/** * Change the ID of the session that this request is associated with. There * are several things that may trigger an ID change. These include moving * between nodes in a cluster and session fixation prevention during the * authentication process. * * @param newSessionId The session to change the session ID for */ public void changeSessionId(String newSessionId) { // This should only ever be called if there was an old session ID but // double check to be sure if (requestedSessionId != null && requestedSessionId.length() > 0) { requestedSessionId = newSessionId; } if (context != null && !context.getServletContext() .getEffectiveSessionTrackingModes().contains( SessionTrackingMode.COOKIE)) { return; } if (response != null) { Cookie newCookie = ApplicationSessionCookieConfig.createSessionCookie(context, newSessionId, secure); response.addSessionCookieInternal(newCookie); } }
private void populateSessionTrackingModes() { // URL re-writing is always enabled by default defaultSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL); supportedSessionTrackingModes = EnumSet.of(SessionTrackingMode.URL); if (context.getCookies()) { defaultSessionTrackingModes.add(SessionTrackingMode.COOKIE); supportedSessionTrackingModes.add(SessionTrackingMode.COOKIE); } // SSL not enabled by default as it can only used on its own // Context > Host > Engine > Service Service s = ((Engine) context.getParent().getParent()).getService(); Connector[] connectors = s.findConnectors(); // Need at least one SSL enabled connector to use the SSL session ID. for (Connector connector : connectors) { if (Boolean.TRUE.equals(connector.getAttribute("SSLEnabled"))) { supportedSessionTrackingModes.add(SessionTrackingMode.SSL); break; } } }
public void initDone() { initialized = true; Set<SessionTrackingMode> trackingMethods = sessionTrackingModes; SessionConfig sessionConfig = sessionCookieConfig; if (trackingMethods != null && !trackingMethods.isEmpty()) { if (sessionTrackingModes.contains(SessionTrackingMode.SSL)) { sessionConfig = new SslSessionConfig(deployment.getSessionManager()); } else { if (sessionTrackingModes.contains(SessionTrackingMode.COOKIE) && sessionTrackingModes.contains(SessionTrackingMode.URL)) { sessionCookieConfig.setFallback(new PathParameterSessionConfig(sessionCookieConfig.getName().toLowerCase(Locale.ENGLISH))); } else if (sessionTrackingModes.contains(SessionTrackingMode.URL)) { sessionConfig = new PathParameterSessionConfig(sessionCookieConfig.getName().toLowerCase(Locale.ENGLISH)); } } } SessionConfigWrapper wrapper = deploymentInfo.getSessionConfigWrapper(); if (wrapper != null) { sessionConfig = wrapper.wrap(sessionConfig, deployment); } this.sessionConfig = sessionConfig; }
/** * Change the ID of the session that this request is associated with. There * are several things that may trigger an ID change. These include moving * between nodes in a cluster and session fixation prevention during the * authentication process. * * @param newSessionId * The session to change the session ID for */ public void changeSessionId(String newSessionId) { // This should only ever be called if there was an old session ID but // double check to be sure if (requestedSessionId != null && requestedSessionId.length() > 0) { requestedSessionId = newSessionId; } if (context != null && !context.getServletContext().getEffectiveSessionTrackingModes() .contains(SessionTrackingMode.COOKIE)) { return; } if (response != null) { Cookie newCookie = ApplicationSessionCookieConfig.createSessionCookie(context, newSessionId, secure); response.addSessionCookieInternal(newCookie); } }
@Override public void onStartup(ServletContext servletContext) throws ServletException { this.servletContext = servletContext; servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE)); servletContext.addListener(new WelcomeContainerBootstrap()); servletContext.addListener(new CockpitContainerBootstrap()); servletContext.addListener(new AdminContainerBootstrap()); servletContext.addListener(new TasklistContainerBootstrap()); registerFilter("Authentication Filter", AuthenticationFilter.class, "/*"); registerFilter("Security Filter", LazySecurityFilter.class, singletonMap("configFile", properties.getWebapp().getSecurityConfigFile()), "/*"); registerFilter("Engines Filter", LazyProcessEnginesFilter.class, "/app/*"); registerFilter("CacheControlFilter", CacheControlFilter.class, "/api/*"); registerServlet("Cockpit Api", CockpitApplication.class, "/api/cockpit/*"); registerServlet("Admin Api", AdminApplication.class, "/api/admin/*"); registerServlet("Tasklist Api", TasklistApplication.class, "/api/tasklist/*"); registerServlet("Engine Api", EngineRestApplication.class, "/api/engine/*"); }
public static void initialize(ServletContext servletContext, boolean dev) throws ServletException { FacesInitializer facesInitializer = new FacesInitializer(); servletContext.setInitParameter("primefaces.FONT_AWESOME", "true"); servletContext.setInitParameter("javax.faces.FACELETS_SKIP_COMMENTS", "true"); if (dev) { servletContext.setInitParameter("javax.faces.FACELETS_REFRESH_PERIOD", "0"); servletContext.setInitParameter("javax.faces.PROJECT_STAGE", "Development"); } else { servletContext.setInitParameter("javax.faces.FACELETS_REFRESH_PERIOD", "-1"); servletContext.setInitParameter("javax.faces.PROJECT_STAGE", "Production"); } servletContext.setSessionTrackingModes(ImmutableSet.of(SessionTrackingMode.COOKIE)); Set<Class<?>> clazz = new HashSet<Class<?>>(); clazz.add(WebXmlSpringBoot.class); facesInitializer.onStartup(clazz, servletContext); Dynamic startBrowserServlet = servletContext.addServlet("StartBrowserServlet", StartBrowserServlet.class); startBrowserServlet.setLoadOnStartup(2); }
