author | Greg Wilkins | 2015-01-08 14:03:05 +0000 |
---|---|---|
committer | Greg Wilkins | 2015-01-08 14:03:05 +0000 |
commit | c23f21c761ff56f2ad4841a98083b237494442de (patch) | |
tree | b9bd3735791afe56b760d6dad8f83472bade9d4a /jetty-security/src | |
parent | 12f84c95920b120a5f96892cdd8f5216c961c49d (diff) | |
456956 Reduce ThreadLocal.remove() weak reference garbage
removed getCurrentChannel thread local
Diffstat (limited to 'jetty-security/src')
10 files changed, 27 insertions, 50 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java index 28b2f59b5c..f15e20113b 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java @@ -675,7 +675,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr if (dataConstraint == null || dataConstraint == UserDataConstraint.None) return true; - HttpConfiguration httpConfig = HttpChannel.getCurrentHttpChannel().getHttpConfiguration(); + HttpConfiguration httpConfig = Request.getBaseRequest(request).getHttpChannel().getHttpConfiguration(); if (dataConstraint == UserDataConstraint.Confidential || dataConstraint == UserDataConstraint.Integral) { diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java index fbef6ddfcc..38562d525b 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java @@ -29,6 +29,8 @@ import java.util.ArrayList; import java.util.List; import java.util.Properties; +import javax.servlet.ServletRequest; + import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.util.Loader; import org.eclipse.jetty.util.log.Log; @@ -210,7 +212,7 @@ public class JDBCLoginService extends MappedLoginService /* ------------------------------------------------------------ */ @Override - public UserIdentity login(String username, Object credentials) + public UserIdentity login(String username, Object credentials, ServletRequest request) { long now = System.currentTimeMillis(); if (now - _lastHashPurge > _cacheTime || _cacheTime == 0) 
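Review bot: The new `Request.getBaseRequest(request).getHttpChannel().getHttpConfiguration()` in ConstraintSecurityHandler dereferences the lookup result without a null check, and the FormAuthenticator hunks at -235 and -245 do the same with `base_request.setMethod(method)` and `base_request.getResponse()`. `getBaseRequest` is not part of this diff, so whether it can return null for a wrapped or non-Jetty request is an assumption to confirm; if it can, the data-constraint check would fail with a NullPointerException instead of a deliberate denial. In FormAuthenticator the lookup is also hoisted to the top of the method, so it now runs on every call rather than only on the redirect and re-POST paths. I would bind the result to a local and fail closed with a clear message, e.g. `if (baseRequest == null) throw new IllegalStateException("no base Request for " + request);`. The enclosing methods start and end outside these hunks.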
@@ -220,7 +222,7 @@ public class JDBCLoginService extends MappedLoginService closeConnection(); } - return super.login(username,credentials); + return super.login(username,credentials, request); } /* ------------------------------------------------------------ */ diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java index 653f7c69fc..e481ca97d4 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java @@ -18,6 +18,8 @@ package org.eclipse.jetty.security; +import javax.servlet.ServletRequest; + import org.eclipse.jetty.server.UserIdentity; @@ -42,14 +44,15 @@ public interface LoginService /** Login a user. * @param username The user name * @param credentials The users credentials + * @param request TODO * @return A UserIdentity if the credentials matched, otherwise null */ - UserIdentity login(String username,Object credentials); + UserIdentity login(String username,Object credentials, ServletRequest request); /* ------------------------------------------------------------ */ /** Validate a user identity. * Validate that a UserIdentity previously created by a call - * to {@link #login(String, Object)} is still valid. + * to {@link #login(String, Object, ServletRequest)} is still valid. * @param user The user to validate * @return true if authentication has not been revoked for the user. */ diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java index 752fd26a46..70b4c95329 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java 
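Review bot: The Javadoc for the new parameter of `LoginService.login` is left as `@param request TODO`, so implementers of this authentication SPI have no contract for it. The SessionAuthentication hunk at -71 calls `login_service.login(_name,_credentials, null)`, so null is a legal value and every implementation has to tolerate it. I would replace the placeholder with `@param request The request being authenticated, or null when no request is available (e.g. re-login of a deserialized session); implementations must not rely on it being non-null`.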
@@ -27,6 +27,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; import javax.security.auth.Subject; +import javax.servlet.ServletRequest; import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.util.component.AbstractLifeCycle; @@ -208,9 +209,9 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo /* ------------------------------------------------------------ */ /** - * @see org.eclipse.jetty.security.LoginService#login(java.lang.String, java.lang.Object) + * @see org.eclipse.jetty.security.LoginService#login(java.lang.String, java.lang.Object, ServletRequest) */ - public UserIdentity login(String username, Object credentials) + public UserIdentity login(String username, Object credentials, ServletRequest request) { if (username == null) return null; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java index e64cf02f41..ffd4db6939 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java 
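Review bot: Changing `MappedLoginService.login` to the three-argument form means a subclass that still overrides the old `login(String, Object)` without `@Override` keeps compiling but is never called, since LoginAuthenticator now invokes only the new signature. Any check such a subclass added at login (lockout, auditing, extra credential validation) would be skipped silently. Adding `@Override` to the new method and keeping a `@Deprecated public final UserIdentity login(String username, Object credentials) { return login(username, credentials, null); }` overload would turn stale overrides into compile errors. The method body continues outside the hunk.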
@@ -309,33 +309,6 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti getInitParameter(name)==null) setInitParameter(name,context.getInitParameter(name)); } - - //register a session listener to handle securing sessions when authentication is performed - context.getContextHandler().addEventListener(new HttpSessionListener() - { - @Override - public void sessionDestroyed(HttpSessionEvent se) - { - } - - @Override - public void sessionCreated(HttpSessionEvent se) - { - //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user - HttpChannel channel = HttpChannel.getCurrentHttpChannel(); - - if (channel == null) - return; - Request request = channel.getRequest(); - if (request == null) - return; - - if (request.isSecure()) - { - se.getSession().setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE); - } - } - }); } // complicated resolution of login and identity service to handle diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java index cc59b47ebe..3614ab5559 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java @@ -21,6 +21,7 @@ package org.eclipse.jetty.security; import java.util.Properties; import javax.security.auth.Subject; +import javax.servlet.ServletRequest; import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.util.B64Code; 
@@ -112,7 +113,7 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic * username will be null since the credentials will contain all the relevant info */ @Override - public UserIdentity login(String username, Object credentials) + public UserIdentity login(String username, Object credentials, ServletRequest request) { String encodedAuthToken = (String)credentials; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java index c0dd461d3d..a0c71fd31f 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java @@ -235,7 +235,7 @@ public class FormAuthenticator extends LoginAuthenticator //restore the original request's method on this request if (LOG.isDebugEnabled()) LOG.debug("Restoring original method {} for {} with method {}", method, juri,httpRequest.getMethod()); - Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); + Request base_request = Request.getBaseRequest(request); base_request.setMethod(method); } @@ -245,6 +245,9 @@ public class FormAuthenticator extends LoginAuthenticator { HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; + Request base_request = Request.getBaseRequest(request); + Response base_response = base_request.getResponse(); + String uri = request.getRequestURI(); if (uri==null) uri=URIUtil.SLASH; 
@@ -289,8 +292,6 @@ public class FormAuthenticator extends LoginAuthenticator LOG.debug("authenticated {}->{}",form_auth,nuri); response.setContentLength(0); - Request base_request = Request.getBaseRequest(req); - Response base_response = base_request.getResponse(); int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER); base_response.sendRedirect(redirectCode, response.encodeRedirectURL(nuri)); return form_auth; @@ -316,8 +317,6 @@ public class FormAuthenticator extends LoginAuthenticator else { LOG.debug("auth failed {}->{}",username,_formErrorPage); - Response base_response = HttpChannel.getCurrentHttpChannel().getResponse(); - Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER); base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage))); } @@ -357,7 +356,6 @@ public class FormAuthenticator extends LoginAuthenticator if (j_post!=null) { LOG.debug("auth rePOST {}->{}",authentication,j_uri); - Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); base_request.setContentParameters(j_post); } session.removeAttribute(__J_URI); @@ -392,7 +390,6 @@ public class FormAuthenticator extends LoginAuthenticator if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod())) { - Request base_request = (req instanceof Request)?(Request)req:HttpChannel.getCurrentHttpChannel().getRequest(); MultiMap<String> formParameters = new MultiMap<>(); base_request.extractFormParameters(formParameters); session.setAttribute(__J_POST, formParameters); 
@@ -412,8 +409,6 @@ public class FormAuthenticator extends LoginAuthenticator else { LOG.debug("challenge {}->{}",session.getId(),_formLoginPage); - Response base_response = HttpChannel.getCurrentHttpChannel().getResponse(); - Request base_request = HttpChannel.getCurrentHttpChannel().getRequest(); int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER); base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage))); } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java index 0f2e09732b..ea559ff6c7 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java @@ -58,7 +58,7 @@ public abstract class LoginAuthenticator implements Authenticator /* ------------------------------------------------------------ */ public UserIdentity login(String username, Object password, ServletRequest request) { - UserIdentity user = _loginService.login(username,password); + UserIdentity user = _loginService.login(username,password, request); if (user!=null) { renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null)); 
@@ -109,14 +109,14 @@ public abstract class LoginAuthenticator implements Authenticator { //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users //(indicated by SESSION_SECURED not being set on the session) then we should change id - if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE) + if (httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)!=Boolean.TRUE) { if (httpSession instanceof AbstractSession) { AbstractSession abstractSession = (AbstractSession)httpSession; String oldId = abstractSession.getId(); abstractSession.renewId(request); - abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE); + abstractSession.setAttribute(AbstractSession.SESSION_CREATED_SECURE, Boolean.TRUE); if (abstractSession.isIdChanged() && response != null && (response instanceof Response)) ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure())); LOG.debug("renew {}->{}",oldId,abstractSession.getId()); diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java index ddc1732d55..3a7c006b51 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java @@ -71,7 +71,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements if (login_service==null) throw new IllegalStateException("!LoginService"); - _userIdentity=login_service.login(_name,_credentials); + _userIdentity=login_service.login(_name,_credentials, null); LOG.debug("Deserialized and relogged in {}",this); } 
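Review bot: In `renewSession` the session id is renewed at login only when `SESSION_CREATED_SECURE` is not `Boolean.TRUE`, and the listener removed from SecurityHandler in this commit set the old flag from `request.isSecure()`, not from any authentication state. Where the renamed attribute is now set is outside this diff (limited to jetty-security/src), but if it still tracks the transport, a session created over HTTPS before login keeps its id after authentication, which leaves less protection against session fixation than renewing unconditionally. The code also sets `SESSION_CREATED_SECURE` to TRUE after `renewId` regardless of `request.isSecure()`, so the new name does not describe this use, and the comment above the check still refers to `SESSION_SECURED`. I would either renew the id on every successful login or keep a separate attribute for sessions issued after authentication, and update the comment to name the attribute actually tested.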
@@ -89,7 +89,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements if (security!=null) security.logout(this); if (_session!=null) - _session.removeAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED); + _session.removeAttribute(AbstractSession.SESSION_CREATED_SECURE); } @Override diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java index 5d1e3d35fd..77f4dd9475 100644 --- a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java +++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java @@ -20,7 +20,9 @@ package org.eclipse.jetty.security; import java.io.IOException; import java.util.Arrays; + import javax.servlet.ServletException; +import javax.servlet.ServletRequest; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -436,7 +438,7 @@ public class DataConstraintsTest } @Override - public UserIdentity login(String username, Object credentials) + public UserIdentity login(String username, Object credentials, ServletRequest request) { if("admin".equals(username) && "password".equals(credentials)) return new DefaultUserIdentity(null,null,new String[] { "admin" } ); |