Skip to main content
aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGreg Wilkins2012-08-17 09:35:42 -0400
committerGreg Wilkins2012-08-17 09:35:42 -0400
commit086e74bed8250c3400ee192dc00403a71b6d1525 (patch)
tree768005ba309fa950f82cef684fc3cd37e483622e /jetty-security/src
parent7c94fd5f3c3bdd2c55568dc17bab43ffc69eedf0 (diff)
parentc82871b10f1110b6e30e3aaa485b6955ce6e639c (diff)
downloadorg.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.tar.gz
org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.tar.xz
org.eclipse.jetty.project-086e74bed8250c3400ee192dc00403a71b6d1525.zip
jetty-9 merged jetty-8
Merge remote-tracking branch 'origin/jetty-8' into jetty-9 Conflicts: jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarFileResource.java jetty-util/src/test/java/org/eclipse/jetty/util/log/StdErrLogTest.java
Diffstat (limited to 'jetty-security/src')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java30
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java6
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java35
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java3
7 files changed, 51 insertions, 29 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 0baeef255b..262b40dcee 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -23,8 +23,11 @@ import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
+import org.eclipse.jetty.server.AbstractHttpConnection;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
@@ -33,6 +36,7 @@ import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandler.Context;
import org.eclipse.jetty.server.handler.HandlerWrapper;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
import org.eclipse.jetty.util.component.LifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@@ -285,6 +289,32 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
getInitParameter(name)==null)
setInitParameter(name,context.getInitParameter(name));
}
+
+ //register a session listener to handle securing sessions when authentication is performed
+ context.getContextHandler().addEventListener(new HttpSessionListener()
+ {
+
+ public void sessionDestroyed(HttpSessionEvent se)
+ {
+
+ }
+
+ public void sessionCreated(HttpSessionEvent se)
+ {
+ //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
+ AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
+ if (connection == null)
+ return;
+ Request request = connection.getRequest();
+ if (request == null)
+ return;
+
+ if (request.isSecure())
+ {
+ se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ }
+ }
+ });
}
// complicated resolution of login and identity service to handle
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index dec0ee78d1..81dfcb4360 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -83,7 +83,7 @@ public class BasicAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(username,password);
if (user!=null)
{
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
return new UserAuthentication(getAuthMethod(),user);
}
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index 2522037550..67eba6034b 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -119,7 +119,7 @@ public class ClientCertAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(username,credential);
if (user!=null)
{
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
return new UserAuthentication(getAuthMethod(),user);
}
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index 505831963b..73cfc100a2 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -183,7 +183,7 @@ public class DigestAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(digest.username,digest);
if (user!=null)
{
- renewSessionOnAuthentication(request,response);
+ renewSession(request,response);
return new UserAuthentication(getAuthMethod(),user);
}
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 26196b7119..ab182b9bc5 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -189,8 +189,8 @@ public class FormAuthenticator extends LoginAuthenticator
if (!mandatory)
return _deferred;
- if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
- return Authentication.NOT_CHECKED;
+ if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())) &&!DeferredAuthentication.isDeferred(response))
+ return _deferred;
HttpSession session = request.getSession(true);
@@ -205,7 +205,7 @@ public class FormAuthenticator extends LoginAuthenticator
UserIdentity user = _loginService.login(username,password);
if (user!=null)
{
- session=renewSessionOnAuthentication(request,response);
+ session=renewSession(request,response);
// Redirect to original request
String nuri;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index c730a9bab5..8bed85f9b3 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -13,10 +13,6 @@
package org.eclipse.jetty.security.authentication;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@@ -24,10 +20,10 @@ import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
public abstract class LoginAuthenticator implements Authenticator
{
- public final static String SESSION_SECURED="org.eclipse.jetty.security.secured";
protected final DeferredAuthentication _deferred=new DeferredAuthentication(this);
protected LoginService _loginService;
protected IdentityService _identityService;
@@ -53,34 +49,29 @@ public abstract class LoginAuthenticator implements Authenticator
return _loginService;
}
- /* ------------------------------------------------------------ */
- /** Change the session when the request is authenticated for the first time
+ /** Change the session id.
+ * The session is changed to a new instance with a new ID if and only if:<ul>
+ * <li>A session exists.
+ * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
+ * <li>The session ID has been given to unauthenticated responses
+ * </ul>
* @param request
* @param response
* @return The new session.
*/
- protected HttpSession renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response)
+ protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
{
HttpSession httpSession = request.getSession(false);
- if (_renewSession && httpSession!=null && httpSession.getAttribute(SESSION_SECURED)==null)
+
+ //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
+ //(indicated by SESSION_SECURED not being set on the session) then we should change id
+ if (_renewSession && httpSession!=null && httpSession.getAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
{
synchronized (this)
{
- Map<String,Object> attributes = new HashMap<String, Object>();
- for (Enumeration<String> e=httpSession.getAttributeNames();e.hasMoreElements();)
- {
- String name=e.nextElement();
- attributes.put(name,httpSession.getAttribute(name));
- httpSession.removeAttribute(name);
- }
- httpSession.invalidate();
- httpSession = request.getSession(true);
- httpSession.setAttribute(SESSION_SECURED,Boolean.TRUE);
- for (Map.Entry<String, Object> entry: attributes.entrySet())
- httpSession.setAttribute(entry.getKey(),entry.getValue());
+ httpSession = AbstractSessionManager.renewSession(request, httpSession,true);
}
}
-
return httpSession;
}
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index e63e597cca..368c1d6193 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -29,6 +29,7 @@ import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.UserIdentity.Scope;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@@ -102,7 +103,7 @@ public class SessionAuthentication implements Authentication.User, Serializable,
if (security!=null)
security.logout(this);
if (_session!=null)
- _session.removeAttribute(LoginAuthenticator.SESSION_SECURED);
+ _session.removeAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
}
@Override

Back to the top