author | Jan Bartel | 2012-07-27 05:31:34 +0000 |
---|---|---|
committer | Jan Bartel | 2012-07-27 05:31:34 +0000 |
commit | 748f06cad7901d7a54d33bfba4f45e67993b73b4 (patch) | |
tree | bb4bc134ce83ccb89ce457057a7f1ad8c4aa4b68 /jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java | |
parent | 2de6fa5c3557008565c61da25e6f75ff1f736217 (diff) | |
JETTY-1529 Ensure new session that has just been authenticated does not get renewed
Diffstat (limited to 'jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java')
-rw-r--r-- | jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index d6f69bbb91..6d8794e8eb 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -24,8 +24,11 @@ import java.util.Set;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
 import org.eclipse.jetty.security.authentication.DeferredAuthentication;
+import org.eclipse.jetty.server.AbstractHttpConnection;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Request;
@@ -34,6 +37,7 @@ import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.server.handler.ContextHandler.Context;
 import org.eclipse.jetty.server.handler.HandlerWrapper;
+import org.eclipse.jetty.server.session.AbstractSessionManager;
 import org.eclipse.jetty.util.component.LifeCycle;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -286,6 +290,32 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
 getInitParameter(name)==null)
 setInitParameter(name,context.getInitParameter(name));
 }
+
+ //register a session listener to handle securing sessions when authentication is performed
+ context.getContextHandler().addEventListener(new HttpSessionListener()
+ {
+
+ public void sessionDestroyed(HttpSessionEvent se)
+ {
+
+ }
+
+ public void sessionCreated(HttpSessionEvent se)
+ {
+ //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
+ AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
+ if (connection == null)
+ return;
+ Request request = connection.getRequest();
+ if (request == null)
+ return;
+
+ if (request.isSecure())
+ {
+ se.getSession().setAttribute(AbstractSessionManager.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ }
+ }
+ });
 }
 // complicated resolution of login and identity service to handle |
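Review bot: The guard in `sessionCreated` tests `request.isSecure()`, which in the servlet API reports whether the request arrived over a secure channel such as HTTPS, while the comment directly above it and the commit title both speak of an authenticated request. As written, a session created by an anonymous HTTPS request would also receive `SESSION_KNOWN_ONLY_TO_AUTHENTICATED`; if that attribute is what suppresses session-id renewal at login (its consumer is not visible in this hunk), such a session would keep its pre-login id, which is the session-fixation case that renewal exists to prevent. Either gate the attribute on the request's authentication state rather than on the transport, or, if HTTPS really is the intended condition, reword the comment to say so, e.g. `//session was created over a secure channel and has not been sent in clear text, so it need not be renewed on login`. The enclosing method begins outside the hunk, so whether this listener is registered once or again on every start cannot be confirmed from here.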