Session Fixation Security Issue(3)Local Cache Improvement

This post looks at one way of dealing with the session fixation problem and tries to implement a local cache for it. Code copied from an open-source project and adjusted for this scenario gives the cache lifetime management and carries session attributes across the session change.


Following what others have done, I try to implement this local cache in my demo project.

The code is copied from the Openfire repository, but I only want the local cache, so I removed the CacheFactory.java-related code from the DefaultCache class and renamed it LocalCache. What is left is a named cache with a maximum size and a maximum entry lifetime: entries whose lifetime has passed are dropped, and the cache is bounded so it cannot grow without limit.
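To make the two expiry rules concrete, here is an added illustration that is not the author's LocalCache and not Openfire's DefaultCache: a minimal cache with a name, a bound and a per-entry lifetime. It bounds the number of entries instead of the byte size (a simplification; the class name, the method names and the sample values in main are assumptions), evicts least-recently-used entries past the bound, and sweeps expired entries on every read so a stale value is never handed out even without a background thread.

```java
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the post or from Openfire.
// Bounds entry count rather than bytes; lifetime -1 means "never expires".
public class TinyExpiringCache<K, V> {

    private static final class Entry<V> {
        final V value;
        final long expiresAt;

        Entry(V value, long expiresAt) {
            this.value = value;
            this.expiresAt = expiresAt;
        }
    }

    private final String name;
    private final long maxLifetimeMs;
    private final LinkedHashMap<K, Entry<V>> map;

    public TinyExpiringCache(String name, final int maxEntries, long maxLifetimeMs) {
        this.name = name;
        this.maxLifetimeMs = maxLifetimeMs;
        // access-order LinkedHashMap: the eldest entry is the least recently used one
        this.map = new LinkedHashMap<K, Entry<V>>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<K, Entry<V>> eldest) {
                return size() > maxEntries;
            }
        };
    }

    public String getName() {
        return name;
    }

    public synchronized void put(K key, V value) {
        long expiresAt = maxLifetimeMs < 0 ? Long.MAX_VALUE
                : System.currentTimeMillis() + maxLifetimeMs;
        map.put(key, new Entry<V>(value, expiresAt));
    }

    public synchronized V get(K key) {
        deleteExpiredEntries();
        Entry<V> e = map.get(key);
        return e == null ? null : e.value;
    }

    public synchronized boolean containsKey(K key) {
        deleteExpiredEntries();
        return map.containsKey(key);
    }

    public synchronized V remove(K key) {
        Entry<V> e = map.remove(key);
        return e == null ? null : e.value;
    }

    public synchronized int size() {
        deleteExpiredEntries();
        return map.size();
    }

    // Drop every entry whose lifetime has passed. Called on each read, so an
    // expired value is invisible from the moment it expires.
    private void deleteExpiredEntries() {
        long now = System.currentTimeMillis();
        Iterator<Map.Entry<K, Entry<V>>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue().expiresAt <= now) {
                it.remove();
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // assumed sample values: at most 2 entries, each alive for 200 ms
        TinyExpiringCache<String, String> cache = new TinyExpiringCache<String, String>("demo", 2, 200);
        cache.put("a", "1");
        cache.put("b", "2");
        cache.put("c", "3"); // third entry pushes out "a", the least recently used
        System.out.println(cache.containsKey("a") + " " + cache.size()); // false 2
        Thread.sleep(300);
        System.out.println(cache.containsKey("b") + " " + cache.size()); // false 0
    }
}
```

The point of the sweep-on-read design is the one the session filter below depends on: whatever was cached under an old session id becomes unreachable once its lifetime is over, whether or not anything else touches the cache in the meantime.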

The test case for it is as follows:

package com.sillycat.easywebflow.core.localcache;

import org.junit.Test;
import org.springframework.util.Assert;

public class LocalCacheTest {

    @Test
    public void dummy() {
        Assert.isTrue(true);
    }

    @Test
    public void lifetime() throws InterruptedException {
        // name, maximum cache size in bytes (100 MB), maximum lifetime in ms (5 s)
        LocalCache<String, String> localCache = new LocalCache<String, String>(
                "test_name", 1024 * 1024 * 100, 5000);
        // The loop body and the assertions of this test were lost in extraction.
        // Reconstructed from the method name and the 5000 ms lifetime: entries
        // are visible right after put() and gone once the lifetime has passed.
        for (int i = 0; i < 10; i++) {
            localCache.put("key" + i, "value" + i);
        }
        Assert.isTrue(localCache.containsKey("key0"));
        Thread.sleep(6000);
        Assert.isTrue(!localCache.containsKey("key0"));
    }

}

The filter that uses the cache to carry session attributes across the session change (its class header, fields and imports were lost in extraction; what is reconstructed is marked in the comments):

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.sillycat.easywebflow.core.localcache.LocalCache;

// The class declaration and field declarations of this filter were lost in
// extraction; only the sessionLocalCache initialiser survived. The class name,
// the logger, the default of migrateSessionAttributes and the session cookie
// name are assumptions. CookieRequestWrapper is the author's own class and is
// not shown on this page.
public class SessionFixationFilter implements Filter {

    private static final Logger log = LoggerFactory
            .getLogger(SessionFixationFilter.class);

    // assumed: the container's default session cookie name
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    private boolean migrateSessionAttributes = true;

    // attribute maps keyed by the old session id: 100 MB, entries live 10 s
    private LocalCache<String, Map<String, Object>> sessionLocalCache = new LocalCache<String, Map<String, Object>>(
            "localSession", 1024 * 1024 * 100, 10000);

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {

        Thread currentThread = Thread.currentThread();
        String threadName = currentThread.getName();

        if (!(servletRequest instanceof HttpServletRequest)) {
            log.error("Can only process HttpServletRequest");
            throw new ServletException("Can only process HttpServletRequest");
        }

        if (!(servletResponse instanceof HttpServletResponse)) {
            log.error("Can only process HttpServletResponse");
            throw new ServletException("Can only process HttpServletResponse");
        }

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // read cookie
        Cookie[] cookies_array = request.getCookies();
        String sessionId_fromCookie = "";
        if (cookies_array != null && cookies_array.length > 0) {
            for (int i = 0; i < cookies_array.length; i++) {
                // loop body lost in extraction; reconstructed: pick up the
                // session id the browser sent, even if the container no longer
                // knows that session
                if (SESSION_COOKIE_NAME.equals(cookies_array[i].getName())) {
                    sessionId_fromCookie = cookies_array[i].getValue();
                }
            }
        }

        Map<String, Object> attributesToMigrate = null;

        // get session
        HttpSession session = request.getSession(false);

        if (session == null && !request.isRequestedSessionIdValid()) {
            log.debug(threadName
                    + " there is no current session; sessionId_fromCookie="
                    + sessionId_fromCookie);
        }

        String originalSessionId = "";

        if (session != null && request.isRequestedSessionIdValid()) {
            originalSessionId = session.getId();
            // save the attributes in a map
            if (migrateSessionAttributes) {
                attributesToMigrate = new HashMap<String, Object>();
                Enumeration<?> enumer = session.getAttributeNames();
                while (enumer.hasMoreElements()) {
                    try {
                        String key = (String) enumer.nextElement();
                        attributesToMigrate.put(key, session.getAttribute(key));
                    } catch (Exception e) {
                        log.error(threadName + " error message " + e
                                + " sessionId=" + originalSessionId);
                    }
                }
                sessionLocalCache.put(originalSessionId, attributesToMigrate);
            }
        } else {
            // no live session: fall back to whatever id the cookie carried
            originalSessionId = sessionId_fromCookie;
        }

        // kill the old session
        if (session != null && request.isRequestedSessionIdValid()) {
            if (log.isDebugEnabled()) {
                log.debug(threadName + " Invalidating session with Id "
                        + originalSessionId + " start!");
            }
            session.invalidate();
            if (log.isDebugEnabled()) {
                log.debug(threadName + " Invalidating session with Id "
                        + originalSessionId + " end!");
            }
            // session.setMaxInactiveInterval(10);
        }

        session = request.getSession(true); // we now have a new session
        if (log.isDebugEnabled()) {
            log.debug(threadName + " Started new session: " + session.getId());
        }

        if (sessionLocalCache.containsKey(originalSessionId)) {
            log.debug(threadName + " getting session value from map: "
                    + originalSessionId);
            attributesToMigrate = sessionLocalCache.get(originalSessionId);
        }
        // migrate the attributes to the new session
        if (attributesToMigrate != null) {
            for (Map.Entry<String, