apache.shiro.form-resubmit.disabled";
     private static final String FORM_RESUBMIT_SECURE_COOKIES = "org.apache.shiro.form-resubmit.secure-cookies";
     private static final String SHIRO_WEB_DISABLE_PRINCIPAL_PARAM = "org.apache.shiro.web.disable-principal";
@@ -80,7 +82,18 @@ public void contextInitialized(ServletContextEvent sce) {
             sce.getServletContext().setAttribute(SHIRO_WEB_DISABLE_PRINCIPAL_PARAM, Boolean.TRUE);
         }
         if (!isShiroEEDisabled(sce.getServletContext())) {
-            sce.getServletContext().setSessionTrackingModes(Set.of(COOKIE));
+            if (!Boolean.parseBoolean(sce.getServletContext()
+                    .getInitParameter(SHIRO_EE_SESSION_TRACKING_CONFIGURATION_DISABLED_PARAM))) {
+                Set<SessionTrackingMode> effectiveModes = sce.getServletContext().getEffectiveSessionTrackingModes();
+                if(Boolean.parseBoolean(sce.getServletContext()
+                        .getInitParameter(SHIRO_EE_ENABLE_URL_SESSION_TRACKING_PARAM))) {
+                    effectiveModes.add(SessionTrackingMode.URL);
+                } else {
+                    effectiveModes.remove(SessionTrackingMode.URL);
+                }
+                sce.getServletContext().setSessionTrackingModes(effectiveModes);
+            }
+
             initEnvironment(sce.getServletContext());
         }
     }
