Java Code Examples for javax.servlet.SessionTrackingMode

The following examples show how to use javax.servlet.SessionTrackingMode. These examples are extracted from open source projects.
Example 1
Source Project: Tomcat8-Source-Read   Source File: Request.java    License: MIT License
/**
 * Change the ID of the session that this request is associated with. There
 * are several things that may trigger an ID change. These include moving
 * between nodes in a cluster and session fixation prevention during the
 * authentication process.
 *
 * @param newSessionId   The session to change the session ID for
 */
public void changeSessionId(String newSessionId) {
    // This should only ever be called if there was an old session ID but
    // double check to be sure
    if (requestedSessionId != null && requestedSessionId.length() > 0) {
        requestedSessionId = newSessionId;
    }

    Context context = getContext();
    if (context != null &&
            !context.getServletContext()
                    .getEffectiveSessionTrackingModes()
                    .contains(SessionTrackingMode.COOKIE)) {
        return;
    }

    if (response != null) {
        Cookie newCookie = ApplicationSessionCookieConfig.createSessionCookie(context,
                newSessionId, isSecure());
        response.addSessionCookieInternal(newCookie);
    }
}
 
Example 2
Source Project: Tomcat8-Source-Read   Source File: ApplicationContext.java    License: MIT License
private void populateSessionTrackingModes() {
    // URL re-writing is always enabled by default
    defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);
    supportedSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);

    if (context.getCookies()) {
        defaultSessionTrackingModes.add(SessionTrackingMode.COOKIE);
        supportedSessionTrackingModes.add(SessionTrackingMode.COOKIE);
    }

    // SSL not enabled by default as it can only be used on its own
    // Context > Host > Engine > Service
    Connector[] connectors = service.findConnectors();
    // Need at least one SSL enabled connector to use the SSL session ID.
    for (Connector connector : connectors) {
        if (Boolean.TRUE.equals(connector.getAttribute("SSLEnabled"))) {
            supportedSessionTrackingModes.add(SessionTrackingMode.SSL);
            break;
        }
    }
}
 
Example 3
Source Project: Tomcat7.0.67   Source File: Request.java    License: Apache License 2.0
/**
 * Change the ID of the session that this request is associated with. There
 * are several things that may trigger an ID change. These include moving
 * between nodes in a cluster and session fixation prevention during the
 * authentication process.
 *
 * @param newSessionId   The session to change the session ID for
 */
public void changeSessionId(String newSessionId) {
    // This should only ever be called if there was an old session ID but
    // double check to be sure
    if (requestedSessionId != null && requestedSessionId.length() > 0) {
        requestedSessionId = newSessionId;
    }

    if (context != null && !context.getServletContext()
            .getEffectiveSessionTrackingModes().contains(
                    SessionTrackingMode.COOKIE)) {
        return;
    }

    if (response != null) {
        Cookie newCookie =
            ApplicationSessionCookieConfig.createSessionCookie(context,
                    newSessionId, secure);
        response.addSessionCookieInternal(newCookie);
    }
}
 
Example 4
Source Project: Tomcat7.0.67   Source File: ApplicationContext.java    License: Apache License 2.0
private void populateSessionTrackingModes() {
    // URL re-writing is always enabled by default
    defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);
    supportedSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);

    if (context.getCookies()) {
        defaultSessionTrackingModes.add(SessionTrackingMode.COOKIE);
        supportedSessionTrackingModes.add(SessionTrackingMode.COOKIE);
    }

    // SSL not enabled by default as it can only be used on its own
    // Context > Host > Engine > Service
    Service s = ((Engine) context.getParent().getParent()).getService();
    Connector[] connectors = s.findConnectors();
    // Need at least one SSL enabled connector to use the SSL session ID.
    for (Connector connector : connectors) {
        if (Boolean.TRUE.equals(connector.getAttribute("SSLEnabled"))) {
            supportedSessionTrackingModes.add(SessionTrackingMode.SSL);
            break;
        }
    }
}
 
