jetty-9 merged jetty-8

Merge remote-tracking branch 'origin/jetty-8' into jetty-9 Conflicts: jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarFileResource.java jetty-util/src/test/java/org/eclipse/jetty/util/log/StdErrLogTest.java
author: Greg Wilkins 2012-08-17 13:35:42 +0000
committer: Greg Wilkins 2012-08-17 13:35:42 +0000
commit: 086e74bed8250c3400ee192dc00403a71b6d1525 (patch)
tree: 768005ba309fa950f82cef684fc3cd37e483622e /jetty-security/src/main/java
parent: 7c94fd5f3c3bdd2c55568dc17bab43ffc69eedf0 (diff)
parent: c82871b10f1110b6e30e3aaa485b6955ce6e639c (diff)
download: org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.tar.gz
org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.tar.xz
org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.zip
7 files changed, 51 insertions, 29 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 0baeef255b..262b40dcee 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -23,8 +23,11 @@ import java.util.Set;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
 
 import org.eclipse.jetty.security.authentication.DeferredAuthentication;
+import org.eclipse.jetty.server.AbstractHttpConnection;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Request;
@@ -33,6 +36,7 @@ import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.handler.ContextHandler.Context;
 import org.eclipse.jetty.server.handler.HandlerWrapper;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 import org.eclipse.jetty.util.component.LifeCycle;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -285,6 +289,32 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
                         getInitParameter(name)==null)
                     setInitParameter(name,context.getInitParameter(name));
             }
+            
+            //register a session listener to handle securing sessions when authentication is performed
+            context.getContextHandler().addEventListener(new HttpSessionListener()
+            {
+                
+                public void sessionDestroyed(HttpSessionEvent se)
+                {
+                   
+                }
+                
+                public void sessionCreated(HttpSessionEvent se)
+                {
+                    //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
+                    AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
+                    if (connection == null)
+                        return;
+                    Request request = connection.getRequest();
+                    if (request == null)
+                        return;
+                    
+                    if (request.isSecure())
+                    {
+                        se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+                    }
+                }
+            });
         }
 
         // complicated resolution of login and identity service to handle
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index dec0ee78d1..81dfcb4360 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -83,7 +83,7 @@ public class BasicAuthenticator extends LoginAuthenticator
                             UserIdentity user = _loginService.login(username,password);
                             if (user!=null)
                             {
-                                renewSessionOnAuthentication(request,response);
+                                renewSession(request,response);
                                 return new UserAuthentication(getAuthMethod(),user);
                             }
                         }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index 2522037550..67eba6034b 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -119,7 +119,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
                     UserIdentity user = _loginService.login(username,credential);
                     if (user!=null)
                     {
-                        renewSessionOnAuthentication(request,response);
+                        renewSession(request,response);
                         return new UserAuthentication(getAuthMethod(),user);
                     }
                 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index 505831963b..73cfc100a2 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -183,7 +183,7 @@ public class DigestAuthenticator extends LoginAuthenticator
                     UserIdentity user = _loginService.login(digest.username,digest);
                     if (user!=null)
                     {
-                        renewSessionOnAuthentication(request,response);
+                        renewSession(request,response);
                         return new UserAuthentication(getAuthMethod(),user);
                     }
                 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 26196b7119..ab182b9bc5 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -189,8 +189,8 @@ public class FormAuthenticator extends LoginAuthenticator
         if (!mandatory)
             return _deferred;
 
-        if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
-            return Authentication.NOT_CHECKED;
+        if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())) &&!DeferredAuthentication.isDeferred(response))
+            return _deferred;
 
         HttpSession session = request.getSession(true);
 
@@ -205,7 +205,7 @@ public class FormAuthenticator extends LoginAuthenticator
                 UserIdentity user = _loginService.login(username,password);
                 if (user!=null)
                 {
-                    session=renewSessionOnAuthentication(request,response);
+                    session=renewSession(request,response);
 
                     // Redirect to original request
                     String nuri;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index c730a9bab5..8bed85f9b3 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -13,10 +13,6 @@
 
 package org.eclipse.jetty.security.authentication;
 
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@@ -24,10 +20,10 @@ import javax.servlet.http.HttpSession;
 import org.eclipse.jetty.security.Authenticator;
 import org.eclipse.jetty.security.IdentityService;
 import org.eclipse.jetty.security.LoginService;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 
 public abstract class LoginAuthenticator implements Authenticator
 {
-    public final static String SESSION_SECURED="org.eclipse.jetty.security.secured";
     protected final DeferredAuthentication _deferred=new DeferredAuthentication(this);
     protected LoginService _loginService;
     protected IdentityService _identityService;
@@ -53,34 +49,29 @@ public abstract class LoginAuthenticator implements Authenticator
         return _loginService;
     }
     
-    /* ------------------------------------------------------------ */
-    /** Change the session when the request is authenticated for the first time
+    /** Change the session id.
+     * The session is changed to a new instance with a new ID if and only if:<ul>
+     * <li>A session exists.
+     * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
+     * <li>The session ID has been given to unauthenticated responses
+     * </ul>
      * @param request
      * @param response
      * @return The new session.
      */
-    protected HttpSession renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response)
+    protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
     {
         HttpSession httpSession = request.getSession(false);
-        if (_renewSession && httpSession!=null && httpSession.getAttribute(SESSION_SECURED)==null)
+       
+        //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
+        //(indicated by SESSION_SECURED not being set on the session) then we should change id
+        if (_renewSession && httpSession!=null && httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
         {
             synchronized (this)
             {
-                Map<String,Object> attributes = new HashMap<String, Object>();
-                for (Enumeration<String> e=httpSession.getAttributeNames();e.hasMoreElements();)
-                {
-                    String name=e.nextElement();
-                    attributes.put(name,httpSession.getAttribute(name));
-                    httpSession.removeAttribute(name);
-                }
-                httpSession.invalidate();
-                httpSession = request.getSession(true);
-                httpSession.setAttribute(SESSION_SECURED,Boolean.TRUE);
-                for (Map.Entry<String, Object> entry: attributes.entrySet())
-                    httpSession.setAttribute(entry.getKey(),entry.getValue());
+                httpSession = AbstractSessionManager.renewSession(request, httpSession,true);
             }
         }
-        
         return httpSession;
     }
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index e63e597cca..368c1d6193 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -29,6 +29,7 @@ import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.UserIdentity.Scope;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
 
@@ -102,7 +103,7 @@ public class SessionAuthentication implements Authentication.User, Serializable,
         if (security!=null)
             security.logout(this);
         if (_session!=null)
-            _session.removeAttribute(LoginAuthenticator.SESSION_SECURED);
+            _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
     }
         
     @Override
author	Greg Wilkins	2012-08-17 13:35:42 +0000
committer	Greg Wilkins	2012-08-17 13:35:42 +0000
commit	086e74bed8250c3400ee192dc00403a71b6d1525 (patch)
tree	768005ba309fa950f82cef684fc3cd37e483622e /jetty-security/src/main/java
parent	7c94fd5f3c3bdd2c55568dc17bab43ffc69eedf0 (diff)
parent	c82871b10f1110b6e30e3aaa485b6955ce6e639c (diff)
download	org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.tar.gz org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.tar.xz org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.zip