@Test public void shouldSetSessionTrackingModeToCookieOnly() throws Exception { Server server = new Server(1234); WebAppContext webAppContext = new WebAppContext(); webAppContext.setWar(webapp.getAbsolutePath()); webAppContext.setContextPath("/"); server.setHandler(webAppContext); try { server.start(); Set<SessionTrackingMode> effectiveSessionTrackingModes = ((WebAppContext) server.getHandlers()[0]).getServletContext().getEffectiveSessionTrackingModes(); assertThat(effectiveSessionTrackingModes.size(), is(1)); assertThat(effectiveSessionTrackingModes.contains(SessionTrackingMode.COOKIE), is(true)); } finally { server.stop(); } }
/** * Change the ID of the session that this request is associated with. There * are several things that may trigger an ID change. These include moving * between nodes in a cluster and session fixation prevention during the * authentication process. * * @param newSessionId The session to change the session ID for */ public void changeSessionId(String newSessionId) { // This should only ever be called if there was an old session ID but // double check to be sure if (requestedSessionId != null && requestedSessionId.length() > 0) { requestedSessionId = newSessionId; } if (context != null && !context.getServletContext() .getEffectiveSessionTrackingModes().contains( SessionTrackingMode.COOKIE)) return; if (response != null) { Cookie newCookie = ApplicationSessionCookieConfig.createSessionCookie(context, newSessionId, secure); response.addSessionCookieInternal(newCookie); } }
public SessionManager build() throws IOException { HashSessionManager manager = new HashSessionManager(); manager.setSessionTrackingModes(ImmutableSet.of(SessionTrackingMode.COOKIE)); manager.setHttpOnly(true); manager.getSessionCookieConfig().setHttpOnly(true); manager.setDeleteUnrestorableSessions(true); manager.setStoreDirectory(new File(getPath())); manager.getSessionCookieConfig().setMaxAge((int) cookieMaxAge.toSeconds()); manager.setRefreshCookieAge((int) cookieRefreshAge.toSeconds()); manager.setMaxInactiveInterval((int) maxInactiveInterval.toSeconds()); manager.setIdleSavePeriod((int) idleSavePeriod.toSeconds()); manager.setSavePeriod((int) savePeriod.toSeconds()); manager.setScavengePeriod((int) scavengePeriod.toSeconds()); return manager; }
private void addRootContext(ServletContext container) { // Create the application context AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext(); rootContext.register(SpringContextConfig.class); // Register application context with ContextLoaderListener container.addListener(new ContextLoaderListener(rootContext)); container.addListener(new AppSessionListener()); container.setInitParameter("contextConfigLocation", "org.packt.secured.mvc.core"); container.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE)); // if URL, enable sessionManagement URL rewriting }
private void addRootContext(ServletContext container) { // Create the application context AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext(); rootContext.register(SpringContextConfig.class); // Register application context with ContextLoaderListener container.addListener(new ContextLoaderListener(rootContext)); container.setInitParameter("contextConfigLocation", "org.packt.web.reactor.security.config"); container.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE)); // if URL, enable sessionManagement URL rewriting }
@Override @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Set<SessionTrackingMode> getDefaultSessionTrackingModes() { if (SecurityUtil.isPackageProtectionEnabled()) { return (Set<SessionTrackingMode>) doPrivileged("getDefaultSessionTrackingModes", null); } else { return context.getDefaultSessionTrackingModes(); } }
@Override @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() { if (SecurityUtil.isPackageProtectionEnabled()) { return (Set<SessionTrackingMode>) doPrivileged("getEffectiveSessionTrackingModes", null); } else { return context.getEffectiveSessionTrackingModes(); } }
@Override public void setSessionTrackingModes( Set<SessionTrackingMode> sessionTrackingModes) { if (SecurityUtil.isPackageProtectionEnabled()) { doPrivileged("setSessionTrackingModes", new Object[]{sessionTrackingModes}); } else { context.setSessionTrackingModes(sessionTrackingModes); } }
/** * Return the supplied value if one was previously set, else return the * defaults. */ @Override public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() { if (sessionTrackingModes != null) { return sessionTrackingModes; } return defaultSessionTrackingModes; }
