io.undertow.servlet.spec.HttpSessionImpl Java Examples

Example #1
Source File: ServletFormAuthenticationMechanism.java    From quarkus-http with Apache License 2.0 6 votes vote down vote up
/**
 * Records where the user was heading so the request can be replayed after login, taking the
 * request body from the caller instead of reading it from the exchange.
 * Intended for the case where the request data has already been consumed and can no longer
 * be captured from the exchange itself.
 *
 * @param exchange      the current exchange; a session is created for it if none exists
 * @param bytes         the request body that was already read, or {@code null} to let
 *                      {@code SavedRequest} capture the request from the exchange
 * @param contentLength length handed to {@code SavedRequest} together with {@code bytes}
 */
protected void storeInitialLocation(final HttpServerExchange exchange, byte[] bytes, int contentLength) {
    if (saveOriginalRequest) {
        final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        // getSession(exchange, true) creates a session for a caller that has not logged in yet.
        final HttpSessionImpl wrapper = requestContext.getCurrentServletContext().getSession(exchange, true);
        // The unwrap is performed as a privileged action only when a SecurityManager is installed.
        final Session underlying = System.getSecurityManager() == null
                ? wrapper.getSession()
                : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));

        // Register LISTENER once per session manager; add() reports whether the manager is new.
        final SessionManager sessionManager = underlying.getSessionManager();
        if (seenSessionManagers.add(sessionManager)) {
            sessionManager.registerSessionListener(LISTENER);
        }

        // The stored location is derived from the exchange's relative path.
        underlying.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));

        if (bytes != null) {
            SavedRequest.trySaveRequest(exchange, bytes, contentLength);
        } else {
            SavedRequest.trySaveRequest(exchange);
        }
    }
}
 
Example #2
Source File: SavedRequest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Moves a request saved under {@code SESSION_KEY} back to the attribute name Undertow's own
 * {@code SavedRequest} uses, then delegates the restore to Undertow.
 * Does nothing unless {@code session} is an {@link HttpSessionImpl} and a saved request exists.
 *
 * @param exchange the exchange the saved request should be restored into
 * @param session  the servlet session that may hold a saved request
 */
public static void tryRestoreRequest(final HttpServerExchange exchange, HttpSession session) {
    if (!(session instanceof HttpSessionImpl)) {
        return;
    }

    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlyingSession = System.getSecurityManager() == null
            ? ((HttpSessionImpl) session).getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));

    // removeAttribute both reads and clears the entry kept under SESSION_KEY.
    final io.undertow.servlet.util.SavedRequest saved =
            (io.undertow.servlet.util.SavedRequest) underlyingSession.removeAttribute(SESSION_KEY);
    if (saved == null) {
        return;
    }

    underlyingSession.setAttribute(io.undertow.servlet.util.SavedRequest.class.getName(), saved);
    io.undertow.servlet.util.SavedRequest.tryRestoreRequest(exchange, session);
}
 
Example #3
Source File: ChangeSessionId.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Asks the underlying Undertow session to change its ID.
 * NOTE(review): presumably called around login to counter session fixation; confirm against callers.
 *
 * @param exchange the current exchange
 * @param create   whether a session should be created when the exchange has none
 * @return the value returned by the underlying session's {@code changeSessionId}, or
 *         {@code null} when no session is available
 */
public static String changeSessionId(HttpServerExchange exchange, boolean create) {
    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final ServletContextImpl servletContext = requestContext.getCurrentServletContext();
    final HttpSessionImpl wrapper = servletContext.getSession(exchange, create);
    if (wrapper == null) {
        // No session exists and none was created, so there is no ID to change.
        return null;
    }

    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlyingSession = System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));

    return underlyingSession.changeSessionId(exchange, servletContext.getSessionConfig());
}
 
Example #4
Source File: SessionListenerBridge.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Forwards an attribute replacement on the Undertow session to the servlet-level listeners.
 * Attributes whose name starts with {@code IO_UNDERTOW} are not reported.
 *
 * @param session the Undertow session whose attribute changed
 * @param name    the attribute name
 * @param value   the new attribute value
 * @param old     the previous attribute value
 */
@Override
public void attributeUpdated(final Session session, final String name, final Object value, final Object old) {
    final boolean internalAttribute = name.startsWith(IO_UNDERTOW);
    if (internalAttribute) {
        return;
    }

    final HttpSessionImpl servletSession = SecurityActions.forSession(session, servletContext, false);