Example 5
Source Project: Tomcat8-Source-Read   Source File: ApplicationContextFacade.java    License: MIT License
@Override
@SuppressWarnings("unchecked") // doPrivileged() returns the correct type
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    if (SecurityUtil.isPackageProtectionEnabled()) {
        return (Set<SessionTrackingMode>)
            doPrivileged("getEffectiveSessionTrackingModes", null);
    } else {
        return context.getEffectiveSessionTrackingModes();
    }
}
 
Example 6
Source Project: Tomcat8-Source-Read   Source File: ApplicationContextFacade.java    License: MIT License
@Override
public void setSessionTrackingModes(
        Set<SessionTrackingMode> sessionTrackingModes) {
    if (SecurityUtil.isPackageProtectionEnabled()) {
        doPrivileged("setSessionTrackingModes",
                new Object[]{sessionTrackingModes});
    } else {
        context.setSessionTrackingModes(sessionTrackingModes);
    }
}
 
Example 7
Source Project: Tomcat8-Source-Read   Source File: ApplicationContext.java    License: MIT License
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    if (sessionTrackingModes != null) {
        return sessionTrackingModes;
    }
    return defaultSessionTrackingModes;
}
 
Example 8
Source Project: Tomcat8-Source-Read   Source File: ApplicationContext.java    License: MIT License
@Override
public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) {

    if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
        throw new IllegalStateException(
                sm.getString("applicationContext.setSessionTracking.ise",
                        getContextPath()));
    }

    // Check that only supported tracking modes have been requested
    for (SessionTrackingMode sessionTrackingMode : sessionTrackingModes) {
        if (!supportedSessionTrackingModes.contains(sessionTrackingMode)) {
            throw new IllegalArgumentException(sm.getString(
                    "applicationContext.setSessionTracking.iae.invalid",
                    sessionTrackingMode.toString(), getContextPath()));
        }
    }

    // Check SSL has not been configured with anything else
    if (sessionTrackingModes.contains(SessionTrackingMode.SSL)) {
        if (sessionTrackingModes.size() > 1) {
            throw new IllegalArgumentException(sm.getString(
                    "applicationContext.setSessionTracking.iae.ssl",
                    getContextPath()));
        }
    }

    this.sessionTrackingModes = sessionTrackingModes;
}
 
Example 9
Source Project: Tomcat8-Source-Read   Source File: TesterRequest.java    License: MIT License
public TesterRequest(boolean withSession) {
    context = new TesterContext();
    servletContext = new TesterServletContext();
    context.setServletContext(servletContext);
    if (withSession) {
        Set<SessionTrackingMode> modes = new HashSet<>();
        modes.add(SessionTrackingMode.URL);
        modes.add(SessionTrackingMode.COOKIE);
        servletContext.setSessionTrackingModes(modes);
        session = new StandardSession(null);
        session.setId("1234", false);
        session.setValid(true);
    }
}
 
Example 10
Source Project: Tomcat7.0.67   Source File: ApplicationContext.java    License: Apache License 2.0
/**
 * Return the supplied value if one was previously set, else return the
 * defaults.
 */
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    if (sessionTrackingModes != null) {
        return sessionTrackingModes;
    }
    return defaultSessionTrackingModes;
}
 
Example 11
Source Project: Tomcat7.0.67   Source File: ApplicationContext.java    License: Apache License 2.0
/**
 * @throws IllegalStateException if the context has already been initialised
 * @throws IllegalArgumentException If SSL is requested in combination with
 *                                  anything else or if an unsupported
 *                                  tracking mode is requested
 */
@Override
public void setSessionTrackingModes(
        Set<SessionTrackingMode> sessionTrackingModes) {

    if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
        throw new IllegalStateException(
                sm.getString("applicationContext.setSessionTracking.ise",
                        getContextPath()));
    }

