Java Code Examples for io.undertow.servlet.spec.HttpSessionImpl#getSession()
The following examples show how to use
io.undertow.servlet.spec.HttpSessionImpl#getSession() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: ServletFormAuthenticationMechanism.java From quarkus-http with Apache License 2.0 | 6 votes |
|
/**
* This method doesn't save content of request but instead uses data from parameter.
* This should be used in case that data from request was already read and therefore it is not possible to save them.
*
* @param exchange
* @param bytes
* @param contentLength
*/
protected void storeInitialLocation(final HttpServerExchange exchange, byte[] bytes, int contentLength) {
if(!saveOriginalRequest) {
return;
}
final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
SessionManager manager = session.getSessionManager();
if (seenSessionManagers.add(manager)) {
manager.registerSessionListener(LISTENER);
}
session.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
if(bytes == null) {
SavedRequest.trySaveRequest(exchange);
} else {
SavedRequest.trySaveRequest(exchange, bytes, contentLength);
}
}
Example 2
| Source File: ServletFormAuthenticationMechanism.java From quarkus-http with Apache License 2.0 | 6 votes |
|
@Override
protected void handleRedirectBack(final HttpServerExchange exchange) {
final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpServletResponse resp = (HttpServletResponse) servletRequestContext.getServletResponse();
HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, false);
if (httpSession != null) {
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
String path = (String) session.getAttribute(SESSION_KEY);
if (path != null) {
try {
resp.sendRedirect(path);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}
}
Example 3
| Source File: JsrWebSocketFilter.java From quarkus-http with Apache License 2.0 | 6 votes |
|
@Override
public void sessionDestroyed(HttpSessionEvent se) {
HttpSessionImpl session = (HttpSessionImpl) se.getSession();
final Session underlying;
if (System.getSecurityManager() == null) {
underlying = session.getSession();
} else {
underlying = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
List<UndertowSession> connections = (List<UndertowSession>) underlying.getAttribute(SESSION_ATTRIBUTE);
if (connections != null) {
synchronized (underlying) {
for (UndertowSession c : connections) {
try {
c.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, ""));
} catch (IOException e) {
UndertowLogger.REQUEST_IO_LOGGER.ioException(e);
}
}
}
}
}
Example 4
| Source File: ServletFormAuthenticationMechanism.java From lams with GNU General Public License v2.0 | 6 votes |
|
/**
* This method doesn't save content of request but instead uses data from parameter.
* This should be used in case that data from request was already read and therefore it is not possible to save them.
*
* @param exchange
* @param bytes
* @param contentLength
*/
protected void storeInitialLocation(final HttpServerExchange exchange, byte[] bytes, int contentLength) {
if(!saveOriginalRequest) {
return;
}
final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
SessionManager manager = session.getSessionManager();
if (seenSessionManagers.add(manager)) {
manager.registerSessionListener(LISTENER);
}
session.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
if(bytes == null) {
SavedRequest.trySaveRequest(exchange);
} else {
SavedRequest.trySaveRequest(exchange, bytes, contentLength);
}
}
Example 5
| Source File: ServletFormAuthenticationMechanism.java From lams with GNU General Public License v2.0 | 6 votes |
|
@Override
protected void handleRedirectBack(final HttpServerExchange exchange) {
final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpServletResponse resp = (HttpServletResponse) servletRequestContext.getServletResponse();
HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, false);
if (httpSession != null) {
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
String path = (String) session.getAttribute(SESSION_KEY);
if (path != null) {
try {
resp.sendRedirect(path);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}
}
Example 6
| Source File: ChangeSessionId.java From keycloak with Apache License 2.0 | 6 votes |
|
public static String changeSessionId(HttpServerExchange exchange, boolean create) {
final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
ServletContextImpl currentServletContext = sc.getCurrentServletContext();
HttpSessionImpl session = currentServletContext.getSession(exchange, create);
if (session == null) {
return null;
}
Session underlyingSession;
if(System.getSecurityManager() == null) {
underlyingSession = session.getSession();
} else {
underlyingSession = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
return underlyingSession.changeSessionId(exchange, currentServletContext.getSessionConfig());
}
Example 7
| Source File: ServletSingleSignOnAuthenticationMechanism.java From quarkus-http with Apache License 2.0 | 5 votes |
|
@Override
protected Session getSession(HttpServerExchange exchange) {
ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
final HttpSessionImpl session = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
if(System.getSecurityManager() == null) {
return session.getSession();
} else {
return AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
}
Example 8
| Source File: CachedAuthenticatedSessionHandler.java From quarkus-http with Apache License 2.0 | 5 votes |
|
protected Session underlyingSession(HttpSessionImpl httpSession) {
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
return session;
}
Example 9
| Source File: SavedRequest.java From quarkus-http with Apache License 2.0 | 5 votes |
|