    // Reference comparison: re-setting the very same object is not reported as a replacement.
    if (old != value) {
        if (old instanceof HttpSessionBindingListener) {
            final HttpSessionBindingEvent unbound = new HttpSessionBindingEvent(servletSession, name, old);
            ((HttpSessionBindingListener) old).valueUnbound(unbound);
        }
        applicationListeners.httpSessionAttributeReplaced(servletSession, name, old);
    }

    // The new value is told it is bound even when it is the same object as before.
    if (value instanceof HttpSessionBindingListener) {
        final HttpSessionBindingEvent bound = new HttpSessionBindingEvent(servletSession, name, value);
        ((HttpSessionBindingListener) value).valueBound(bound);
    }
}
 
Example #5
Source File: ServletFormAuthenticationMechanism.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Sends the client back to the location stored in the session under {@code SESSION_KEY}.
 * Nothing happens when there is no session or no stored location. The target is read from
 * the session here, not from a request parameter.
 *
 * @param exchange the current exchange
 * @throws RuntimeException wrapping the {@link IOException} if the redirect cannot be sent
 */
@Override
protected void handleRedirectBack(final HttpServerExchange exchange) {
    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpServletResponse response = (HttpServletResponse) requestContext.getServletResponse();
    // create == false: only an existing session can carry a stored location.
    final HttpSessionImpl wrapper = requestContext.getCurrentServletContext().getSession(exchange, false);
    if (wrapper == null) {
        return;
    }

    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlying = System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));

    final String target = (String) underlying.getAttribute(SESSION_KEY);
    if (target == null) {
        return;
    }

    try {
        response.sendRedirect(target);
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
}
 
Example #6
Source File: ServletFormAuthenticationMechanism.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Stores the originally requested location in the session and saves the request using a
 * body supplied by the caller rather than one read from the exchange.
 * Use this when the request data was already read and cannot be captured again.
 *
 * @param exchange      the current exchange; a session is created for it if none exists
 * @param bytes         the already-read request body, or {@code null} to fall back to
 *                      {@code SavedRequest.trySaveRequest(exchange)}
 * @param contentLength length passed on with {@code bytes}
 */
protected void storeInitialLocation(final HttpServerExchange exchange, byte[] bytes, int contentLength) {
    if (!saveOriginalRequest) {
        // Saving the original request is switched off.
        return;
    }

    final ServletRequestContext ctx = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    // A session is created here even though the caller has not authenticated yet.
    final HttpSessionImpl servletSession = ctx.getCurrentServletContext().getSession(exchange, true);

    final Session rawSession;
    if (System.getSecurityManager() != null) {
        // With a SecurityManager installed, the unwrap runs as a privileged action.
        rawSession = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(servletSession));
    } else {
        rawSession = servletSession.getSession();
    }

    // add() returns true only the first time a manager is seen, so LISTENER is registered once.
    final SessionManager owner = rawSession.getSessionManager();
    if (seenSessionManagers.add(owner)) {
        owner.registerSessionListener(LISTENER);
    }

    rawSession.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));

    if (bytes == null) {
        SavedRequest.trySaveRequest(exchange);
        return;
    }
    SavedRequest.trySaveRequest(exchange, bytes, contentLength);
}
 
Example #7
Source File: JsrWebSocketFilter.java    From quarkus-http with Apache License 2.0 6 votes vote down vote up
/**
 * Closes every websocket connection recorded in the destroyed HTTP session under
 * {@code SESSION_ATTRIBUTE}, using the {@code VIOLATED_POLICY} close code.
 *
 * @param se the session event; its session is cast to {@link HttpSessionImpl}
 */
@Override
public void sessionDestroyed(HttpSessionEvent se) {
    final HttpSessionImpl httpSession = (HttpSessionImpl) se.getSession();

    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlying = System.getSecurityManager() == null
            ? httpSession.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));

    final List<UndertowSession> connections = (List<UndertowSession>) underlying.getAttribute(SESSION_ATTRIBUTE);
    if (connections == null) {
        return;
    }

    // The list is walked while holding the underlying session's monitor.
    synchronized (underlying) {
        for (UndertowSession connection : connections) {
            try {
                connection.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, ""));
            } catch (IOException e) {
                // A failed close is logged and the remaining connections are still closed.
                UndertowLogger.REQUEST_IO_LOGGER.ioException(e);
            }
        }
    }
}
 
