From 948aca0a6fceb8d9bcd659bc13926d2b95ac395d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Leif=20=C3=85strand?= Date: Fri, 19 Aug 2011 12:54:47 +0000 Subject: [PATCH] #6094 Add a way to switch session key svn changeset:20519/svn branch:6.7 --- .../gwt/server/PortletApplicationContext.java | 11 +++ .../gwt/server/WebApplicationContext.java | 71 +++++++++++++++++++ .../applicationcontext/ChangeSessionId.html | 37 ++++++++++ .../applicationcontext/ChangeSessionId.java | 69 ++++++++++++++++++ 4 files changed, 188 insertions(+) create mode 100644 tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html create mode 100644 tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java diff --git a/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java b/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java index 49d40cbc62..79f2230588 100644 --- a/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java +++ b/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java @@ -95,6 +95,17 @@ public class PortletApplicationContext extends WebApplicationContext implements super.removeApplication(application); } + /** + * Reinitializing the session is not supported from portlets. + * + * @see com.vaadin.terminal.gwt.server.WebApplicationContext#reinitializeSession() + */ + @Override + public void reinitializeSession() { + throw new UnsupportedOperationException( + "Reinitializing the session is not supported from portlets"); + } + public void setPortletApplication(Portlet portlet, Application app) { portletToApplication.put(portlet, app); } diff --git a/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java b/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java index dbb44d51d2..89b6773815 100644 --- a/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java +++ b/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java @@ -5,8 +5,12 @@ package com.vaadin.terminal.gwt.server; import java.io.File; +import java.util.Enumeration; +import java.util.HashMap; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; +import javax.servlet.http.HttpSessionBindingEvent; import javax.servlet.http.HttpSessionBindingListener; import com.vaadin.Application; @@ -26,6 +30,12 @@ import com.vaadin.Application; public class WebApplicationContext extends AbstractWebApplicationContext { protected transient HttpSession session; + private transient boolean reinitializingSession = false; + + /** + * Stores a reference to the currentRequest. Null it not inside a request. + */ + private transient Object currentRequest = null; /** * Creates a new Web Application Context. @@ -35,6 +45,67 @@ public class WebApplicationContext extends AbstractWebApplicationContext { } + @Override + protected void startTransaction(Application application, Object request) { + currentRequest = request; + super.startTransaction(application, request); + } + + @Override + protected void endTransaction(Application application, Object request) { + super.endTransaction(application, request); + currentRequest = null; + } + + @Override + public void valueUnbound(HttpSessionBindingEvent event) { + if (!reinitializingSession) { + // Avoid closing the application if we are only reinitializing the + // session. Closing the application would cause the state to be lost + // and a new application to be created, which is not what we want. + super.valueUnbound(event); + } + } + + /** + * Discards the current session and creates a new session with the same + * contents. The purpose of this is to introduce a new session key in order + * to avoid session fixation attacks. + */ + @SuppressWarnings("unchecked") + public void reinitializeSession() { + + HttpSession oldSession = getHttpSession(); + + // Stores all attributes (security key, reference to this context + // instance) so they can be added to the new session + HashMap attrs = new HashMap(); + for (Enumeration e = oldSession.getAttributeNames(); e + .hasMoreElements();) { + String name = e.nextElement(); + attrs.put(name, oldSession.getAttribute(name)); + } + + // Invalidate the current session, set flag to avoid call to + // valueUnbound + reinitializingSession = true; + oldSession.invalidate(); + reinitializingSession = false; + + // Create a new session + HttpSession newSession = ((HttpServletRequest) currentRequest) + .getSession(); + + // Restores all attributes (security key, reference to this context + // instance) + for (String name : attrs.keySet()) { + newSession.setAttribute(name, attrs.get(name)); + } + + // Update the "current session" variable + session = newSession; + } + /** * Gets the application context base directory. * diff --git a/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html new file mode 100644 index 0000000000..6d028f1fea --- /dev/null +++ b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html @@ -0,0 +1,37 @@ + + + + + + +ChangeSessionId + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ChangeSessionId
open/run/com.vaadin.tests.applicationcontext.ChangeSessionId?restartApplication
clickvaadin=runcomvaadintestsapplicationcontextChangeSessionId::/VVerticalLayout[0]/ChildComponentContainer[1]/VButton[0]/domChild[0]/domChild[0]
clickvaadin=runcomvaadintestsapplicationcontextChangeSessionId::/VVerticalLayout[0]/ChildComponentContainer[2]/VButton[0]/domChild[0]/domChild[0]
assertTextvaadin=runcomvaadintestsapplicationcontextChangeSessionId::PID_SLog_row_12. Session id changed successfully from * to *
+ + diff --git a/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java new file mode 100644 index 0000000000..ddbbc49e68 --- /dev/null +++ b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java @@ -0,0 +1,69 @@ +package com.vaadin.tests.applicationcontext; + +import com.vaadin.terminal.gwt.server.WebApplicationContext; +import com.vaadin.tests.components.AbstractTestCase; +import com.vaadin.tests.util.Log; +import com.vaadin.ui.Button; +import com.vaadin.ui.Button.ClickEvent; +import com.vaadin.ui.Button.ClickListener; +import com.vaadin.ui.Window; + +public class ChangeSessionId extends AbstractTestCase { + + private Log log = new Log(5); + Button loginButton = new Button("Change session"); + boolean requestSessionSwitch = false; + + @Override + public void init() { + Window mainWindow = new Window("Sestest Application"); + mainWindow.addComponent(log); + mainWindow.addComponent(loginButton); + mainWindow.addComponent(new Button("Show session id", + new Button.ClickListener() { + + public void buttonClick(ClickEvent event) { + logSessionId(); + } + })); + setMainWindow(mainWindow); + + loginButton.addListener(new ClickListener() { + public void buttonClick(ClickEvent event) { + WebApplicationContext context = ((WebApplicationContext) getContext()); + + String oldSessionId = context.getHttpSession().getId(); + context.reinitializeSession(); + String newSessionId = context.getHttpSession().getId(); + if (oldSessionId.equals(newSessionId)) { + log.log("FAILED! Both old and new session id is " + + newSessionId); + } else { + log.log("Session id changed successfully from " + + oldSessionId + " to " + newSessionId); + } + + } + }); + logSessionId(); + } + + private void logSessionId() { + log.log("Session id: " + getSessionId()); + } + + protected String getSessionId() { + return ((WebApplicationContext) getContext()).getHttpSession().getId(); + } + + @Override + protected String getDescription() { + return "Tests that the session id can be changed to prevent session fixation attacks"; + } + + @Override + protected Integer getTicketNumber() { + return 6094; + } + +} \ No newline at end of file -- 2.39.5