package com.vaadin.terminal.gwt.server;
import java.io.File;
+import java.util.Enumeration;
+import java.util.HashMap;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import com.vaadin.Application;
public class WebApplicationContext extends AbstractWebApplicationContext {
protected transient HttpSession session;
+ private transient boolean reinitializingSession = false;
+
+ /**
+ * Stores a reference to the currentRequest. Null it not inside a request.
+ */
+ private transient Object currentRequest = null;
/**
* Creates a new Web Application Context.
}
+ @Override
+ protected void startTransaction(Application application, Object request) {
+ currentRequest = request;
+ super.startTransaction(application, request);
+ }
+
+ @Override
+ protected void endTransaction(Application application, Object request) {
+ super.endTransaction(application, request);
+ currentRequest = null;
+ }
+
+ @Override
+ public void valueUnbound(HttpSessionBindingEvent event) {
+ if (!reinitializingSession) {
+ // Avoid closing the application if we are only reinitializing the
+ // session. Closing the application would cause the state to be lost
+ // and a new application to be created, which is not what we want.
+ super.valueUnbound(event);
+ }
+ }
+
+ /**
+ * Discards the current session and creates a new session with the same
+ * contents. The purpose of this is to introduce a new session key in order
+ * to avoid session fixation attacks.
+ */
+ @SuppressWarnings("unchecked")
+ public void reinitializeSession() {
+
+ HttpSession oldSession = getHttpSession();
+
+ // Stores all attributes (security key, reference to this context
+ // instance) so they can be added to the new session
+ HashMap<String, Object> attrs = new HashMap<String, Object>();
+ for (Enumeration<String> e = oldSession.getAttributeNames(); e
+ .hasMoreElements();) {
+ String name = e.nextElement();
+ attrs.put(name, oldSession.getAttribute(name));
+ }
+
+ // Invalidate the current session, set flag to avoid call to
+ // valueUnbound
+ reinitializingSession = true;
+ oldSession.invalidate();
+ reinitializingSession = false;
+
+ // Create a new session
+ HttpSession newSession = ((HttpServletRequest) currentRequest)
+ .getSession();
+
+ // Restores all attributes (security key, reference to this context
+ // instance)
+ for (String name : attrs.keySet()) {
+ newSession.setAttribute(name, attrs.get(name));
+ }
+
+ // Update the "current session" variable
+ session = newSession;
+ }
+
/**
* Gets the application context base directory.
*
projects / vaadin-framework.git / commitdiff