Example #8
Source File: SessionListenerBridge.java    From quarkus-http with Apache License 2.0 6 votes vote down vote up
/**
 * Translates an attribute update on the Undertow session into servlet listener callbacks.
 * Names starting with {@code IO_UNDERTOW} are skipped and never reach application listeners.
 *
 * @param session the Undertow session that was modified
 * @param name    name of the attribute
 * @param value   value now stored under {@code name}
 * @param old     value previously stored under {@code name}
 */
@Override
public void attributeUpdated(final Session session, final String name, final Object value, final Object old) {
    if (!name.startsWith(IO_UNDERTOW)) {
        final HttpSessionImpl facade = SecurityActions.forSession(session, servletContext, false);

        // Identity check: only a different object counts as a replacement.
        final boolean replaced = old != value;
        if (replaced && old instanceof HttpSessionBindingListener) {
            ((HttpSessionBindingListener) old).valueUnbound(new HttpSessionBindingEvent(facade, name, old));
        }
        if (replaced) {
            applicationListeners.httpSessionAttributeReplaced(facade, name, old);
        }

        // valueBound is delivered to the new value regardless of whether it replaced anything.
        if (value instanceof HttpSessionBindingListener) {
            ((HttpSessionBindingListener) value).valueBound(new HttpSessionBindingEvent(facade, name, value));
        }
    }
}
 
Example #9
Source File: ServletFormAuthenticationMechanism.java    From quarkus-http with Apache License 2.0 6 votes vote down vote up
/**
 * Redirects the response to the location kept in the session under {@code SESSION_KEY}.
 * Without a session, or without a stored location, no redirect is issued. The redirect
 * target comes from the session attribute, not from request input read in this method.
 *
 * @param exchange the current exchange
 * @throws RuntimeException wrapping the {@link IOException} raised by {@code sendRedirect}
 */
@Override
protected void handleRedirectBack(final HttpServerExchange exchange) {
    final ServletRequestContext ctx = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpServletResponse servletResponse = (HttpServletResponse) ctx.getServletResponse();
    // Passing false means a missing session is reported as null rather than created.
    final HttpSessionImpl servletSession = ctx.getCurrentServletContext().getSession(exchange, false);
    if (servletSession == null) {
        return;
    }

    final Session rawSession;
    if (System.getSecurityManager() != null) {
        // With a SecurityManager installed, the unwrap runs as a privileged action.
        rawSession = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(servletSession));
    } else {
        rawSession = servletSession.getSession();
    }

    final String location = (String) rawSession.getAttribute(SESSION_KEY);
    if (location != null) {
        try {
            servletResponse.sendRedirect(location);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
 
Example #10
Source File: SessionRestoringHandler.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Restores persisted session attributes for the session ID presented by the request, then
 * passes the request on to the next handler.
 * The lookup key is the session ID found in the incoming exchange; persisted data whose
 * expiration time has passed is dropped without being restored.
 *
 * @param exchange the current exchange
 * @throws Exception whatever the next handler throws
 */
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
    final String incomingSessionId = servletContext.getSessionConfig().findSessionId(exchange);
    final boolean hasPersistedData = incomingSessionId != null && data.containsKey(incomingSessionId);
    if (!hasPersistedData) {
        next.handleRequest(exchange);
        return;
    }

    // remove() may still return null here, so the result is checked again.
    final PersistentSession persisted = data.remove(incomingSessionId);
    if (persisted != null && System.currentTimeMillis() < persisted.getExpiration().getTime()) {
        final HttpSessionImpl session = servletContext.getSession(exchange, true);
        final HttpSessionEvent activation = new HttpSessionEvent(session);
        for (Map.Entry<String, Object> attribute : persisted.getSessionData().entrySet()) {
            final String key = attribute.getKey();
            final Object stored = attribute.getValue();

            // Activation listeners are notified before their value is put back into the session.
            if (stored instanceof HttpSessionActivationListener) {
                ((HttpSessionActivationListener) stored).sessionDidActivate(activation);
            }
            // Names with the IO_UNDERTOW prefix are written to the underlying session directly;
            // everything else goes through the servlet session wrapper.
            if (key.startsWith(HttpSessionImpl.IO_UNDERTOW)) {
                session.getSession().setAttribute(key, stored);
            } else {
                session.setAttribute(key, stored);
            }
        }
    }
    next.handleRequest(exchange);
}
 
