author | Greg Wilkins | 2012-08-17 13:35:42 +0000 |
committer | Greg Wilkins | 2012-08-17 13:35:42 +0000 |
commit | 086e74bed8250c3400ee192dc00403a71b6d1525 (patch) | |
tree | 768005ba309fa950f82cef684fc3cd37e483622e /jetty-security/src/main/java | |
parent | 7c94fd5f3c3bdd2c55568dc17bab43ffc69eedf0 (diff) | |
parent | c82871b10f1110b6e30e3aaa485b6955ce6e639c (diff) | |
jetty-9 merged jetty-8
Merge remote-tracking branch 'origin/jetty-8' into jetty-9
Conflicts:
jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java
jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java
jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java
jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarFileResource.java
jetty-util/src/test/java/org/eclipse/jetty/util/log/StdErrLogTest.java
Diffstat (limited to 'jetty-security/src/main/java')
7 files changed, 51 insertions, 29 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 0baeef255b..262b40dcee 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -23,8 +23,11 @@ import java.util.Set;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
 import org.eclipse.jetty.security.authentication.DeferredAuthentication;
+import org.eclipse.jetty.server.AbstractHttpConnection;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Request;
@@ -33,6 +36,7 @@ import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.handler.ContextHandler.Context;
 import org.eclipse.jetty.server.handler.HandlerWrapper;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 import org.eclipse.jetty.util.component.LifeCycle;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -285,6 +289,32 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
 getInitParameter(name)==null)
 setInitParameter(name,context.getInitParameter(name));
 }
+
+ //register a session listener to handle securing sessions when authentication is performed
+ context.getContextHandler().addEventListener(new HttpSessionListener()
+ {
+
+ public void sessionDestroyed(HttpSessionEvent se)
+ {
+
+ }
+
+ public void sessionCreated(HttpSessionEvent se)
+ {
+ //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
+ AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
+ if (connection == null)
+ return;
+ Request request = connection.getRequest();
+ if (request == null)
+ return;
+
+ if (request.isSecure())
+ {
+ se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ }
+ }
+ });
 }
 // complicated resolution of login and identity service to handle
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index dec0ee78d1..81dfcb4360 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -83,7 +83,7 @@ public class BasicAuthenticator extends LoginAuthenticator
 UserIdentity user = _loginService.login(username,password);
 if (user!=null)
 {
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
 return new UserAuthentication(getAuthMethod(),user);
 }
 }
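Review bot: In sessionCreated the guard is `request.isSecure()`, which only says the request arrived over TLS, while the comment above it ("if current request is authenticated") and the attribute name SESSION_KNOWN_ONLY_TO_AUTHENTICATED describe authentication state, a different property. A session created under this context during an anonymous HTTPS request — any application call to getSession(true) fires this listener — is therefore flagged although its ID is then returned to the still-unauthenticated client; when that client later logs in, renewSession in LoginAuthenticator sees the flag and skips the ID change, so on HTTPS deployments the renew-on-authentication defence against session fixation is not applied to such sessions. If the intent is "created during this request and not yet seen by anyone", the listener should also require an authenticated request, e.g. `if (request.isSecure() && request.getAuthentication() instanceof Authentication.User)`; if the transport-based rule is deliberate, the comment and the attribute name should state that rationale instead. The two listener methods should also carry `@Override`, and the empty sessionDestroyed body wants a one-line comment saying nothing is required there. The enclosing method begins before this hunk.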
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index 2522037550..67eba6034b 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -119,7 +119,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
 UserIdentity user = _loginService.login(username,credential);
 if (user!=null)
 {
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
 return new UserAuthentication(getAuthMethod(),user);
 }
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index 505831963b..73cfc100a2 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -183,7 +183,7 @@ public class DigestAuthenticator extends LoginAuthenticator
 UserIdentity user = _loginService.login(digest.username,digest);
 if (user!=null)
 {
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
 return new UserAuthentication(getAuthMethod(),user);
 }
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 26196b7119..ab182b9bc5 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -189,8 +189,8 @@ public class FormAuthenticator extends LoginAuthenticator
 if (!mandatory)
 return _deferred;
- if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
- return Authentication.NOT_CHECKED;
+ if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())) &&!DeferredAuthentication.isDeferred(response))
+ return _deferred;
 HttpSession session = request.getSession(true);
@@ -205,7 +205,7 @@ public class FormAuthenticator extends LoginAuthenticator
 UserIdentity user = _loginService.login(username,password);
 if (user!=null)
 {
- session=renewSessionOnAuthentication(request,response);
+ session=renewSession(request,response);
 // Redirect to original request
 String nuri;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index c730a9bab5..8bed85f9b3 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -13,10 +13,6 @@ package org.eclipse.jetty.security.authentication;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
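Review bot: The added condition `&&!DeferredAuthentication.isDeferred(response)` is missing the space after `&&`, and the behaviour it changes is left undocumented: a request for the login or error page now yields `_deferred`, the same result as the `!mandatory` path two lines above, instead of `Authentication.NOT_CHECKED`. Nothing in the hunk shows what isDeferred(response) detects, so a comment stating why the test is made on the response rather than the request — along the lines of `// login/error pages are never protected: defer here too, unless this response is already being handled as deferred authentication` if that is the intent — would record the reasoning for the next reader. The enclosing method starts and ends outside the hunk.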
@@ -24,10 +20,10 @@ import javax.servlet.http.HttpSession;
 import org.eclipse.jetty.security.Authenticator;
 import org.eclipse.jetty.security.IdentityService;
 import org.eclipse.jetty.security.LoginService;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 public abstract class LoginAuthenticator implements Authenticator
 {
- public final static String SESSION_SECURED="org.eclipse.jetty.security.secured";
 protected final DeferredAuthentication _deferred=new DeferredAuthentication(this);
 protected LoginService _loginService;
 protected IdentityService _identityService;
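Review bot: Dropping the `public final static String SESSION_SECURED` constant is a source- and binary-incompatible change for any code outside jetty-security that referenced it, and within the files shown the attribute it named is no longer read or written anywhere after this commit. If that surface has to survive the jetty-8 merge, a deprecated forwarder such as `@Deprecated public final static String SESSION_SECURED=AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED;` keeps old references compiling, with the caveat that its string value changes; otherwise the rename should at least be called out in the release notes. Persisted sessions that carry only the old attribute will be renewed once more on their next authentication by renewSession, which errs in the safe direction.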
@@ -53,34 +49,29 @@ public abstract class LoginAuthenticator implements Authenticator
 return _loginService;
 }
- /* ------------------------------------------------------------ */
- /** Change the session when the request is authenticated for the first time
+ /** Change the session id.
+ * The session is changed to a new instance with a new ID if and only if:<ul>
+ * <li>A session exists.
+ * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
+ * <li>The session ID has been given to unauthenticated responses
+ * </ul>
 * @param request
 * @param response
 * @return The new session.
 */
- protected HttpSession renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response)
+ protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
 {
 HttpSession httpSession = request.getSession(false);
- if (_renewSession && httpSession!=null && httpSession.getAttribute(SESSION_SECURED)==null)
+
+ //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
+ //(indicated by SESSION_SECURED not being set on the session) then we should change id
+ if (_renewSession && httpSession!=null && httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
 {
 synchronized (this)
 {
- Map<String,Object> attributes = new HashMap<String, Object>();
- for (Enumeration<String> e=httpSession.getAttributeNames();e.hasMoreElements();)
- {
- String name=e.nextElement();
- attributes.put(name,httpSession.getAttribute(name));
- httpSession.removeAttribute(name);
- }
- httpSession.invalidate();
- httpSession = request.getSession(true);
- httpSession.setAttribute(SESSION_SECURED,Boolean.TRUE);
- for (Map.Entry<String, Object> entry: attributes.entrySet())
- httpSession.setAttribute(entry.getKey(),entry.getValue());
+ httpSession = AbstractSessionManager.renewSession(request, httpSession,true);
 }
 }
-
 return httpSession;
 }
 }
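Review bot: The new comment `//(indicated by SESSION_SECURED not being set on the session) then we should change id` names the constant this same commit deletes; the condition below it tests `AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED` against `Boolean.TRUE`, so it should read `//(indicated by SESSION_KNOWN_ONLY_TO_AUTHENTICATED not being Boolean.TRUE on the session) then we should change id`. The `@param request` and `@param response` tags in the rewritten Javadoc are still empty, and the bare `true` passed as the third argument in `AbstractSessionManager.renewSession(request, httpSession,true)` has no visible meaning at the call site; a short comment naming what it selects, or a named local in its place, would help the next reader. The Javadoc's third bullet would also be clearer as "The session ID may have been given to unauthenticated responses", since that is what the attribute check can actually establish.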
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index e63e597cca..368c1d6193 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -29,6 +29,7 @@ import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.UserIdentity.Scope;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -102,7 +103,7 @@ public class SessionAuthentication implements Authentication.User, Serializable,
 if (security!=null)
 security.logout(this);
 if (_session!=null)
- _session.removeAttribute(LoginAuthenticator.SESSION_SECURED);
+ _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
 }
 @Override