All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.undertow.servlet.spec.HttpSessionImpl Maven / Gradle / Ivy

The newest version!
/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

package io.undertow.servlet.spec;

import java.security.PrivilegedAction;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import jakarta.servlet.ServletContext;
import jakarta.servlet.http.HttpSession;

import io.undertow.server.session.Session;
import io.undertow.servlet.UndertowServletMessages;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.util.IteratorEnumeration;

/**
 * The HTTP session implementation.
 *
 * Note that for security reasons no attribute names that start with io.undertow are allowed.
 *
 * @author Stuart Douglas
 */
public class HttpSessionImpl implements HttpSession {

    private static final RuntimePermission PERMISSION = new RuntimePermission("io.undertow.servlet.spec.UNWRAP_HTTP_SESSION");

    public static final String IO_UNDERTOW = "io.undertow";
    private final Session session;
    private final ServletContext servletContext;
    private final boolean newSession;
    private volatile boolean invalid;
    private final ServletRequestContext servletRequestContext;

    private HttpSessionImpl(final Session session, final ServletContext servletContext, final boolean newSession, ServletRequestContext servletRequestContext) {
        this.session = session;
        this.servletContext = servletContext;
        this.newSession = newSession;
        this.servletRequestContext = servletRequestContext;
    }

    public static HttpSessionImpl forSession(final Session session, final ServletContext servletContext, final boolean newSession) {
        // forSession is called by privileged actions only so no need to do it again
        ServletRequestContext current = ServletRequestContext.current();
        if (current == null) {
            return new HttpSessionImpl(session, servletContext, newSession, null);
        } else {
            HttpSessionImpl httpSession = current.getSession();
            if (httpSession == null) {
                httpSession = new HttpSessionImpl(session, servletContext, newSession, current);
                current.setSession(httpSession);
            } else {
                if(httpSession.session != session) {
                    //in some rare cases it may be that there are two different service contexts involved in the one request
                    //in this case we just return a new session rather than using the thread local version
                    httpSession = new HttpSessionImpl(session, servletContext, newSession, current);
                }
            }
            return httpSession;
        }
    }

    @Override
    public long getCreationTime() {
        return session.getCreationTime();
    }

    @Override
    public String getId() {
        return session.getId();
    }

    @Override
    public long getLastAccessedTime() {
        return session.getLastAccessedTime();
    }

    @Override
    public ServletContext getServletContext() {
        return servletContext;
    }

    @Override
    public void setMaxInactiveInterval(final int interval) {
        session.setMaxInactiveInterval(interval);
    }

    @Override
    public int getMaxInactiveInterval() {
        return session.getMaxInactiveInterval();
    }

    @Override
    public Object getAttribute(final String name) {
        if(name.startsWith(IO_UNDERTOW)) {
            throw new SecurityException();
        }
        return session.getAttribute(name);
    }

    @Override
    public Enumeration getAttributeNames() {
        Set attributeNames = getFilteredAttributeNames();
        return new IteratorEnumeration<>(attributeNames.iterator());
    }

    private Set getFilteredAttributeNames() {
        Set attributeNames = new HashSet<>(session.getAttributeNames());
        Iterator it = attributeNames.iterator();
        while (it.hasNext()) {
            if(it.next().startsWith(IO_UNDERTOW)) {
                it.remove();
            }
        }
        return attributeNames;
    }

    @Override
    public void setAttribute(final String name, final Object value) {
        if(name.startsWith(IO_UNDERTOW)) {
            throw new SecurityException();
        }
        if (value == null) {
            removeAttribute(name);
        } else {
            session.setAttribute(name, value);
        }
    }

    @Override
    public void removeAttribute(final String name) {
        if(name.startsWith(IO_UNDERTOW)) {
            throw new SecurityException();
        }
        session.removeAttribute(name);
    }

    @Override
    public void invalidate() {
        invalid = true;
        if (servletRequestContext == null) {
            session.invalidate(null);
        } else {
            if(servletRequestContext.getOriginalRequest().getServletContext() == servletContext) {
                session.invalidate(servletRequestContext.getOriginalRequest().getExchange());
            } else {
                session.invalidate(null);
            }
        }
    }

    @Override
    public boolean isNew() {
        if (invalid) {
            throw UndertowServletMessages.MESSAGES.sessionIsInvalid();
        }
        return newSession;
    }

    public Session getSession() {
        SecurityManager sm = System.getSecurityManager();
        if(sm != null) {
            sm.checkPermission(PERMISSION);
        }
        return session;
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;

        HttpSessionImpl that = (HttpSessionImpl) o;

        return session.getId().equals(that.session.getId());

    }

    @Override
    public int hashCode() {
        return session.getId().hashCode();
    }

    public boolean isInvalid() {
        if(invalid) {
            return true;
        }
        try {
            //TODO: in 1.5 we need to add session.isValid()
            session.getMaxInactiveInterval();
            return false;
        } catch (IllegalStateException e) {
            return true;
        }
    }

    public static class UnwrapSessionAction implements PrivilegedAction {

        private final HttpSessionImpl session;

        public UnwrapSessionAction(HttpSession session) {
            this.session = (HttpSessionImpl) session;
        }

        @Override
        public Session run() {
            return session.getSession();
        }
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy