import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.ServiceLoader;
* @since 7.0
*/
public abstract class VaadinService implements Serializable {
+ private static final String REINITIALIZING_SESSION_MARKER = VaadinService.class
+ .getName() + ".reinitializing";
+
private static final Method SESSION_INIT_METHOD = ReflectTools.findMethod(
SessionInitListener.class, "sessionInit", SessionInitEvent.class);
}
public void fireSessionDestroy(VaadinServiceSession vaadinSession) {
+ // Ignore if the session is being moved to a different backing session
+ if (vaadinSession.getAttribute(REINITIALIZING_SESSION_MARKER) == Boolean.TRUE) {
+ return;
+ }
+
for (UI ui : new ArrayList<UI>(vaadinSession.getUIs())) {
vaadinSession.cleanupUI(ui);
}
public boolean preserveUIOnRefresh(UIProvider provider, UICreateEvent event) {
return provider.isPreservedOnRefresh(event);
}
+
+ /**
+ * Discards the current session and creates a new session with the same
+ * contents. The purpose of this is to introduce a new session key in order
+ * to avoid session fixation attacks.
+ * <p>
+ * Please note that this method makes certain assumptions about how data is
+ * stored in the underlying session and may thus not be compatible with some
+ * environments.
+ *
+ * @param request
+ * The Vaadin request for which the session should be
+ * reinitialized
+ */
+ public static void reinitializeSession(VaadinRequest request) {
+ WrappedSession oldSession = request.getWrappedSession();
+
+ // Stores all attributes (security key, reference to this context
+ // instance) so they can be added to the new session
+ HashMap<String, Object> attrs = new HashMap<String, Object>();
+ for (String name : oldSession.getAttributeNames()) {
+ Object value = oldSession.getAttribute(name);
+ if (value instanceof VaadinServiceSession) {
+ // set flag to avoid cleanup
+ VaadinServiceSession serviceSession = (VaadinServiceSession) value;
+ serviceSession.setAttribute(REINITIALIZING_SESSION_MARKER,
+ Boolean.TRUE);
+ }
+ attrs.put(name, value);
+ }
+
+ // Invalidate the current session
+ oldSession.invalidate();
+
+ // Create a new session
+ WrappedSession newSession = request.getWrappedSession();
+
+ // Restores all attributes (security key, reference to this context
+ // instance)
+ for (String name : attrs.keySet()) {
+ Object value = attrs.get(name);
+ newSession.setAttribute(name, value);
+
+ // Ensure VaadinServiceSession knows where it's stored
+ if (value instanceof VaadinServiceSession) {
+ VaadinServiceSession serviceSession = (VaadinServiceSession) value;
+ serviceSession.storeInSession(serviceSession.getService(),
+ newSession);
+ serviceSession
+ .setAttribute(REINITIALIZING_SESSION_MARKER, null);
+ }
+ }
+
+ }
}
// closing
// Notify the service
service.fireSessionDestroy(this);
+ session = null;
}
/**
package com.vaadin.server;
-import java.util.Enumeration;
-import java.util.HashMap;
-
-import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
-import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
/**
@SuppressWarnings("serial")
public class VaadinServletSession extends VaadinServiceSession {
- private transient boolean reinitializingSession = false;
-
/**
* Create a servlet service session for the given servlet service
*
super(service);
}
- @Override
- public void valueUnbound(HttpSessionBindingEvent event) {
- if (!reinitializingSession) {
- // Avoid closing the application if we are only reinitializing the
- // session. Closing the application would cause the state to be lost
- // and a new application to be created, which is not what we want.
- super.valueUnbound(event);
- }
- }
-
- /**
- * Discards the current session and creates a new session with the same
- * contents. The purpose of this is to introduce a new session key in order
- * to avoid session fixation attacks.
- */
- public void reinitializeSession() {
- HttpServletRequest currentRequest = VaadinServletService
- .getCurrentServletRequest();
- if (currentRequest == null) {
- throw new IllegalStateException(
- "Can not reinitialize session outside normal request handling.");
- }
-
- HttpSession oldSession = getHttpSession();
-
- // Stores all attributes (security key, reference to this context
- // instance) so they can be added to the new session
- HashMap<String, Object> attrs = new HashMap<String, Object>();
- for (Enumeration<String> e = oldSession.getAttributeNames(); e
- .hasMoreElements();) {
- String name = e.nextElement();
- attrs.put(name, oldSession.getAttribute(name));
- }
-
- // Invalidate the current session, set flag to avoid call to
- // valueUnbound
- reinitializingSession = true;
- oldSession.invalidate();
- reinitializingSession = false;
-
- // Create a new session
- HttpSession newSession = currentRequest.getSession();
-
- // Restores all attributes (security key, reference to this context
- // instance)
- for (String name : attrs.keySet()) {
- newSession.setAttribute(name, attrs.get(name));
- }
-
- // Update the "current session" variable
- storeInSession(VaadinService.getCurrent(), new WrappedHttpSession(
- newSession));
- }
-
/**
* Gets the http-session application is running in.
*
package com.vaadin.server;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Set;
+
import javax.servlet.http.HttpSession;
/**
return session;
}
+ @Override
+ public Set<String> getAttributeNames() {
+ Enumeration<String> attributeNames = session.getAttributeNames();
+ return enumerationToSet(attributeNames);
+ }
+
+ // Helper shared with WrappedPortletSession
+ static <T> Set<T> enumerationToSet(Enumeration<T> values) {
+ HashSet<T> set = new HashSet<T>();
+ while (values.hasMoreElements()) {
+ set.add(values.nextElement());
+ }
+ return Collections.unmodifiableSet(set);
+ }
+
+ @Override
+ public void invalidate() {
+ session.invalidate();
+ }
+
}
package com.vaadin.server;
+import java.util.Set;
+
import javax.portlet.PortletSession;
/**
public PortletSession getPortletSession() {
return session;
}
+
+ @Override
+ public Set<String> getAttributeNames() {
+ return WrappedHttpSession.enumerationToSet(session.getAttributeNames());
+ }
+
+ @Override
+ public void invalidate() {
+ session.invalidate();
+ }
}
package com.vaadin.server;
+import java.util.Set;
+
import javax.portlet.PortletSession;
import javax.servlet.http.HttpSession;
* @see javax.portlet.PortletSession#setAttribute(String, Object)
*/
public void setAttribute(String name, Object value);
+
+ /**
+ * Gets the current set of attribute names stored in this session.
+ *
+ * @return an unmodifiable set of the current attribute names
+ *
+ * @see HttpSession#getAttributeNames()
+ * @see PortletSession#getAttributeNames()
+ */
+ public Set<String> getAttributeNames();
+
+ /**
+ * Invalidates this session then unbinds any objects bound to it.
+ *
+ * @see HttpSession#invalidate()
+ * @see PortletSession#invalidate()
+ */
+ public void invalidate();
}
package com.vaadin.tests.applicationcontext;
+import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinServletSession;
import com.vaadin.tests.components.AbstractTestCase;
import com.vaadin.tests.util.Log;
VaadinServletSession context = ((VaadinServletSession) getContext());
String oldSessionId = context.getHttpSession().getId();
- context.reinitializeSession();
+ context.getService().reinitializeSession(
+ VaadinService.getCurrentRequest());
String newSessionId = context.getHttpSession().getId();
if (oldSessionId.equals(newSessionId)) {
log.log("FAILED! Both old and new session id is "
projects / vaadin-framework.git / commitdiff