author | Jan Bartel | 2012-10-27 07:44:35 +0000 |
---|---|---|
committer | Jan Bartel | 2012-10-27 07:44:35 +0000 |
commit | b8d6b4da8b8b6d6a5724e018dcd72ecd2ce41e5a (patch) | |
tree | 3f02c1da0bf961da8b57caa1d17ed3550a5c3623 /jetty-security/src/main | |
parent | 605b0360e18b4b99341a207a22f8b547989af8ae (diff) | |
Making session tests work; incorporating renewing session id keeping old object.
Diffstat (limited to 'jetty-security/src/main')
3 files changed, 24 insertions, 12 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 34a5246f9c..6be460e0b8 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -23,9 +23,9 @@ import java.security.Principal;
 import java.util.Collection;
 import java.util.Enumeration;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
+
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -42,8 +42,7 @@ import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.handler.ContextHandler.Context;
 import org.eclipse.jetty.server.handler.HandlerWrapper;
-import org.eclipse.jetty.server.session.AbstractSessionManager;
-import org.eclipse.jetty.util.component.LifeCycle;
+import org.eclipse.jetty.server.session.AbstractSession;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -329,7 +328,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
 if (request.isSecure())
 {
- se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ se.getSession().setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
 }
 }
 });
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index 47a079967d..7b0782eff8 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -26,9 +26,10 @@ import javax.servlet.http.HttpSession;
 import org.eclipse.jetty.security.Authenticator;
 import org.eclipse.jetty.security.IdentityService;
 import org.eclipse.jetty.security.LoginService;
-import org.eclipse.jetty.server.Authentication;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.UserIdentity;
-import org.eclipse.jetty.server.session.AbstractSessionManager;
+import org.eclipse.jetty.server.session.AbstractSession;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -51,7 +52,7 @@ public abstract class LoginAuthenticator implements Authenticator
 UserIdentity user = _loginService.login(username,password);
 if (user!=null)
 {
- renewSession((HttpServletRequest)request, null);
+ renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
 return user;
 }
 return null;
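Review bot: In the `-51,7 +52,7` hunk the response is recovered only when `request` is itself a Jetty `Request`; a request wrapped by a filter (any `ServletRequestWrapper`) fails the `instanceof` test and `null` is passed instead, and in the `-95,11 +96,22` hunk a null response means the cookie carrying the renewed id is never added even though `renewId` has presumably already replaced it, so the client's next request would arrive with an id the server no longer recognises. Unwrapping before the check avoids that: `ServletRequest base = request; while (base instanceof ServletRequestWrapper) base = ((ServletRequestWrapper)base).getRequest();` and then test `base instanceof Request` (this assumes the second `renewSession` argument is the `response` used in the later hunk, whose signature is outside the diff). The `login` method begins and ends outside the hunk.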
@@ -95,11 +96,22 @@ public abstract class LoginAuthenticator implements Authenticator
 {
 //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
 //(indicated by SESSION_SECURED not being set on the session) then we should change id
- if (httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+ if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
 {
- HttpSession newSession = AbstractSessionManager.renewSession(request, httpSession,true);
- LOG.debug("renew {}->{}",httpSession.getId(),newSession.getId());
- httpSession=newSession;
+ if (httpSession instanceof AbstractSession)
+ {
+ AbstractSession abstractSession = (AbstractSession)httpSession;
+ String oldId = abstractSession.getId();
+ abstractSession.renewId(request);
+ abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
+ ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
+ LOG.debug("renew {}->{}",oldId,abstractSession.getId());
+ }
+ else
+ LOG.warn("Unable to renew session "+httpSession);
+
+ return httpSession;
 }
 }
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index b7406e7556..3105d4baa6 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
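Review bot: The `else LOG.warn(...)` branch returns the session unchanged and with `SESSION_KNOWN_ONLY_TO_AUTHENTICATED` still unset, so a session that is not an `AbstractSession` keeps whatever id an unauthenticated party may already have observed, and the caller in `login` cannot tell that the fixation protection was skipped; the same silent outcome occurs when `isIdChanged()` is true but the `response` condition fails and no cookie is added. That second case deserves at least a log line, `else if (abstractSession.isIdChanged()) LOG.warn("session id renewed but no cookie sent for {}", abstractSession.getId());`, and since `instanceof` already rejects null the `response != null` test is redundant. The warn message is also built by string concatenation while the neighbouring debug line uses `{}` placeholders; `LOG.warn("Unable to renew session {}", httpSession);` keeps the two consistent. `renewSession` begins and ends outside the hunk.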
@@ -33,6 +33,7 @@ import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.UserIdentity.Scope;
+import org.eclipse.jetty.server.session.AbstractSession;
 import org.eclipse.jetty.server.session.AbstractSessionManager;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -107,7 +108,7 @@ public class SessionAuthentication implements Authentication.User, Serializable,
 if (security!=null)
 security.logout(this);
 if (_session!=null)
- _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
+ _session.removeAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
 }
 @Override |