authorGreg Wilkins2015-01-08 09:03:05 -0500
committerGreg Wilkins2015-01-08 09:03:05 -0500
commitc23f21c761ff56f2ad4841a98083b237494442de (patch)
treeb9bd3735791afe56b760d6dad8f83472bade9d4a /jetty-security
parent12f84c95920b120a5f96892cdd8f5216c961c49d (diff)
456956 Reduce ThreadLocal.remove() weak reference garbage
removed getCurrentChannel thread local
Diffstat (limited to 'jetty-security')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java2
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java6
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java7
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java5
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java27
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java3
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java13
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java6
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java4
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java4
10 files changed, 27 insertions, 50 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index 28b2f59b5c..f15e20113b 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -675,7 +675,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
if (dataConstraint == null || dataConstraint == UserDataConstraint.None)
return true;
- HttpConfiguration httpConfig = HttpChannel.getCurrentHttpChannel().getHttpConfiguration();
+ HttpConfiguration httpConfig = Request.getBaseRequest(request).getHttpChannel().getHttpConfiguration();
if (dataConstraint == UserDataConstraint.Confidential || dataConstraint == UserDataConstraint.Integral)
{
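Review bot: The new `Request.getBaseRequest(request).getHttpChannel()` chain is dereferenced without a null check inside the data-constraint check. If `getBaseRequest` can return null for a wrapped request that does not unwrap to a Jetty `Request` (its implementation is not part of this diff), the confidential/integral decision ends in a NullPointerException instead of an explicit refusal. I would hold the base request in a local and refuse explicitly, e.g. `if (baseRequest == null) return false;`, assuming `false` means "not permitted" here as the `return true` for the no-constraint case suggests. The same unguarded pattern appears in FormAuthenticator, at `base_request.setMethod(method)` and at the hoisted `base_request.getResponse()`, which now runs near the top of its method instead of only in the redirect branches. The enclosing method starts and ends outside this hunk.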
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
index fbef6ddfcc..38562d525b 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
@@ -29,6 +29,8 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
+import javax.servlet.ServletRequest;
+
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.Loader;
import org.eclipse.jetty.util.log.Log;
@@ -210,7 +212,7 @@ public class JDBCLoginService extends MappedLoginService
/* ------------------------------------------------------------ */
@Override
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
{
long now = System.currentTimeMillis();
if (now - _lastHashPurge > _cacheTime || _cacheTime == 0)
@@ -220,7 +222,7 @@ public class JDBCLoginService extends MappedLoginService
closeConnection();
}
- return super.login(username,credentials);
+ return super.login(username,credentials, request);
}
/* ------------------------------------------------------------ */
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
index 653f7c69fc..e481ca97d4 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
@@ -18,6 +18,8 @@
package org.eclipse.jetty.security;
+import javax.servlet.ServletRequest;
+
import org.eclipse.jetty.server.UserIdentity;
@@ -42,14 +44,15 @@ public interface LoginService
/** Login a user.
* @param username The user name
* @param credentials The users credentials
+ * @param request TODO
* @return A UserIdentity if the credentials matched, otherwise null
*/
- UserIdentity login(String username,Object credentials);
+ UserIdentity login(String username,Object credentials, ServletRequest request);
/* ------------------------------------------------------------ */
/** Validate a user identity.
* Validate that a UserIdentity previously created by a call
- * to {@link #login(String, Object)} is still valid.
+ * to {@link #login(String, Object, ServletRequest)} is still valid.
* @param user The user to validate
* @return true if authentication has not been revoked for the user.
*/
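Review bot: The new `request` parameter is documented only as `TODO`, so implementers of this interface cannot tell what they may rely on. SessionAuthentication in this same commit calls `login(_name,_credentials, null)`, so the contract should state that the argument may be null, for example `@param request The request being authenticated, or null when none is available (e.g. re-login after session deserialization)`. Implementations that consult the request when making a login decision need that stated, otherwise they will throw a NullPointerException on that path.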
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
index 752fd26a46..70b4c95329 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
@@ -27,6 +27,7 @@ import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.security.auth.Subject;
+import javax.servlet.ServletRequest;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
@@ -208,9 +209,9 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
/* ------------------------------------------------------------ */
/**
- * @see org.eclipse.jetty.security.LoginService#login(java.lang.String, java.lang.Object)
+ * @see org.eclipse.jetty.security.LoginService#login(java.lang.String, java.lang.Object, ServletRequest)
*/
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
{
if (username == null)
return null;
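Review bot: Replacing the two-argument `login` in place means a subclass of this class that still overrides `login(String, Object)` without `@Override` keeps compiling, but its method is no longer called, since LoginAuthenticator now invokes the three-argument form. Any additional credential checks such a subclass performed would be skipped silently. Adding `@Override` to this method, and keeping a deprecated `public final UserIdentity login(String username, Object credentials)` that delegates with a null request, would make stale overrides fail at compile time. The method body continues outside this hunk.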
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index e64cf02f41..ffd4db6939 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -309,33 +309,6 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
getInitParameter(name)==null)
setInitParameter(name,context.getInitParameter(name));
}
-
- //register a session listener to handle securing sessions when authentication is performed
- context.getContextHandler().addEventListener(new HttpSessionListener()
- {
- @Override
- public void sessionDestroyed(HttpSessionEvent se)
- {
- }
-
- @Override
- public void sessionCreated(HttpSessionEvent se)
- {
- //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
- HttpChannel channel = HttpChannel.getCurrentHttpChannel();
-
- if (channel == null)
- return;
- Request request = channel.getRequest();
- if (request == null)
- return;
-
- if (request.isSecure())
- {
- se.getSession().setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
- }
- }
- });
}
// complicated resolution of login and identity service to handle
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
index cc59b47ebe..3614ab5559 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
@@ -21,6 +21,7 @@ package org.eclipse.jetty.security;
import java.util.Properties;
import javax.security.auth.Subject;
+import javax.servlet.ServletRequest;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.B64Code;
@@ -112,7 +113,7 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
* username will be null since the credentials will contain all the relevant info
*/
@Override
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
{
String encodedAuthToken = (String)credentials;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index c0dd461d3d..a0c71fd31f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -235,7 +235,7 @@ public class FormAuthenticator extends LoginAuthenticator
//restore the original request's method on this request
if (LOG.isDebugEnabled()) LOG.debug("Restoring original method {} for {} with method {}", method, juri,httpRequest.getMethod());
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
+ Request base_request = Request.getBaseRequest(request);
base_request.setMethod(method);
}
@@ -245,6 +245,9 @@ public class FormAuthenticator extends LoginAuthenticator
{
HttpServletRequest request = (HttpServletRequest)req;
HttpServletResponse response = (HttpServletResponse)res;
+ Request base_request = Request.getBaseRequest(request);
+ Response base_response = base_request.getResponse();
+
String uri = request.getRequestURI();
if (uri==null)
uri=URIUtil.SLASH;
@@ -289,8 +292,6 @@ public class FormAuthenticator extends LoginAuthenticator
LOG.debug("authenticated {}->{}",form_auth,nuri);
response.setContentLength(0);
- Request base_request = Request.getBaseRequest(req);
- Response base_response = base_request.getResponse();
int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
base_response.sendRedirect(redirectCode, response.encodeRedirectURL(nuri));
return form_auth;
@@ -316,8 +317,6 @@ public class FormAuthenticator extends LoginAuthenticator
else
{
LOG.debug("auth failed {}->{}",username,_formErrorPage);
- Response base_response = HttpChannel.getCurrentHttpChannel().getResponse();
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage)));
}
@@ -357,7 +356,6 @@ public class FormAuthenticator extends LoginAuthenticator
if (j_post!=null)
{
LOG.debug("auth rePOST {}->{}",authentication,j_uri);
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
base_request.setContentParameters(j_post);
}
session.removeAttribute(__J_URI);
@@ -392,7 +390,6 @@ public class FormAuthenticator extends LoginAuthenticator
if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod()))
{
- Request base_request = (req instanceof Request)?(Request)req:HttpChannel.getCurrentHttpChannel().getRequest();
MultiMap<String> formParameters = new MultiMap<>();
base_request.extractFormParameters(formParameters);
session.setAttribute(__J_POST, formParameters);
@@ -412,8 +409,6 @@ public class FormAuthenticator extends LoginAuthenticator
else
{
LOG.debug("challenge {}->{}",session.getId(),_formLoginPage);
- Response base_response = HttpChannel.getCurrentHttpChannel().getResponse();
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage)));
}
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index 0f2e09732b..ea559ff6c7 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -58,7 +58,7 @@ public abstract class LoginAuthenticator implements Authenticator
/* ------------------------------------------------------------ */
public UserIdentity login(String username, Object password, ServletRequest request)
{
- UserIdentity user = _loginService.login(username,password);
+ UserIdentity user = _loginService.login(username,password, request);
if (user!=null)
{
renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
@@ -109,14 +109,14 @@ public abstract class LoginAuthenticator implements Authenticator
{
//if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
//(indicated by SESSION_SECURED not being set on the session) then we should change id
- if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+ if (httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)!=Boolean.TRUE)
{
if (httpSession instanceof AbstractSession)
{
AbstractSession abstractSession = (AbstractSession)httpSession;
String oldId = abstractSession.getId();
abstractSession.renewId(request);
- abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ abstractSession.setAttribute(AbstractSession.SESSION_CREATED_SECURE, Boolean.TRUE);
if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
LOG.debug("renew {}->{}",oldId,abstractSession.getId());
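Review bot: The comment above the renamed check still refers to `SESSION_SECURED` and to sessions seen by non-authenticated users, while the attribute is now `SESSION_CREATED_SECURE`, so the comment no longer describes the condition. The listener that set the old attribute is removed from SecurityHandler in this commit and whatever sets the new one lies outside this jetty-security diff, so the skip condition cannot be verified from here. If the flag only records that the session was created on a secure transport, a session created over TLS before login would keep its id across authentication; that is worth confirming, because transport security alone does not show the id was never exposed before login. A comment such as `// renew the id unless the session is flagged SESSION_CREATED_SECURE` would at least match the code. The enclosing method starts and ends outside this hunk.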
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index ddc1732d55..3a7c006b51 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -71,7 +71,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements
if (login_service==null)
throw new IllegalStateException("!LoginService");
- _userIdentity=login_service.login(_name,_credentials);
+ _userIdentity=login_service.login(_name,_credentials, null);
LOG.debug("Deserialized and relogged in {}",this);
}
@@ -89,7 +89,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements
if (security!=null)
security.logout(this);
if (_session!=null)
- _session.removeAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
+ _session.removeAttribute(AbstractSession.SESSION_CREATED_SECURE);
}
@Override
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
index 5d1e3d35fd..77f4dd9475 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
@@ -20,7 +20,9 @@ package org.eclipse.jetty.security;
import java.io.IOException;
import java.util.Arrays;
+
import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -436,7 +438,7 @@ public class DataConstraintsTest
}
@Override
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
{
if("admin".equals(username) && "password".equals(credentials))
return new DefaultUserIdentity(null,null,new String[] { "admin" } );
