diff options
author | Leif Åstrand <leif@vaadin.com> | 2011-08-19 12:54:47 +0000 |
---|---|---|
committer | Leif Åstrand <leif@vaadin.com> | 2011-08-19 12:54:47 +0000 |
commit | 948aca0a6fceb8d9bcd659bc13926d2b95ac395d (patch) | |
tree | 62346b168919d4d7b8cc5844443b4431caf2127c /src/com/vaadin | |
parent | 2ff00c1bfdc5b62c7dca469d428fbef1a672ab52 (diff) | |
download | vaadin-framework-948aca0a6fceb8d9bcd659bc13926d2b95ac395d.tar.gz vaadin-framework-948aca0a6fceb8d9bcd659bc13926d2b95ac395d.zip |
#6094 Add a way to switch session key
svn changeset:20519/svn branch:6.7
Diffstat (limited to 'src/com/vaadin')
-rw-r--r-- | src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java | 11 | ||||
-rw-r--r-- | src/com/vaadin/terminal/gwt/server/WebApplicationContext.java | 71 |
2 files changed, 82 insertions, 0 deletions
diff --git a/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java b/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java index 49d40cbc62..79f2230588 100644 --- a/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java +++ b/src/com/vaadin/terminal/gwt/server/PortletApplicationContext.java @@ -95,6 +95,17 @@ public class PortletApplicationContext extends WebApplicationContext implements super.removeApplication(application); } + /** + * Reinitializing the session is not supported from portlets. + * + * @see com.vaadin.terminal.gwt.server.WebApplicationContext#reinitializeSession() + */ + @Override + public void reinitializeSession() { + throw new UnsupportedOperationException( + "Reinitializing the session is not supported from portlets"); + } + public void setPortletApplication(Portlet portlet, Application app) { portletToApplication.put(portlet, app); } diff --git a/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java b/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java index dbb44d51d2..89b6773815 100644 --- a/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java +++ b/src/com/vaadin/terminal/gwt/server/WebApplicationContext.java @@ -5,8 +5,12 @@ package com.vaadin.terminal.gwt.server; import java.io.File; +import java.util.Enumeration; +import java.util.HashMap; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; +import javax.servlet.http.HttpSessionBindingEvent; import javax.servlet.http.HttpSessionBindingListener; import com.vaadin.Application; @@ -26,6 +30,12 @@ import com.vaadin.Application; public class WebApplicationContext extends AbstractWebApplicationContext { protected transient HttpSession session; + private transient boolean reinitializingSession = false; + + /** + * Stores a reference to the currentRequest. Null it not inside a request. + */ + private transient Object currentRequest = null; /** * Creates a new Web Application Context. @@ -35,6 +45,67 @@ public class WebApplicationContext extends AbstractWebApplicationContext { } + @Override + protected void startTransaction(Application application, Object request) { + currentRequest = request; + super.startTransaction(application, request); + } + + @Override + protected void endTransaction(Application application, Object request) { + super.endTransaction(application, request); + currentRequest = null; + } + + @Override + public void valueUnbound(HttpSessionBindingEvent event) { + if (!reinitializingSession) { + // Avoid closing the application if we are only reinitializing the + // session. Closing the application would cause the state to be lost + // and a new application to be created, which is not what we want. + super.valueUnbound(event); + } + } + + /** + * Discards the current session and creates a new session with the same + * contents. The purpose of this is to introduce a new session key in order + * to avoid session fixation attacks. + */ + @SuppressWarnings("unchecked") + public void reinitializeSession() { + + HttpSession oldSession = getHttpSession(); + + // Stores all attributes (security key, reference to this context + // instance) so they can be added to the new session + HashMap<String, Object> attrs = new HashMap<String, Object>(); + for (Enumeration<String> e = oldSession.getAttributeNames(); e + .hasMoreElements();) { + String name = e.nextElement(); + attrs.put(name, oldSession.getAttribute(name)); + } + + // Invalidate the current session, set flag to avoid call to + // valueUnbound + reinitializingSession = true; + oldSession.invalidate(); + reinitializingSession = false; + + // Create a new session + HttpSession newSession = ((HttpServletRequest) currentRequest) + .getSession(); + + // Restores all attributes (security key, reference to this context + // instance) + for (String name : attrs.keySet()) { + newSession.setAttribute(name, attrs.get(name)); + } + + // Update the "current session" variable + session = newSession; + } + /** * Gets the application context base directory. * |