    // Check that only supported tracking modes have been requested
    for (SessionTrackingMode sessionTrackingMode : sessionTrackingModes) {
        if (!supportedSessionTrackingModes.contains(sessionTrackingMode)) {
            throw new IllegalArgumentException(sm.getString(
                    "applicationContext.setSessionTracking.iae.invalid",
                    sessionTrackingMode.toString(), getContextPath()));
        }
    }

    // Check SSL has not been configured with anything else
    if (sessionTrackingModes.contains(SessionTrackingMode.SSL)) {
        if (sessionTrackingModes.size() > 1) {
            throw new IllegalArgumentException(sm.getString(
                    "applicationContext.setSessionTracking.iae.ssl",
                    getContextPath()));
        }
    }

    this.sessionTrackingModes = sessionTrackingModes;
}
 
Example 12
Source Project: lams   Source File: ServletContextImpl.java    License: GNU General Public License v2.0
@Override
public void setSessionTrackingModes(final Set<SessionTrackingMode> sessionTrackingModes) {
    ensureNotProgramaticListener();
    ensureNotInitialized();
    if (sessionTrackingModes.size() > 1 && sessionTrackingModes.contains(SessionTrackingMode.SSL)) {
        throw UndertowServletMessages.MESSAGES.sslCannotBeCombinedWithAnyOtherMethod();
    }
    this.sessionTrackingModes = new HashSet<>(sessionTrackingModes);
    //TODO: actually make this work
}
 
Example 13
Source Project: quarkus-http   Source File: ServletContextImpl.java    License: Apache License 2.0
@Override
public void setSessionTrackingModes(final Set<SessionTrackingMode> sessionTrackingModes) {
    ensureNotProgramaticListener();
    ensureNotInitialized();
    if (sessionTrackingModes.size() > 1 && sessionTrackingModes.contains(SessionTrackingMode.SSL)) {
        throw UndertowServletMessages.MESSAGES.sslCannotBeCombinedWithAnyOtherMethod();
    }
    this.sessionTrackingModes = new HashSet<>(sessionTrackingModes);
    //TODO: actually make this work
}
 
Example 14
Source Project: quarkus-http   Source File: HttpServletResponseImpl.java    License: Apache License 2.0
/**
 * Return <code>true</code> if the specified URL should be encoded with
 * a session identifier.  This will be true if all of the following
 * conditions are met:
 * <ul>
 * <li>The request we are responding to asked for a valid session
 * <li>The requested session ID was not received via a cookie
 * <li>The specified URL points back to somewhere within the web
 * application that is responding to this request
 * </ul>
 *
 * @param location Absolute URL to be validated
 */
private boolean isEncodeable(final String location) {

    if (location == null)
        return (false);

    // Is this an intra-document reference?
    if (location.startsWith("#"))
        return (false);

    // Are we in a valid session that is not using cookies?
    final HttpServletRequestImpl hreq = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getOriginalRequest();

    // Is URL encoding permitted
    if (!originalServletContext.getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL)) {
        return false;
    }

    final HttpSession session = hreq.getSession(false);
    if (session == null) {
        return false;
    } else if(hreq.isRequestedSessionIdFromCookie()) {
        return false;
    } else if (!hreq.isRequestedSessionIdFromURL() && !session.isNew()) {
        return false;
    }

    return doIsEncodeable(hreq, session, location);
}
 
Example 15
@BeforeClass
public static void setup() {
    DeploymentUtils.setupServlet(new ServletExtension() {
        @Override
        public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
            deploymentInfo.setServletSessionConfig(new ServletSessionConfig().setSessionTrackingModes(Collections.singleton(SessionTrackingMode.URL)));
        }
    }, Servlets.servlet(URLRewritingServlet.class).addMapping("/foo"));
}
 
Example 16
Source Project: Spring-5.0-Cookbook   Source File: SpringWebInitializer.java    License: MIT License
private void addRootContext(ServletContext container) {
  // Create the application context
  AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
  rootContext.register(SpringContextConfig.class);