Example #11
Source File: ServletSamlSessionStore.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Saves the current request and remembers its full URI in the session under
 * {@code SAML_REDIRECT_URI}.
 * NOTE(review): when the request URI carries no host, scheme and host are taken from the
 * exchange; if those reflect the client-supplied Host header, the stored redirect target is
 * client-influenced. Confirm that host validation happens before this point.
 */
@Override
public void saveRequest() {
    SavedRequest.trySaveRequest(exchange);

    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    // A session is created if the exchange does not have one yet.
    final HttpSessionImpl httpSession = requestContext.getCurrentServletContext().getSession(exchange, true);

    final KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(exchange.getRequestURI())
            .replaceQuery(exchange.getQueryString());
    if (!exchange.isHostIncludedInRequestURI()) {
        // The request URI is relative, so scheme and host[:port] are filled in from the exchange.
        builder.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort());
    }

    httpSession.setAttribute(SAML_REDIRECT_URI, builder.build().toString());
}
 
Example #12
Source File: ServletSamlSessionStore.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the redirect URI remembered in the session under {@code SAML_REDIRECT_URI}, or a
 * fallback computed by {@code SamlUtil.getRedirectTo} from the context path when none is stored.
 * Note that the lookup itself creates a session if the exchange has none.
 *
 * @return the stored redirect URI, or the computed fallback
 */
@Override
public String getRedirectUri() {
    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpSessionImpl httpSession = requestContext.getCurrentServletContext().getSession(exchange, true);

    final String stored = (String) httpSession.getAttribute(SAML_REDIRECT_URI);
    if (stored != null) {
        return stored;
    }

    // Nothing stored: build a base URI from the request URL with the path replaced by the
    // context path and let SamlUtil choose the target.
    final ServletHttpFacade httpFacade = new ServletHttpFacade(exchange);
    final HttpServletRequest servletRequest = (HttpServletRequest) requestContext.getServletRequest();
    final String contextPath = servletRequest.getContextPath();
    final String baseUri = KeycloakUriBuilder.fromUri(servletRequest.getRequestURL().toString())
            .replacePath(contextPath)
            .build()
            .toString();
    return SamlUtil.getRedirectTo(httpFacade, contextPath, baseUri);
}
 
Example #13
Source File: ServletSingleSignOnAuthenticationMechanism.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the underlying Undertow session for the exchange, creating a servlet session
 * first if none exists.
 *
 * @param exchange the current exchange
 * @return the unwrapped Undertow session
 */
@Override
protected Session getSession(HttpServerExchange exchange) {
    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpSessionImpl wrapper = requestContext.getCurrentServletContext().getSession(exchange, true);
    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    return System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));
}
 
Example #14
Source File: SavedRequest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Lets Undertow save the current request, then moves the saved request from Undertow's own
 * attribute name to {@code SESSION_KEY} in the underlying session.
 * If Undertow stored nothing, the session is left as it is.
 *
 * @param exchange the current exchange; a session is created for it if none exists
 */
public static void trySaveRequest(final HttpServerExchange exchange) {
    io.undertow.servlet.util.SavedRequest.trySaveRequest(exchange);

    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpSessionImpl wrapper = requestContext.getCurrentServletContext().getSession(exchange, true);

    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlyingSession = System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));

    // Take the entry out from under Undertow's key so that it is only reachable via SESSION_KEY.
    final io.undertow.servlet.util.SavedRequest saved = (io.undertow.servlet.util.SavedRequest)
            underlyingSession.removeAttribute(io.undertow.servlet.util.SavedRequest.class.getName());
    if (saved != null) {
        underlyingSession.setAttribute(SESSION_KEY, saved);
    }
}
 
