javax.servlet.SessionTrackingMode Java Examples

The following examples show how to use javax.servlet.SessionTrackingMode.
Example #1
Source File: ApplicationContext.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Populates the default and the supported session tracking mode sets for
 * this context.
 * <p>
 * URL is always placed in both sets. COOKIE is added to both sets when
 * {@code context.getCookies()} is true. SSL is added to the supported set
 * only, and only when at least one connector of the owning service reports
 * the {@code SSLEnabled} attribute as {@code Boolean.TRUE}.
 * <p>
 * Security note: URL is part of the default set, so an application that
 * never restricts its tracking modes may have the session ID carried in
 * URLs, where it is exposed to access logs, Referer headers and copied
 * links. Cookie-only tracking has to be requested explicitly, for example
 * through {@code setSessionTrackingModes} or the {@code <tracking-mode>}
 * element of the deployment descriptor.
 */
private void populateSessionTrackingModes() {
    // Both sets start with URL rewriting; it is not conditional on anything.
    defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);
    supportedSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);

    final boolean cookiesEnabled = context.getCookies();
    if (cookiesEnabled) {
        supportedSessionTrackingModes.add(SessionTrackingMode.COOKIE);
        defaultSessionTrackingModes.add(SessionTrackingMode.COOKIE);
    }

    // SSL is never a default because it cannot be combined with another mode.
    // The container hierarchy walked here is Context > Host > Engine > Service.
    Engine engine = (Engine) context.getParent().getParent();
    for (Connector candidate : engine.getService().findConnectors()) {
        Object sslEnabled = candidate.getAttribute("SSLEnabled");
        if (Boolean.TRUE.equals(sslEnabled)) {
            // One SSL-enabled connector is enough to support SSL session IDs.
            supportedSessionTrackingModes.add(SessionTrackingMode.SSL);
            return;
        }
    }
}
 
Example #2
Source File: ApplicationContext.java    From Tomcat8-Source-Read with MIT License
/**
 * Fills in the default and supported session tracking modes.
 * <p>
 * URL always goes into both sets, COOKIE goes into both when the context
 * has cookies enabled, and SSL goes into the supported set only when one of
 * the connectors returned by {@code service.findConnectors()} has
 * {@code SSLEnabled} set to {@code Boolean.TRUE}.
 * <p>
 * Security note: with URL in the default set, the session ID can end up in
 * request URLs (and from there in logs, Referer headers and shared links)
 * unless the application narrows its tracking modes to COOKIE.
 */
private void populateSessionTrackingModes() {
    // URL rewriting is unconditionally part of both sets.
    defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);
    supportedSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL);

    if (context.getCookies()) {
        defaultSessionTrackingModes.add(SessionTrackingMode.COOKIE);
        supportedSessionTrackingModes.add(SessionTrackingMode.COOKIE);
    }

    // SSL stays out of the defaults: it can only be used on its own.
    // Scan the connectors until the first SSL-enabled one is found.
    final Connector[] available = service.findConnectors();
    boolean sslConnectorPresent = false;
    for (int i = 0; i < available.length && !sslConnectorPresent; i++) {
        sslConnectorPresent = Boolean.TRUE.equals(available[i].getAttribute("SSLEnabled"));
    }
    if (sslConnectorPresent) {
        supportedSessionTrackingModes.add(SessionTrackingMode.SSL);
    }
}
 
Example #3
Source File: Request.java    From Tomcat8-Source-Read with MIT License
/**
 * Changes the ID of the session associated with this request. Triggers for
 * an ID change include moving between nodes in a cluster and session
 * fixation prevention during authentication.
 * <p>
 * The session cookie is re-issued only when COOKIE is among the effective
 * session tracking modes of the context (or when no context is available,
 * in which case the check is skipped) and a response is present.
 *
 * @param newSessionId the new session ID to associate with this request
 */
public void changeSessionId(String newSessionId) {
    // Only overwrite the requested ID if the request actually carried one.
    final boolean hadRequestedId =
            requestedSessionId != null && !requestedSessionId.isEmpty();
    if (hadRequestedId) {
        requestedSessionId = newSessionId;
    }

    Context context = getContext();
    if (context != null) {
        boolean cookiesTracked = context.getServletContext()
                .getEffectiveSessionTrackingModes()
                .contains(SessionTrackingMode.COOKIE);
        if (!cookiesTracked) {
            // Cookie tracking is off: no cookie is sent for the new ID.
            return;
        }
    }

    if (response == null) {
        return;
    }

    // NOTE(review): context may still be null here; confirm that
    // createSessionCookie tolerates a null context.
    Cookie replacement = ApplicationSessionCookieConfig.createSessionCookie(
            context, newSessionId, isSecure());
    response.addSessionCookieInternal(replacement);
}
 
Example #4
Source File: Request.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Replaces the session ID this request is associated with. An ID change
 * can be triggered by, among other things, a move between cluster nodes or
 * session fixation prevention during the authentication process.
 * <p>
 * A fresh session cookie is added to the response unless the context is
 * known and COOKIE is not one of its effective tracking modes, or there is
 * no response to add it to.
 *
 * @param newSessionId the new session ID for this request
 */
public void changeSessionId(String newSessionId) {
    // Defensive: this is expected to run only when an old ID was requested.
    final boolean noRequestedId =
            requestedSessionId == null || requestedSessionId.length() == 0;
    if (!noRequestedId) {
        requestedSessionId = newSessionId;
    }

    final boolean cookieTrackingDisabled = context != null
            && !context.getServletContext()
                    .getEffectiveSessionTrackingModes()
                    .contains(SessionTrackingMode.COOKIE);
    if (cookieTrackingDisabled || response == null) {
        return;
    }

    // The cookie carries the rotated ID; the secure flag follows this request.
    Cookie rotated = ApplicationSessionCookieConfig.createSessionCookie(
            context, newSessionId, secure);
    response.addSessionCookieInternal(rotated);
}
 
Example #5
Source File: ServletURLRewritingSessionTestCase.java    From quarkus-http with Apache License 2.0
/**
 * Deploys {@link URLRewritingServlet} under {@code /foo} with session
 * tracking restricted to URL rewriting only.
 * <p>
 * URL-only tracking is what this test case exercises; it puts the session
 * ID into URLs, so it is a test fixture choice rather than a template for
 * production configuration.
 */
@BeforeClass
public static void setup() {
    // Extension that forces the deployment into URL-only session tracking.
    final ServletExtension urlOnlyTracking = new ServletExtension() {
        @Override
        public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
            deploymentInfo.setServletSessionConfig(
                    new ServletSessionConfig().setSessionTrackingModes(
                            Collections.singleton(SessionTrackingMode.URL)));
        }
    };

    DeploymentUtils.setupServlet(
            urlOnlyTracking,
            Servlets.servlet(URLRewritingServlet.class).addMapping("/foo"));
}
 
Example #6
Source File: ApplicationContext.java    From Tomcat8-Source-Read with MIT License
/**
 * Returns the explicitly configured session tracking modes when they have
 * been set, otherwise the defaults.
 * <p>
 * NOTE(review): the stored set is returned as-is, neither copied nor
 * wrapped, so callers receive the same instance this context holds.
 *
 * @return the configured modes, or the default modes if none were set
 */
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    return sessionTrackingModes != null ? sessionTrackingModes : defaultSessionTrackingModes;
}
 
Example #7
Source File: ApplicationContextFacade.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Returns the effective session tracking modes of the wrapped context.
 * <p>
 * When package protection is enabled the call is routed through
 * {@code doPrivileged} (defined elsewhere in this class) instead of being
 * made on the wrapped context directly.
 *
 * @return the effective session tracking modes
 */
@Override
@SuppressWarnings("unchecked") // doPrivileged() returns the correct type
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    if (!SecurityUtil.isPackageProtectionEnabled()) {
        return context.getEffectiveSessionTrackingModes();
    }
    return (Set<SessionTrackingMode>)
            doPrivileged("getEffectiveSessionTrackingModes", null);
}
 
Example #8
Source File: ApplicationContext.java    From Tomcat8-Source-Read with MIT License
/**
 * Sets the session tracking modes for this context after validating them.
 * <p>
 * NOTE(review): the validated set is stored by reference, so a caller that
 * keeps and later mutates it would change the stored modes without passing
 * through the checks below.
 *
 * @param sessionTrackingModes the requested tracking modes
 * @throws IllegalStateException if the context state is not
 *                               {@code STARTING_PREP}
 * @throws IllegalArgumentException if a requested mode is not in the
 *                                  supported set, or if SSL is requested
 *                                  together with any other mode
 */
@Override
public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) {

    // Tracking modes may only be changed while the context is being prepared.
    final boolean configurable =
            context.getState().equals(LifecycleState.STARTING_PREP);
    if (!configurable) {
        throw new IllegalStateException(
                sm.getString("applicationContext.setSessionTracking.ise",
                        getContextPath()));
    }

    // Reject the first requested mode that is not supported.
    for (SessionTrackingMode requested : sessionTrackingModes) {
        if (supportedSessionTrackingModes.contains(requested)) {
            continue;
        }
        throw new IllegalArgumentException(sm.getString(
                "applicationContext.setSessionTracking.iae.invalid",
                requested.toString(), getContextPath()));
    }

    // SSL must be the only mode when it is requested at all.
    if (sessionTrackingModes.contains(SessionTrackingMode.SSL)
            && sessionTrackingModes.size() > 1) {
        throw new IllegalArgumentException(sm.getString(
                "applicationContext.setSessionTracking.iae.ssl",
                getContextPath()));
    }

    this.sessionTrackingModes = sessionTrackingModes;
}
 
Example #9
Source File: ApplicationContextFacade.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Forwards the requested session tracking modes to the wrapped context.
 * <p>
 * With package protection enabled the call goes through
 * {@code doPrivileged} (defined elsewhere in this class); otherwise the
 * wrapped context is called directly. Validation of the modes is left to
 * the wrapped context.
 *
 * @param sessionTrackingModes the tracking modes to apply
 */
@Override
public void setSessionTrackingModes(
        Set<SessionTrackingMode> sessionTrackingModes) {
    if (!SecurityUtil.isPackageProtectionEnabled()) {
        context.setSessionTrackingModes(sessionTrackingModes);
        return;
    }
    Object[] arguments = new Object[]{sessionTrackingModes};
    doPrivileged("setSessionTrackingModes", arguments);
}
 
Example #10
Source File: ApplicationContextFacade.java    From Tomcat8-Source-Read with MIT License
/**
 * Applies the given session tracking modes to the wrapped context, either
 * directly or, when package protection is enabled, through
 * {@code doPrivileged} (defined elsewhere in this class).
 *
 * @param sessionTrackingModes the tracking modes to apply
 */
@Override
public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) {
    final boolean packageProtected = SecurityUtil.isPackageProtectionEnabled();
    if (packageProtected) {
        // The single argument is boxed into an array for the reflective call.
        doPrivileged("setSessionTrackingModes",
                new Object[]{sessionTrackingModes});
        return;
    }
    context.setSessionTrackingModes(sessionTrackingModes);
}
 
Example #11
Source File: ApplicationContextFacade.java    From Tomcat8-Source-Read with MIT License
/**
 * Returns the effective session tracking modes reported by the wrapped
 * context, going through {@code doPrivileged} (defined elsewhere in this
 * class) when package protection is enabled.
 *
 * @return the effective session tracking modes
 */
@Override
@SuppressWarnings("unchecked") // doPrivileged() returns the correct type
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    final boolean packageProtected = SecurityUtil.isPackageProtectionEnabled();
    return packageProtected
            ? (Set<SessionTrackingMode>) doPrivileged("getEffectiveSessionTrackingModes", null)
            : context.getEffectiveSessionTrackingModes();
}
 
Example #12
Source File: SpringWebinitializer.java    From Spring-5.0-Cookbook with MIT License
/**
 * Creates the root Spring application context, registers it with the
 * servlet container and restricts session tracking to cookies.
 *
 * @param container the servlet context being initialised
 */
private void addRootContext(ServletContext container) {
    // Build the root context from the annotated configuration class.
    AnnotationConfigWebApplicationContext rootContext =
            new AnnotationConfigWebApplicationContext();
    rootContext.register(SpringContextConfig.class);

    // Hand the root context to the container through ContextLoaderListener.
    ContextLoaderListener loaderListener = new ContextLoaderListener(rootContext);
    container.addListener(loaderListener);
    container.setInitParameter("contextConfigLocation", "org.packt.web.reactor.security.config");

    // Cookie-only tracking keeps the session ID out of URLs. If URL were
    // used instead, URL rewriting would have to be enabled in the session
    // management configuration as well.
    EnumSet<SessionTrackingMode> cookieOnly = EnumSet.of(SessionTrackingMode.COOKIE);
    container.setSessionTrackingModes(cookieOnly);
}
 
Example #13
Source File: TesterRequest.java    From Tomcat8-Source-Read with MIT License
/**
 * Creates a test request backed by a {@code TesterContext} and a
 * {@code TesterServletContext}.
 *
 * @param withSession when {@code true}, URL and COOKIE tracking are enabled
 *                    on the servlet context and a valid session with the
 *                    fixed ID {@code "1234"} is attached
 */
public TesterRequest(boolean withSession) {
    context = new TesterContext();
    servletContext = new TesterServletContext();
    context.setServletContext(servletContext);

    if (!withSession) {
        return;
    }

    // Enable both URL and cookie tracking for the test servlet context.
    Set<SessionTrackingMode> trackingModes = new HashSet<>();
    trackingModes.add(SessionTrackingMode.URL);
    trackingModes.add(SessionTrackingMode.COOKIE);
    servletContext.setSessionTrackingModes(trackingModes);

    // Fixed, predictable session ID: acceptable only because this is a test double.
    session = new StandardSession(null);
    session.setId("1234", false);
    session.setValid(true);
}
 
Example #14
Source File: HttpServletResponseImpl.java    From quarkus-http with Apache License 2.0
/**
 * Decides whether the given URL should have a session identifier encoded
 * into it.
 * <p>
 * The URL is rejected when it is {@code null}, when it is an
 * intra-document reference (starts with {@code #}), when URL is not one of
 * the effective session tracking modes, when there is no current session,
 * when the requested session ID arrived in a cookie, or when the ID was
 * not requested via the URL and the session is not new. Everything else is
 * delegated to {@code doIsEncodeable}.
 * <p>
 * Security note: these checks keep the session ID out of URLs for clients
 * that already returned it in a cookie and for deployments that have
 * disabled URL tracking.
 *
 * @param location Absolute URL to be validated
 * @return {@code true} if the URL should carry the session identifier
 */
private boolean isEncodeable(final String location) {

    // Nothing to encode for a missing URL or a same-document fragment.
    if (location == null) {
        return false;
    }
    if (location.startsWith("#")) {
        return false;
    }

    final HttpServletRequestImpl originalRequest =
            exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getOriginalRequest();

    // URL rewriting must be an effective tracking mode for this deployment.
    final boolean urlTrackingAllowed = originalServletContext
            .getEffectiveSessionTrackingModes()
            .contains(SessionTrackingMode.URL);
    if (!urlTrackingAllowed) {
        return false;
    }

    final HttpSession current = originalRequest.getSession(false);
    if (current == null) {
        return false;
    }
    // A client that sent the ID in a cookie does not need it in the URL.
    if (originalRequest.isRequestedSessionIdFromCookie()) {
        return false;
    }
    // Otherwise encode only if the ID came from the URL or the session is new.
    final boolean fromUrlOrNew =
            originalRequest.isRequestedSessionIdFromURL() || current.isNew();
    if (!fromUrlOrNew) {
        return false;
    }

    return doIsEncodeable(originalRequest, current, location);
}
 
Example #15
Source File: DefaultWebApplicationTest.java    From piranha with BSD 3-Clause "New" or "Revised" License
/**
 * Verifies that a tracking mode passed to {@code setSessionTrackingModes}
 * is reported by {@code getEffectiveSessionTrackingModes}.
 */
@Test
public void testGetEffectiveSessionTrackingModes() {
    DefaultWebApplication application = new DefaultWebApplication();
    application.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));

    Set<SessionTrackingMode> effective = application.getEffectiveSessionTrackingModes();
    assertTrue(effective.contains(SessionTrackingMode.URL));
}
 
Example #16
Source File: ApplicationContext.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Returns the tracking modes that were explicitly set, falling back to the
 * defaults when none were set.
 * <p>
 * NOTE(review): the set held by this context is returned directly, not a
 * copy or an unmodifiable view.
 *
 * @return the supplied modes if previously set, otherwise the defaults
 */
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    if (sessionTrackingModes == null) {
        return defaultSessionTrackingModes;
    }
    return sessionTrackingModes;
}
 
Example #17
Source File: ApplicationContext.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Validates and stores the session tracking modes for this context.
 * <p>
 * NOTE(review): the caller's set is stored by reference after validation;
 * later changes to that set by the caller are not re-validated.
 *
 * @param sessionTrackingModes the requested tracking modes
 * @throws IllegalStateException if the context has already been initialised
 * @throws IllegalArgumentException If SSL is requested in combination with
 *                                  anything else or if an unsupported
 *                                  tracking mode is requested
 */
@Override
public void setSessionTrackingModes(
        Set<SessionTrackingMode> sessionTrackingModes) {

    // Only allowed while the context is still in its preparation state.
    if (!LifecycleState.STARTING_PREP.equals(context.getState())) {
        throw new IllegalStateException(
                sm.getString("applicationContext.setSessionTracking.ise",
                        getContextPath()));
    }

    // Every requested mode has to be one this context supports.
    for (SessionTrackingMode candidate : sessionTrackingModes) {
        boolean supported = supportedSessionTrackingModes.contains(candidate);
        if (!supported) {
            throw new IllegalArgumentException(sm.getString(
                    "applicationContext.setSessionTracking.iae.invalid",
                    candidate.toString(), getContextPath()));
        }
    }

    // SSL tracking is exclusive: it may not be mixed with other modes.
    boolean sslRequested = sessionTrackingModes.contains(SessionTrackingMode.SSL);
    if (sslRequested && sessionTrackingModes.size() > 1) {
        throw new IllegalArgumentException(sm.getString(
                "applicationContext.setSessionTracking.iae.ssl",
                getContextPath()));
    }

    this.sessionTrackingModes = sessionTrackingModes;
}
 
Example #18
Source File: ServletContextImpl.java    From lams with GNU General Public License v2.0
/**
 * Stores a copy of the requested session tracking modes.
 * <p>
 * The call is rejected by {@code ensureNotProgramaticListener()} and
 * {@code ensureNotInitialized()} (both defined elsewhere in this class)
 * when their conditions are not met, and SSL may not be combined with any
 * other mode.
 * <p>
 * NOTE(review): no check of the requested modes against a supported set is
 * visible in this method.
 *
 * @param sessionTrackingModes the requested tracking modes
 */
@Override
public void setSessionTrackingModes(final Set<SessionTrackingMode> sessionTrackingModes) {
    ensureNotProgramaticListener();
    ensureNotInitialized();

    // SSL tracking is only valid on its own.
    if (sessionTrackingModes.size() > 1) {
        if (sessionTrackingModes.contains(SessionTrackingMode.SSL)) {
            throw UndertowServletMessages.MESSAGES.sslCannotBeCombinedWithAnyOtherMethod();
        }
    }

    // Defensive copy: later changes to the caller's set do not affect this context.
    this.sessionTrackingModes = new HashSet<>(sessionTrackingModes);
    //TODO: actually make this work
}
 
Example #19
Source File: DefaultHttpSessionManager.java    From piranha with BSD 3-Clause "New" or "Revised" License
/**
 * Creates a session manager with empty listener lists, an empty session
 * map, the cookie name {@code JSESSIONID}, a session timeout of 10 and
 * COOKIE as the only default session tracking mode.
 * <p>
 * With COOKIE as the sole default, session IDs are not placed in URLs
 * unless the tracking modes are changed afterwards.
 */
public DefaultHttpSessionManager() {
    // Listener registries, each sized for a single listener.
    attributeListeners = new ArrayList<>(1);
    idListeners = new ArrayList<>(1);
    sessionListeners = new ArrayList<>(1);

    // Session identification and tracking defaults.
    name = "JSESSIONID";
    defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.COOKIE);

    // Timeout unit is not visible here; see where sessionTimeout is consumed.
    sessionTimeout = 10;

    sessions = new ConcurrentHashMap<>();
}
 
Example #20
Source File: ServletContextImpl.java    From quarkus-http with Apache License 2.0
/**
 * Records the requested session tracking modes as a private copy, after
 * the two {@code ensure...} guards (defined elsewhere in this class) have
 * passed and after rejecting SSL combined with any other mode.
 * <p>
 * NOTE(review): the requested modes are not compared against a supported
 * set in this method.
 *
 * @param sessionTrackingModes the requested tracking modes
 */
@Override
public void setSessionTrackingModes(final Set<SessionTrackingMode> sessionTrackingModes) {
    ensureNotProgramaticListener();
    ensureNotInitialized();

    final boolean sslMixedWithOthers = sessionTrackingModes.size() > 1
            && sessionTrackingModes.contains(SessionTrackingMode.SSL);
    if (sslMixedWithOthers) {
        throw UndertowServletMessages.MESSAGES.sslCannotBeCombinedWithAnyOtherMethod();
    }

    // Copy so that the caller cannot alter the stored modes afterwards.
    final HashSet<SessionTrackingMode> copy = new HashSet<>(sessionTrackingModes);
    this.sessionTrackingModes = copy;
    //TODO: actually make this work
}
 
Example #21
Source File: ApplicationContextFacade.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Returns the default session tracking modes of the wrapped context.
 * <p>
 * When package protection is enabled the lookup is routed through
 * {@code doPrivileged} (defined elsewhere in this class).
 *
 * @return the default session tracking modes
 */
@Override
@SuppressWarnings("unchecked") // doPrivileged() returns the correct type
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
    if (!SecurityUtil.isPackageProtectionEnabled()) {
        return context.getDefaultSessionTrackingModes();
    }
    return (Set<SessionTrackingMode>)
            doPrivileged("getDefaultSessionTrackingModes", null);
}
 
Example #22
Source File: SpringWebInitializer.java    From Spring-5.0-Cookbook with MIT License
/**
 * Sets up the root Spring application context, registers the context
 * loader and the application session listener with the container, and
 * limits session tracking to cookies.
 *
 * @param container the servlet context being initialised
 */
private void addRootContext(ServletContext container) {
    // Root context built from the annotated configuration class.
    AnnotationConfigWebApplicationContext rootContext =
            new AnnotationConfigWebApplicationContext();
    rootContext.register(SpringContextConfig.class);

    // Listeners: the context loader first, then the session listener.
    ContextLoaderListener contextLoader = new ContextLoaderListener(rootContext);
    container.addListener(contextLoader);
    AppSessionListener sessionListener = new AppSessionListener();
    container.addListener(sessionListener);

    container.setInitParameter("contextConfigLocation", "org.packt.secured.mvc.core");

    // COOKIE only, so the session ID is not written into URLs. Switching to
    // URL would also require enabling URL rewriting in session management.
    EnumSet<SessionTrackingMode> cookieOnly = EnumSet.of(SessionTrackingMode.COOKIE);
    container.setSessionTrackingModes(cookieOnly);
}
 
Example #23
Source File: NoServletContext.java    From ambari-logsearch with Apache License 2.0
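/**
 * Returns the default session tracking modes of this context, of which
 * there are none.
 *
 * @return an empty, immutable set; never {@code null}
 */
@Override
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
  // Empty set instead of null: callers commonly chain contains(...) on the
  // result, which would otherwise fail with a NullPointerException.
  return java.util.Collections.emptySet();
}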
 
Example #24
Source File: MockServletContext.java    From arctic-sea with Apache License 2.0
/**
 * Not implemented by this mock.
 *
 * @param set the requested tracking modes (ignored)
 * @throws UnsupportedOperationException always
 */
@Override
public void setSessionTrackingModes(Set<SessionTrackingMode> set) {
    final String message = "Not supported yet.";
    throw new UnsupportedOperationException(message);
}
 
Example #25
Source File: NettyEmbeddedContext.java    From Jinx with Apache License 2.0
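/**
 * Returns the default session tracking modes of this context. None are
 * reported.
 *
 * @return an empty, immutable set; never {@code null}
 */
@Override
public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
    // Returning an empty set rather than null keeps callers that iterate
    // over the result or call contains(...) on it from failing.
    return java.util.Collections.emptySet();
}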
 
Example #26
Source File: ServletContextImpl.java    From lams with GNU General Public License v2.0
/**
 * Returns a read-only view of the effective session tracking modes, after
 * the {@code ensureNotProgramaticListener()} guard (defined elsewhere in
 * this class) has passed.
 *
 * @return an unmodifiable view of the stored tracking modes
 */
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    ensureNotProgramaticListener();
    // Wrapped so that callers cannot modify the stored set through the result.
    final Set<SessionTrackingMode> readOnlyView =
            Collections.unmodifiableSet(sessionTrackingModes);
    return readOnlyView;
}
 
Example #27
Source File: JspCServletContext.java    From Tomcat7.0.67 with Apache License 2.0
/**
 * Reports that no session tracking mode is in effect.
 *
 * @return a new, empty set of tracking modes
 */
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
    final EnumSet<SessionTrackingMode> none = EnumSet.noneOf(SessionTrackingMode.class);
    return none;
}
 
Example #28
Source File: NoServletContext.java    From ambari-logsearch with Apache License 2.0
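/**
 * Returns the effective session tracking modes of this context, of which
 * there are none.
 *
 * @return an empty, immutable set; never {@code null}
 */
@Override
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
  // Empty set instead of null so that a caller testing for a mode with
  // contains(...) gets "false" rather than a NullPointerException.
  return java.util.Collections.emptySet();
}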
 
Example #29
Source File: NoServletContext.java    From ambari-logsearch with Apache License 2.0
/**
 * Accepts the requested session tracking modes and discards them.
 *
 * @param sessionTrackingModes the requested tracking modes (ignored)
 */
@Override
public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) {
  // Intentionally empty: the argument is neither validated nor stored.
}
 
Example #30
Source File: ServletContextImpl.java    From lams with GNU General Public License v2.0
/**
 * Sets both the default and the current session tracking modes to the
 * given set.
 * <p>
 * NOTE(review): the same instance is stored in both fields without a copy,
 * so the two fields and the caller's reference all alias one mutable set.
 * No guard or validation is applied in this method.
 *
 * @param sessionTrackingModes the modes to use as default and current
 */
public void setDefaultSessionTrackingModes(HashSet<SessionTrackingMode> sessionTrackingModes) {
    final HashSet<SessionTrackingMode> modes = sessionTrackingModes;
    this.defaultSessionTrackingModes = modes;
    this.sessionTrackingModes = modes;
}