  // Register application context with ContextLoaderListener
  container.addListener(new ContextLoaderListener(rootContext));
  container.addListener(new AppSessionListener());
  container.setInitParameter("contextConfigLocation", "org.packt.secured.mvc.core");
  container.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE)); // if URL, enable sessionManagement URL rewriting
}
 
Example 17
Source Project: Spring-5.0-Cookbook   Source File: SpringWebinitializer.java    License: MIT License
private void addRootContext(ServletContext container) {
  // Create the application context
  AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
  rootContext.register(SpringContextConfig.class);

  // Register application context with ContextLoaderListener
  container.addListener(new ContextLoaderListener(rootContext));
  container.setInitParameter("contextConfigLocation", "org.packt.web.reactor.security.config");
  container.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE)); // if URL, enable sessionManagement URL rewriting
}
 
Example 18
Source Project: Tomcat7.0.67   Source File: ApplicationContextFacade.java    License: Apache License 2.0
@Override
@SuppressWarnings("unchecked") // doPrivileged() returns the correct type
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
    if (SecurityUtil.isPackageProtectionEnabled()) {
        return (Set<SessionTrackingMode>)
            doPrivileged("getDefaultSessionTrackingModes", null);
    } else {
        return context.getDefaultSessionTrackingModes();
    }
}
 
Example 19
/**
 * Constructor.
 */
public DefaultHttpSessionManager() {
    attributeListeners = new ArrayList<>(1);
    defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.COOKIE);
    idListeners = new ArrayList<>(1);
    name = "JSESSIONID";
    sessionListeners = new ArrayList<>(1);
    sessionTimeout = 10;
    sessions = new ConcurrentHashMap<>();
}
 
Example 20
/**
 * Test getEffectiveSessionTrackingModes method.
 */
@Test
public void testGetEffectiveSessionTrackingModes() {
    DefaultWebApplication webApp = new DefaultWebApplication();
    Set<SessionTrackingMode> trackingModes = EnumSet.of(SessionTrackingMode.URL);
    webApp.setSessionTrackingModes(trackingModes);
    assertTrue(webApp.getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL));
}
 
Example 21
Source Project: Tomcat7.0.67   Source File: ApplicationContextFacade.java    License: Apache License 2.0
@Override
public void setSessionTrackingModes(
        Set<SessionTrackingMode> sessionTrackingModes) {
    if (SecurityUtil.isPackageProtectionEnabled()) {
        doPrivileged("setSessionTrackingModes",
                new Object[]{sessionTrackingModes});
    } else {
        context.setSessionTrackingModes(sessionTrackingModes);
    }
}
 
Example 22
Source Project: Tomcat7.0.67   Source File: ApplicationContextFacade.java    License: Apache License 2.0
@Override
@SuppressWarnings("unchecked") // doPrivileged() returns the correct type
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    if (SecurityUtil.isPackageProtectionEnabled()) {
        return (Set<SessionTrackingMode>)
            doPrivileged("getEffectiveSessionTrackingModes", null);
    } else {
        return context.getEffectiveSessionTrackingModes();
    }
}
 
Example 23
Source Project: Tomcat8-Source-Read   Source File: Response.java    License: MIT License
/**
 * Return <code>true</code> if the specified URL should be encoded with
 * a session identifier.  This will be true if all of the following
 * conditions are met:
 * <ul>
 * <li>The request we are responding to asked for a valid session
 * <li>The requested session ID was not received via a cookie
 * <li>The specified URL points back to somewhere within the web
 *     application that is responding to this request
 * </ul>
 *
 * @param location Absolute URL to be validated
 * @return <code>true</code> if the URL should be encoded
 */
protected boolean isEncodeable(final String location) {

    if (location == null) {
        return false;
    }

    // Is this an intra-document reference?
    if (location.startsWith("#")) {
        return false;
    }

    // Are we in a valid session that is not using cookies?
    final Request hreq = request;
    final Session session = hreq.getSessionInternal(false);
    if (session == null) {
        return false;
    }
    if (hreq.isRequestedSessionIdFromCookie()) {
        return false;
    }

    // Is URL encoding permitted
    if (!hreq.getServletContext().getEffectiveSessionTrackingModes().
            contains(SessionTrackingMode.URL)) {
        return false;
    }

    if (SecurityUtil.isPackageProtectionEnabled()) {
        return (
            AccessController.doPrivileged(new PrivilegedAction<Boolean>() {

            @Override
            public Boolean run(){
                return Boolean.valueOf(doIsEncodeable(hreq, session, location));
            }
        })).booleanValue();
    } else {
        return doIsEncodeable(hreq, session, location);
    }
}
 
Example 24
Source Project: Tomcat8-Source-Read   Source File: CoyoteAdapter.java    License: MIT License
/**
 * Parse session id in Cookie.
 *
 * @param request The Servlet request object
 */
protected void parseSessionCookiesId(Request request) {

    // If session tracking via cookies has been disabled for the current
    // context, don't go looking for a session ID in a cookie as a cookie
    // from a parent context with a session ID may be present which would
    // overwrite the valid session ID encoded in the URL
    Context context = request.getMappingData().context;
    if (context != null && !context.getServletContext()
            .getEffectiveSessionTrackingModes().contains(
                    SessionTrackingMode.COOKIE)) {
        return;
    }

    // Parse session id from cookies
    ServerCookies serverCookies = request.getServerCookies();
    int count = serverCookies.getCookieCount();
    if (count <= 0) {
        return;
    }

    String sessionCookieName = SessionConfig.getSessionCookieName(context);

    for (int i = 0; i < count; i++) {
        ServerCookie scookie = serverCookies.getCookie(i);
        if (scookie.getName().equals(sessionCookieName)) {
            // Override anything requested in the URL
            if (!request.isRequestedSessionIdFromCookie()) {
                // Accept only the first session id cookie
                convertMB(scookie.getValue());
                request.setRequestedSessionId
                    (scookie.getValue().toString());
                request.setRequestedSessionCookie(true);
                request.setRequestedSessionURL(false);
                if (log.isDebugEnabled()) {
                    log.debug(" Requested cookie session id is " +
                        request.getRequestedSessionId());
                }
            } else {
                if (!request.isRequestedSessionIdValid()) {
                    // Replace the session id until one is valid
                    convertMB(scookie.getValue());
                    request.setRequestedSessionId
                        (scookie.getValue().toString());
                }
            }
        }
    }

}
 
Example 25
Source Project: lams   Source File: ServletSessionConfig.java    License: GNU General Public License v2.0
public ServletSessionConfig setSessionTrackingModes(final Set<SessionTrackingMode> sessionTrackingModes) {
    this.sessionTrackingModes = sessionTrackingModes;
    return this;
}
 
Example 26
Source Project: Tomcat7.0.67   Source File: TesterServletContext.java    License: Apache License 2.0
@Override
public void setSessionTrackingModes(
        Set<SessionTrackingMode> sessionTrackingModes) {
    this.sessionTrackingModes.clear();
    this.sessionTrackingModes.addAll(sessionTrackingModes);
}
 
Example 27
Source Project: Tomcat8-Source-Read   Source File: ApplicationContext.java    License: MIT License
@Override
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
    return defaultSessionTrackingModes;
}
 
Example 28
Source Project: Tomcat8-Source-Read   Source File: SessionConfig.java    License: MIT License
public EnumSet<SessionTrackingMode> getSessionTrackingModes() {
    return sessionTrackingModes;
}
 
Example 29
Source Project: Tomcat8-Source-Read   Source File: SessionConfig.java    License: MIT License
public void addSessionTrackingMode(String sessionTrackingMode) {
    sessionTrackingModes.add(
            SessionTrackingMode.valueOf(sessionTrackingMode));
}
 
Example 30
Source Project: Tomcat8-Source-Read   Source File: JspCServletContext.java    License: MIT License
@Override
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
    return EnumSet.noneOf(SessionTrackingMode.class);
}