Example #15
Source File: SsoHandler.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Tells the authentication mechanism where to redirect after log in by storing the URL in
 * the underlying session under {@code SsoHandler.REDIRECT_KEY}. Based on the
 * ServletFormAuthenticationMechanism method.
 *
 * NOTE(review): only CR and LF are rejected here. Whether {@code redirectURL} is also limited
 * to same-site targets is not visible in this method; confirm against the caller so the
 * stored value cannot be used as an open redirect.
 *
 * @param context     the current servlet request context
 * @param redirectURL the URL to redirect to after log in
 * @throws SecurityException if {@code redirectURL} contains a carriage return or line feed
 */
private static void handleRedirectBack(ServletRequestContext context, String redirectURL) {
    /*
     * Prevent HTTP Response Splitting attack by sanitizing redirectURL.
     * The attack was possible by changing action of login form to, for example,
     * "j_security_check?redirectURL=%0d%0aAppScanHeader:%20AppScanValue%2f1%2e2%2d3%0d%0aSecondAppScanHeader:%20whatever"
     * Putting it in redirectURL form field or using another GET parameter ("something", "j_username") did not work.
     * The result was a split HTTP response with AppScanHeader and SecondAppScanHeader set, resulting in a security
     * threat.
     */
    final boolean hasLineBreak = redirectURL.contains("\n") || redirectURL.contains("\r");
    if (hasLineBreak) {
        throw new SecurityException(
                "redirectURL contains forbidden characters: \\n or \\r. Possible HTTP Response Splitting attack.");
    }

    final HttpSessionImpl wrapper = context.getCurrentServletContext().getSession(context.getExchange(), true);
    if (wrapper == null) {
        return;
    }

    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlying = System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));

    underlying.setAttribute(SsoHandler.REDIRECT_KEY, redirectURL);
}
 
Example #16
Source File: SecurityActions.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Calls {@code HttpSessionImpl.forSession}, running it as a privileged action when a
 * SecurityManager is installed.
 *
 * @param session        the Undertow session to wrap
 * @param servletContext the servlet context passed through to {@code HttpSessionImpl.forSession}
 * @param newSession     passed through to {@code HttpSessionImpl.forSession}
 * @return the result of {@code HttpSessionImpl.forSession}
 */
static HttpSessionImpl forSession(final Session session, final ServletContext servletContext, final boolean newSession) {
    if (System.getSecurityManager() != null) {
        final PrivilegedAction<HttpSessionImpl> wrapAction = new PrivilegedAction<HttpSessionImpl>() {
            @Override
            public HttpSessionImpl run() {
                return HttpSessionImpl.forSession(session, servletContext, newSession);
            }
        };
        return AccessController.doPrivileged(wrapAction);
    }
    // No SecurityManager: the direct call is equivalent.
    return HttpSessionImpl.forSession(session, servletContext, newSession);
}
 
Example #17
Source File: SessionListenerBridge.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Reports the removal of a session attribute to the servlet-level listeners.
 * Names starting with {@code IO_UNDERTOW} are skipped, and nothing is reported when the
 * removed value is {@code null}.
 *
 * @param session the Undertow session the attribute was removed from
 * @param name    the attribute name
 * @param old     the value that was removed
 */
@Override
public void attributeRemoved(final Session session, final String name, final Object old) {
    if (name.startsWith(IO_UNDERTOW)) {
        return;
    }
    final HttpSessionImpl servletSession = SecurityActions.forSession(session, servletContext, false);
    if (old == null) {
        return;
    }

    // Application listeners are told first, then the value itself if it listens for binding.
    applicationListeners.httpSessionAttributeRemoved(servletSession, name, old);
    if (old instanceof HttpSessionBindingListener) {
        final HttpSessionBindingEvent unbound = new HttpSessionBindingEvent(servletSession, name, old);
        ((HttpSessionBindingListener) old).valueUnbound(unbound);
    }
}
 
Example #18
Source File: CachedAuthenticatedSessionHandler.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Unwraps the Undertow session behind a servlet session.
 *
 * @param httpSession the servlet session wrapper
 * @return the underlying Undertow session
 */
protected Session underlyingSession(HttpSessionImpl httpSession) {
    if (System.getSecurityManager() != null) {
        // With a SecurityManager installed, the unwrap runs as a privileged action.
        return AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
    }
    return httpSession.getSession();
}
 
Example #19
Source File: SessionListenerBridge.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Reports a newly added session attribute to the servlet-level listeners.
 * Names starting with {@code IO_UNDERTOW} are not reported.
 *
 * @param session the Undertow session the attribute was added to
 * @param name    the attribute name
 * @param value   the value that was added
 */
@Override
public void attributeAdded(final Session session, final String name, final Object value) {
    final boolean internalAttribute = name.startsWith(IO_UNDERTOW);
    if (internalAttribute) {
        return;
    }

    final HttpSessionImpl servletSession = SecurityActions.forSession(session, servletContext, false);
    applicationListeners.httpSessionAttributeAdded(servletSession, name, value);