public static void trySaveRequest(final HttpServerExchange exchange, final byte[] buffer, int length) {
int maxSize = exchange.getUndertowOptions().get(UndertowOptions.MAX_BUFFERED_REQUEST_SIZE, UndertowOptions.DEFAULT_MAX_BUFFERED_REQUEST_SIZE);
if (maxSize > 0) {
if (length > maxSize) {
UndertowLogger.REQUEST_LOGGER.debugf("Request to %s was to large to save", exchange.getRequestURI());
return;//failed to save the request, we just return
}
//TODO: we should really be used pooled buffers
//TODO: we should probably limit the number of saved requests at any given time
HttpHeaders headers = new DefaultHttpHeaders();
for (String entry : exchange.getRequestHeaderNames()) {
if (entry.equals(HttpHeaderNames.CONTENT_LENGTH) ||
entry.equals(HttpHeaderNames.TRANSFER_ENCODING) ||
entry.equals(HttpHeaderNames.CONNECTION)) {
continue;
}
headers.set(entry, exchange.getRequestHeaders(entry));
}
SavedRequest request = new SavedRequest(buffer, length, exchange.getRequestMethod(), exchange.getRelativePath(), headers);
final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true);
Session underlyingSession;
if (System.getSecurityManager() == null) {
underlyingSession = session.getSession();
} else {
underlyingSession = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
underlyingSession.setAttribute(SESSION_KEY, request);
}
}
Example 10
| Source File: ServletSingleSignOnAuthenticationMechanism.java From lams with GNU General Public License v2.0 | 5 votes |
|
@Override
protected Session getSession(HttpServerExchange exchange) {
ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
final HttpSessionImpl session = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
if(System.getSecurityManager() == null) {
return session.getSession();
} else {
return AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
}
Example 11
| Source File: CachedAuthenticatedSessionHandler.java From lams with GNU General Public License v2.0 | 5 votes |
|
protected Session underlyingSession(HttpSessionImpl httpSession) {
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
return session;
}
Example 12
| Source File: SavedRequest.java From lams with GNU General Public License v2.0 | 5 votes |
|
public static void trySaveRequest(final HttpServerExchange exchange, final byte[] buffer, int length) {
int maxSize = exchange.getConnection().getUndertowOptions().get(UndertowOptions.MAX_BUFFERED_REQUEST_SIZE, UndertowOptions.DEFAULT_MAX_BUFFERED_REQUEST_SIZE);
if (maxSize > 0) {
if (length > maxSize) {
UndertowLogger.REQUEST_LOGGER.debugf("Request to %s was to large to save", exchange.getRequestURI());
return;//failed to save the request, we just return
}
//TODO: we should really be used pooled buffers
//TODO: we should probably limit the number of saved requests at any given time
HeaderMap headers = new HeaderMap();
for (HeaderValues entry : exchange.getRequestHeaders()) {
if (entry.getHeaderName().equals(Headers.CONTENT_LENGTH) ||
entry.getHeaderName().equals(Headers.TRANSFER_ENCODING) ||
entry.getHeaderName().equals(Headers.CONNECTION)) {
continue;
}
headers.putAll(entry.getHeaderName(), entry);
}
SavedRequest request = new SavedRequest(buffer, length, exchange.getRequestMethod(), exchange.getRelativePath(), exchange.getRequestHeaders());
final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true);
Session underlyingSession;
if (System.getSecurityManager() == null) {
underlyingSession = session.getSession();
} else {
underlyingSession = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
underlyingSession.setAttribute(SESSION_KEY, request);
}
}
Example 13
| Source File: SsoHandler.java From lams with GNU General Public License v2.0 | 5 votes |
|
/**
* Notifies authentication mechanism where it should redirect after log in. Based on
* ServletFormAuthenticationMechanism method.
*/
private static void handleRedirectBack(ServletRequestContext context, String redirectURL) {
/*
* Prevent HTTP Response Splitting attack by sanitizing redirectURL.
* The attack was possible by changing action of login form to, for example,
* "j_security_check?redirectURL=%0d%0aAppScanHeader:%20AppScanValue%2f1%2e2%2d3%0d%0aSecondAppScanHeader:%20whatever"
* Putting it in redirectURL form field or using another GET parameter ("something", "j_username") did not work.
* The result was a split HTTP response with AppScanHeader and SecondAppScanHeader set, resultint in a security
* threat.
*/
if (redirectURL.contains("\n") || redirectURL.contains("\r")) {
throw new SecurityException(
"redirectURL contains forbidden characters: \\n or \\r. Possible HTTP Response Splitting attack.");
}
HttpSessionImpl httpSession = context.getCurrentServletContext().getSession(context.getExchange(), true);
if (httpSession != null) {
Session session;
if (System.getSecurityManager() == null) {
session = httpSession.getSession();
} else {
session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
session.setAttribute(SsoHandler.REDIRECT_KEY, redirectURL);
}
}
Example 14
| Source File: SavedRequest.java From keycloak with Apache License 2.0 | 5 votes |
|
public static void trySaveRequest(final HttpServerExchange exchange) {
io.undertow.servlet.util.SavedRequest.trySaveRequest(exchange);
final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true);
Session underlyingSession;
if(System.getSecurityManager() == null) {
underlyingSession = session.getSession();
} else {
underlyingSession = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
}
io.undertow.servlet.util.SavedRequest request = (io.undertow.servlet.util.SavedRequest) underlyingSession.removeAttribute(io.undertow.servlet.util.SavedRequest.class.getName());
if (request != null) underlyingSession.setAttribute(SESSION_KEY, request);
}