/** * @throws IllegalStateException if the context has already been initialised * @throws IllegalArgumentException If SSL is requested in combination with * anything else or if an unsupported * tracking mode is requested */ @Override public void setSessionTrackingModes( Set<SessionTrackingMode> sessionTrackingModes) { if (!context.getState().equals(LifecycleState.STARTING_PREP)) { throw new IllegalStateException( sm.getString("applicationContext.setSessionTracking.ise", getContextPath())); } // Check that only supported tracking modes have been requested for (SessionTrackingMode sessionTrackingMode : sessionTrackingModes) { if (!supportedSessionTrackingModes.contains(sessionTrackingMode)) { throw new IllegalArgumentException(sm.getString( "applicationContext.setSessionTracking.iae.invalid", sessionTrackingMode.toString(), getContextPath())); } } // Check SSL has not be configured with anything else if (sessionTrackingModes.contains(SessionTrackingMode.SSL)) { if (sessionTrackingModes.size() > 1) { throw new IllegalArgumentException(sm.getString( "applicationContext.setSessionTracking.iae.ssl", getContextPath())); } } this.sessionTrackingModes = sessionTrackingModes; }
public TesterRequest(boolean withSession) { context = new TesterContext(); servletContext = new TesterServletContext(); context.setServletContext(servletContext); if (withSession) { Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>(); modes.add(SessionTrackingMode.URL); modes.add(SessionTrackingMode.COOKIE); servletContext.setSessionTrackingModes(modes); session = new StandardSession(null); session.setId("1234", false); session.setValid(true); } }
@Override public void setSessionTrackingModes(final Set<SessionTrackingMode> sessionTrackingModes) { ensureNotProgramaticListener(); ensureNotInitialized(); if (sessionTrackingModes.size() > 1 && sessionTrackingModes.contains(SessionTrackingMode.SSL)) { throw UndertowServletMessages.MESSAGES.sslCannotBeCombinedWithAnyOtherMethod(); } this.sessionTrackingModes = new HashSet<>(sessionTrackingModes); //TODO: actually make this work }
/** * Return <code>true</code> if the specified URL should be encoded with * a session identifier. This will be true if all of the following * conditions are met: * <ul> * <li>The request we are responding to asked for a valid session * <li>The requested session ID was not received via a cookie * <li>The specified URL points back to somewhere within the web * application that is responding to this request * </ul> * * @param location Absolute URL to be validated */ private boolean isEncodeable(final String location) { if (location == null) return (false); // Is this an intra-document reference? if (location.startsWith("#")) return (false); // Are we in a valid session that is not using cookies? final HttpServletRequestImpl hreq = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getOriginalRequest(); // Is URL encoding permitted if (!originalServletContext.getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL)) { return false; } final HttpSession session = hreq.getSession(false); if (session == null) { return false; } else if (!hreq.isRequestedSessionIdFromURL() && !session.isNew()) { return false; } return doIsEncodeable(hreq, session, location); }
@Override public Set<SessionTrackingMode> getDefaultSessionTrackingModes() { if (_sessionHandler!=null) return _sessionHandler.getSessionManager().getDefaultSessionTrackingModes(); return null; }
@Override public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() { if (_sessionHandler!=null) return _sessionHandler.getSessionManager().getEffectiveSessionTrackingModes(); return null; }
@Override public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) { if (!isStarting()) throw new IllegalStateException(); if (!_enabled) throw new UnsupportedOperationException(); if (_sessionHandler!=null) _sessionHandler.getSessionManager().setSessionTrackingModes(sessionTrackingModes); }
/** * Return <code>true</code> if the specified URL should be encoded with a * session identifier. This will be true if all of the following conditions * are met: * <ul> * <li>The request we are responding to asked for a valid session * <li>The requested session ID was not received via a cookie * <li>The specified URL points back to somewhere within the web application * that is responding to this request * </ul> * * @param location * Absolute URL to be validated */ protected boolean isEncodeable(final String location) { if (location == null) { return (false); } // Is this an intra-document reference? if (location.startsWith("#")) { return (false); } // Are we in a valid session that is not using cookies? final Request hreq = request; final Session session = hreq.getSessionInternal(false); if (session == null) { return (false); } if (hreq.isRequestedSessionIdFromCookie()) { return (false); } // Is URL encoding permitted if (!hreq.getServletContext().getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL)) { return false; } if (SecurityUtil.isPackageProtectionEnabled()) { return (AccessController.doPrivileged(new PrivilegedAction<Boolean>() { @Override public Boolean run() { return Boolean.valueOf(doIsEncodeable(hreq, session, location)); } })).booleanValue(); } else { return doIsEncodeable(hreq, session, location); } }
@Override public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) { if (SecurityUtil.isPackageProtectionEnabled()) { doPrivileged("setSessionTrackingModes", new Object[] { sessionTrackingModes }); } else { context.setSessionTrackingModes(sessionTrackingModes); } }