    // A value that listens for binding events is told it is now bound.
    if (value instanceof HttpSessionBindingListener) {
        final HttpSessionBindingEvent bound = new HttpSessionBindingEvent(servletSession, name, value);
        ((HttpSessionBindingListener) value).valueBound(bound);
    }
}
 
Example #20
Source File: SessionListenerBridge.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Notifies the application listeners that the session is destroyed, then removes every
 * attribute from the underlying session.
 *
 * @param session the Undertow session being destroyed
 */
private void doDestroy(Session session) {
    final HttpSessionImpl servletSession = SecurityActions.forSession(session, servletContext, false);
    applicationListeners.sessionDestroyed(servletSession);

    // Iterate over a snapshot of the names: the underlying attribute map is not guaranteed to
    // be concurrent, so removing while iterating it directly could throw a
    // ConcurrentModificationException.
    final HashSet<String> snapshot = new HashSet<>(session.getAttributeNames());
    for (String attributeName : snapshot) {
        session.removeAttribute(attributeName);
    }
}
 
Example #21
Source File: SessionListenerBridge.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Runs the destroy logic for a session and, if that session belongs to the current request,
 * detaches it from the request context.
 *
 * @param session  the Undertow session being destroyed
 * @param exchange the exchange passed to {@code destroyedAction} on timeout
 * @param reason   why the session is being destroyed
 * @throws RuntimeException wrapping any exception thrown by {@code destroyedAction}
 */
@Override
public void sessionDestroyed(final Session session, final HttpServerExchange exchange, final SessionDestroyedReason reason) {
    if (reason != SessionDestroyedReason.TIMEOUT) {
        doDestroy(session);
    } else {
        try {
            // On timeout the destroy goes through destroyedAction so that thread setup
            // actions are performed.
            destroyedAction.call(exchange, session);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    final ServletRequestContext current = SecurityActions.currentServletRequestContext();
    if (current == null) {
        return;
    }

    Session underlying = null;
    if (current.getSession() != null) {
        // The unwrap is performed as a privileged action only when a SecurityManager is installed.
        underlying = System.getSecurityManager() == null
                ? current.getSession().getSession()
                : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(current.getSession()));
    }

    // Identity check: clear the request's session only if it is the one just destroyed.
    if (underlying == session) {
        current.setSession(null);
    }
}
 
Example #22
Source File: SavedRequest.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Stores the given request body, together with the request method, relative path and
 * headers, in the underlying session under {@code SESSION_KEY}.
 * Nothing is saved when the configured maximum buffered request size is not positive or
 * when {@code length} exceeds it.
 *
 * @param exchange the current exchange; a session is created for it if none exists
 * @param buffer   the request body bytes
 * @param length   the body length that is compared against the configured maximum
 */
public static void trySaveRequest(final HttpServerExchange exchange, final byte[] buffer, int length) {
    final int limit = exchange.getConnection().getUndertowOptions().get(UndertowOptions.MAX_BUFFERED_REQUEST_SIZE, UndertowOptions.DEFAULT_MAX_BUFFERED_REQUEST_SIZE);
    if (limit <= 0) {
        return;
    }
    if (length > limit) {
        UndertowLogger.REQUEST_LOGGER.debugf("Request to %s was to large to save", exchange.getRequestURI());
        return; // too large to save; the request is simply not stored
    }

    //TODO: we should really be used pooled buffers
    //TODO: we should probably limit the number of saved requests at any given time

    // Copy of the request headers without Content-Length, Transfer-Encoding and Connection.
    // NOTE(review): this filtered copy is never used. The SavedRequest below is given
    // exchange.getRequestHeaders(), so the three framing headers are saved as well. Confirm
    // whether `headers` was meant to be passed instead.
    HeaderMap headers = new HeaderMap();
    for (HeaderValues entry : exchange.getRequestHeaders()) {
        final boolean framingHeader = entry.getHeaderName().equals(Headers.CONTENT_LENGTH)
                || entry.getHeaderName().equals(Headers.TRANSFER_ENCODING)
                || entry.getHeaderName().equals(Headers.CONNECTION);
        if (!framingHeader) {
            headers.putAll(entry.getHeaderName(), entry);
        }
    }

    final SavedRequest saved = new SavedRequest(buffer, length, exchange.getRequestMethod(), exchange.getRelativePath(), exchange.getRequestHeaders());

    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpSessionImpl wrapper = requestContext.getCurrentServletContext().getSession(exchange, true);
    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlyingSession = System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));
    underlyingSession.setAttribute(SESSION_KEY, saved);
}
 
Example #23
Source File: SecurityActions.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Obtains the servlet session wrapper for an Undertow session through
 * {@code HttpSessionImpl.forSession}; the call is made as a privileged action when a
 * SecurityManager is present.
 *
 * @param session        the Undertow session
 * @param servletContext the servlet context handed to {@code HttpSessionImpl.forSession}
 * @param newSession     handed to {@code HttpSessionImpl.forSession} unchanged
 * @return the wrapper returned by {@code HttpSessionImpl.forSession}
 */
static HttpSessionImpl forSession(final Session session, final ServletContext servletContext, final boolean newSession) {
    final boolean securityManagerPresent = System.getSecurityManager() != null;
    if (!securityManagerPresent) {
        return HttpSessionImpl.forSession(session, servletContext, newSession);
    }
    return AccessController.doPrivileged(new PrivilegedAction<HttpSessionImpl>() {
        @Override
        public HttpSessionImpl run() {
            // Same call as the direct path, made inside the privileged block.
            return HttpSessionImpl.forSession(session, servletContext, newSession);
        }
    });
}
 
Example #24
Source File: CachedAuthenticatedSessionHandler.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Removes the {@code ATTRIBUTE_NAME} entry from the exchange's underlying session.
 * No session is created if the exchange has none.
 *
 * @param exchange the current exchange
 */
@Override
public void clearSession(HttpServerExchange exchange) {
    // create == false: there is nothing to clear when no session exists.
    final HttpSessionImpl wrapper = servletContext.getSession(exchange, false);
    if (wrapper == null) {
        return;
    }
    underlyingSession(wrapper).removeAttribute(ATTRIBUTE_NAME);
}
 
Example #25
Source File: CachedAuthenticatedSessionHandler.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Returns the Undertow session wrapped by the given servlet session.
 *
 * @param httpSession the servlet session wrapper
 * @return the underlying Undertow session
 */
protected Session underlyingSession(HttpSessionImpl httpSession) {
    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    return System.getSecurityManager() == null
            ? httpSession.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
}
 
Example #26
Source File: SecurityActions.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Wraps an Undertow session via {@code HttpSessionImpl.forSession}, using a privileged
 * action if a SecurityManager is installed.
 *
 * @param session        the Undertow session to wrap
 * @param servletContext the servlet context given to {@code HttpSessionImpl.forSession}
 * @param newSession     given to {@code HttpSessionImpl.forSession} as is
 * @return what {@code HttpSessionImpl.forSession} returns
 */
static HttpSessionImpl forSession(final Session session, final ServletContext servletContext, final boolean newSession) {
    if (System.getSecurityManager() == null) {
        return HttpSessionImpl.forSession(session, servletContext, newSession);
    }

    // A SecurityManager is installed: make the same call inside doPrivileged.
    final PrivilegedAction<HttpSessionImpl> privilegedWrap = new PrivilegedAction<HttpSessionImpl>() {
        @Override
        public HttpSessionImpl run() {
            return HttpSessionImpl.forSession(session, servletContext, newSession);
        }
    };
    return AccessController.doPrivileged(privilegedWrap);
}
 
Example #27
Source File: SavedRequest.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Stores the given request body, together with the request method, relative path and a
 * filtered copy of the request headers, in the underlying session under {@code SESSION_KEY}.
 * Nothing is saved when the configured maximum buffered request size is not positive or
 * when {@code length} exceeds it.
 *
 * @param exchange the current exchange; a session is created for it if none exists
 * @param buffer   the request body bytes
 * @param length   the body length that is compared against the configured maximum
 */
public static void trySaveRequest(final HttpServerExchange exchange, final byte[] buffer, int length) {
    final int limit = exchange.getUndertowOptions().get(UndertowOptions.MAX_BUFFERED_REQUEST_SIZE, UndertowOptions.DEFAULT_MAX_BUFFERED_REQUEST_SIZE);
    if (limit <= 0) {
        return;
    }
    if (length > limit) {
        UndertowLogger.REQUEST_LOGGER.debugf("Request to %s was to large to save", exchange.getRequestURI());
        return; // too large to save; the request is simply not stored
    }

    //TODO: we should really be used pooled buffers
    //TODO: we should probably limit the number of saved requests at any given time

    // Copy the headers, leaving out Content-Length, Transfer-Encoding and Connection.
    // NOTE(review): `entry` is a String. If the HttpHeaderNames constants are not Strings
    // (Netty declares them as AsciiString), String.equals never matches and the three headers
    // are saved after all. Confirm the constant type and, if so, compare by content and
    // case-insensitively.
    final HttpHeaders headers = new DefaultHttpHeaders();
    for (String entry : exchange.getRequestHeaderNames()) {
        final boolean framingHeader = entry.equals(HttpHeaderNames.CONTENT_LENGTH)
                || entry.equals(HttpHeaderNames.TRANSFER_ENCODING)
                || entry.equals(HttpHeaderNames.CONNECTION);
        if (!framingHeader) {
            headers.set(entry, exchange.getRequestHeaders(entry));
        }
    }

    final SavedRequest saved = new SavedRequest(buffer, length, exchange.getRequestMethod(), exchange.getRelativePath(), headers);

    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final HttpSessionImpl wrapper = requestContext.getCurrentServletContext().getSession(exchange, true);
    // The unwrap is performed as a privileged action only when a SecurityManager is installed.
    final Session underlyingSession = System.getSecurityManager() == null
            ? wrapper.getSession()
            : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(wrapper));
    underlyingSession.setAttribute(SESSION_KEY, saved);
}
 
Example #28
Source File: SessionListenerBridge.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Destroys the given session and clears it from the current request context when the
 * request is still holding that same session.
 *
 * @param session  the Undertow session being destroyed
 * @param exchange the exchange handed to {@code destroyedAction} for timeouts
 * @param reason   the reason the session is destroyed
 * @throws RuntimeException wrapping any exception thrown by {@code destroyedAction}
 */
@Override
public void sessionDestroyed(final Session session, final HttpServerExchange exchange, final SessionDestroyedReason reason) {
    final boolean timedOut = reason == SessionDestroyedReason.TIMEOUT;
    if (timedOut) {
        try {
            // Timeouts are routed through destroyedAction so thread setup actions are performed.
            destroyedAction.call(exchange, session);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    } else {
        doDestroy(session);
    }

    final ServletRequestContext requestContext = SecurityActions.currentServletRequestContext();
    if (requestContext == null) {
        return;
    }

    Session attached = null;
    if (requestContext.getSession() != null) {
        if (System.getSecurityManager() != null) {
            // With a SecurityManager installed, the unwrap runs as a privileged action.
            attached = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(requestContext.getSession()));
        } else {
            attached = requestContext.getSession().getSession();
        }
    }

    // Compared by identity: only the very session that was destroyed is detached.
    if (attached == session) {
        requestContext.setSession(null);
    }
}
 
Example #29
Source File: SessionListenerBridge.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Tells the application listeners the session is destroyed and then clears all of the
 * session's attributes.
 *
 * @param session the Undertow session being destroyed
 */
private void doDestroy(Session session) {
    final HttpSessionImpl facade = SecurityActions.forSession(session, servletContext, false);
    applicationListeners.sessionDestroyed(facade);

    // Defensive copy of the attribute names: the underlying session map may not be a
    // concurrent map, and removing entries while iterating it could throw a
    // ConcurrentModificationException.
    final HashSet<String> attributeNames = new HashSet<>(session.getAttributeNames());
    for (String current : attributeNames) {
        session.removeAttribute(current);
    }
}
 
Example #30
Source File: SessionListenerBridge.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Passes a newly added session attribute on to the servlet-level listeners.
 * Attributes whose name starts with {@code IO_UNDERTOW} are skipped.
 *
 * @param session the Undertow session that received the attribute
 * @param name    name of the attribute
 * @param value   value stored under {@code name}
 */
@Override
public void attributeAdded(final Session session, final String name, final Object value) {
    if (!name.startsWith(IO_UNDERTOW)) {
        final HttpSessionImpl facade = SecurityActions.forSession(session, servletContext, false);
        applicationListeners.httpSessionAttributeAdded(facade, name, value);

        // Binding-aware values additionally receive their own valueBound callback.
        if (value instanceof HttpSessionBindingListener) {
            ((HttpSessionBindingListener) value).valueBound(new HttpSessionBindingEvent(facade, name, value));
        }
    }
}