author | Leif Åstrand <leif@vaadin.com> | 2011-08-19 12:54:47 +0000 |
committer | Leif Åstrand <leif@vaadin.com> | 2011-08-19 12:54:47 +0000 |
commit | 948aca0a6fceb8d9bcd659bc13926d2b95ac395d (patch) | |
tree | 62346b168919d4d7b8cc5844443b4431caf2127c | |
parent | 2ff00c1bfdc5b62c7dca469d428fbef1a672ab52 (diff) | |
#6094 Add a way to switch session key
svn changeset:20519/svn branch:6.7
4 files changed, 188 insertions, 0 deletions
diff --git a/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java b/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java
index 49d40cbc62..79f2230588 100644
--- a/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java
+++ b/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java
@@ -95,6 +95,17 @@ public class PortletApplicationContext extends WebApplicationContext implements
 super.removeApplication(application);
 }
+ /**
+ * Reinitializing the session is not supported from portlets.
+ *
+ * @see com.vaadin.terminal.gwt.server.WebApplicationContext#reinitializeSession()
+ */
+ @Override
+ public void reinitializeSession() {
+ throw new UnsupportedOperationException(
+ "Reinitializing the session is not supported from portlets");
+ }
+
 public void setPortletApplication(Portlet portlet, Application app) {
 portletToApplication.put(portlet, app);
 }
diff --git a/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java b/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java
index dbb44d51d2..89b6773815 100644
--- a/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java
+++ b/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java
@@ -5,8 +5,12 @@ package com.vaadin.terminal.gwt.server;
 import java.io.File;
+import java.util.Enumeration;
+import java.util.HashMap;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpSessionBindingEvent;
 import javax.servlet.http.HttpSessionBindingListener;
 import com.vaadin.Application;
@@ -26,6 +30,12 @@ import com.vaadin.Application;
 public class WebApplicationContext extends AbstractWebApplicationContext {
 protected transient HttpSession session;
+ private transient boolean reinitializingSession = false;
+
+ /**
+ * Stores a reference to the currentRequest. Null it not inside a request.
+ */
+ private transient Object currentRequest = null;
 /**
 * Creates a new Web Application Context.
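Review bot: The Javadoc on the new `currentRequest` field in WebApplicationContext reads `Null it not inside a request`; it should say `Null if not inside a request`, and it would help to state who maintains the value, e.g. `Set by startTransaction() and cleared by endTransaction(); only valid while a request is being processed.` `reinitializingSession` has no comment at all; `// Set while reinitializeSession() invalidates the old session, so that valueUnbound() does not close the application` describes its only purpose. Both are plain instance fields shared by every request that reaches this context, so if the servlet does not serialize requests for one session (not visible in this hunk), one request's endTransaction() can null currentRequest while another is inside reinitializeSession(); the assumed one-request-at-a-time contract is worth documenting on the fields.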
@@ -35,6 +45,67 @@ public class WebApplicationContext extends AbstractWebApplicationContext {
 }
+ @Override
+ protected void startTransaction(Application application, Object request) {
+ currentRequest = request;
+ super.startTransaction(application, request);
+ }
+
+ @Override
+ protected void endTransaction(Application application, Object request) {
+ super.endTransaction(application, request);
+ currentRequest = null;
+ }
+
+ @Override
+ public void valueUnbound(HttpSessionBindingEvent event) {
+ if (!reinitializingSession) {
+ // Avoid closing the application if we are only reinitializing the
+ // session. Closing the application would cause the state to be lost
+ // and a new application to be created, which is not what we want.
+ super.valueUnbound(event);
+ }
+ }
+
+ /**
+ * Discards the current session and creates a new session with the same
+ * contents. The purpose of this is to introduce a new session key in order
+ * to avoid session fixation attacks.
+ */
+ @SuppressWarnings("unchecked")
+ public void reinitializeSession() {
+
+ HttpSession oldSession = getHttpSession();
+
+ // Stores all attributes (security key, reference to this context
+ // instance) so they can be added to the new session
+ HashMap<String, Object> attrs = new HashMap<String, Object>();
+ for (Enumeration<String> e = oldSession.getAttributeNames(); e
+ .hasMoreElements();) {
+ String name = e.nextElement();
+ attrs.put(name, oldSession.getAttribute(name));
+ }
+
+ // Invalidate the current session, set flag to avoid call to
+ // valueUnbound
+ reinitializingSession = true;
+ oldSession.invalidate();
+ reinitializingSession = false;
+
+ // Create a new session
+ HttpSession newSession = ((HttpServletRequest) currentRequest)
+ .getSession();
+
+ // Restores all attributes (security key, reference to this context
+ // instance)
+ for (String name : attrs.keySet()) {
+ newSession.setAttribute(name, attrs.get(name));
+ }
+
+ // Update the "current session" variable
+ session = newSession;
+ }
+
 /**
 * Gets the application context base directory.
 *
diff --git a/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html
new file mode 100644
index 0000000000..6d028f1fea
--- /dev/null
+++ b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.html
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head profile="http://selenium-ide.openqa.org/profiles/test-case">
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<link rel="selenium.base" href="http://arturwin.office.itmill.com:8888/" />
+<title>ChangeSessionId</title>
+</head>
+<body>
+<table cellpadding="1" cellspacing="1" border="1">
+<thead>
+<tr><td rowspan="1" colspan="3">ChangeSessionId</td></tr>
+</thead><tbody>
+<tr>
+ <td>open</td>
+ <td>/run/com.vaadin.tests.applicationcontext.ChangeSessionId?restartApplication</td>
+ <td></td>
+</tr>
+<tr>
+ <td>click</td>
+ <td>vaadin=runcomvaadintestsapplicationcontextChangeSessionId::/VVerticalLayout[0]/ChildComponentContainer[1]/VButton[0]/domChild[0]/domChild[0]</td>
+ <td></td>
+</tr>
+<tr>
+ <td>click</td>
+ <td>vaadin=runcomvaadintestsapplicationcontextChangeSessionId::/VVerticalLayout[0]/ChildComponentContainer[2]/VButton[0]/domChild[0]/domChild[0]</td>
+ <td></td>
+</tr>
+<tr>
+ <td>assertText</td>
+ <td>vaadin=runcomvaadintestsapplicationcontextChangeSessionId::PID_SLog_row_1</td>
+ <td>2. Session id changed successfully from * to *</td>
+</tr>
+
+</tbody></table>
+</body>
+</html>
diff --git a/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java
new file mode 100644
index 0000000000..ddbbc49e68
--- /dev/null
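Review bot: In reinitializeSession() the `reinitializingSession` flag is reset on the line after `oldSession.invalidate()` rather than in a finally block, so if invalidate() throws (an IllegalStateException for a session that was already invalidated, for instance) the flag stays true for the rest of this context's life and every later valueUnbound() — including the one for a genuine session timeout — skips super.valueUnbound(event) and the application is never closed. The cast `(HttpServletRequest) currentRequest` a few lines further down fails with a NullPointerException or ClassCastException when the method is called outside a transaction (currentRequest is null then, per the endTransaction() override above), which is hard to diagnose; an explicit IllegalStateException with a message is kinder to callers. The rotation also copies every attribute, including what the comment calls the security key, unchanged into the new session; that matches the fixation goal stated in the Javadoc, but it deserves a sentence there so nobody assumes the key is rotated as well. The rewrite below keeps the attribute copy and restore loops exactly as they are.
```java
    public void reinitializeSession() {
        if (!(currentRequest instanceof HttpServletRequest)) {
            throw new IllegalStateException(
                    "reinitializeSession() can only be called while a servlet request is being handled");
        }

        HttpSession oldSession = getHttpSession();

        // … unchanged: copy of all attributes into attrs …

        // Set the flag so valueUnbound() does not close the application;
        // reset it in finally so a failing invalidate() cannot leave it stuck
        // and turn every later valueUnbound() (e.g. on timeout) into a no-op.
        reinitializingSession = true;
        try {
            oldSession.invalidate();
        } finally {
            reinitializingSession = false;
        }

        // Create a new session
        HttpSession newSession = ((HttpServletRequest) currentRequest)
                .getSession();

        // … unchanged: restore attributes into newSession, session = newSession …
    }
```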
+++ b/tests/src/com/vaadin/tests/applicationcontext/ChangeSessionId.java
@@ -0,0 +1,69 @@
+package com.vaadin.tests.applicationcontext;
+
+import com.vaadin.terminal.gwt.server.WebApplicationContext;
+import com.vaadin.tests.components.AbstractTestCase;
+import com.vaadin.tests.util.Log;
+import com.vaadin.ui.Button;
+import com.vaadin.ui.Button.ClickEvent;
+import com.vaadin.ui.Button.ClickListener;
+import com.vaadin.ui.Window;
+
+public class ChangeSessionId extends AbstractTestCase {
+
+ private Log log = new Log(5);
+ Button loginButton = new Button("Change session");
+ boolean requestSessionSwitch = false;
+
+ @Override
+ public void init() {
+ Window mainWindow = new Window("Sestest Application");
+ mainWindow.addComponent(log);
+ mainWindow.addComponent(loginButton);
+ mainWindow.addComponent(new Button("Show session id",
+ new Button.ClickListener() {
+
+ public void buttonClick(ClickEvent event) {
+ logSessionId();
+ }
+ }));
+ setMainWindow(mainWindow);
+
+ loginButton.addListener(new ClickListener() {
+ public void buttonClick(ClickEvent event) {
+ WebApplicationContext context = ((WebApplicationContext) getContext());
+
+ String oldSessionId = context.getHttpSession().getId();
+ context.reinitializeSession();
+ String newSessionId = context.getHttpSession().getId();
+ if (oldSessionId.equals(newSessionId)) {
+ log.log("FAILED! Both old and new session id is "
+ + newSessionId);
+ } else {
+ log.log("Session id changed successfully from "
+ + oldSessionId + " to " + newSessionId);
+ }
+
+ }
+ });
+ logSessionId();
+ }
+
+ private void logSessionId() {
+ log.log("Session id: " + getSessionId());
+ }
+
+ protected String getSessionId() {
+ return ((WebApplicationContext) getContext()).getHttpSession().getId();
+ }
+
+ @Override
+ protected String getDescription() {
+ return "Tests that the session id can be changed to prevent session fixation attacks";
+ }
+
+ @Override
+ protected Integer getTicketNumber() {
+ return 6094;
+ }
+
+}
\ No newline at end of file |
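Review bot: `boolean requestSessionSwitch = false;` near the top of ChangeSessionId is never read or written anywhere else in the file, so it is dead state and should be removed. The button held in `loginButton` is labelled "Change session" and performs no login, so `changeSessionButton` would describe it better. The click listener only checks that the two ids differ; a log line for a value stored before the switch would also cover the "same contents" half of the reinitializeSession() contract, though that is optional for a ticket reproducer.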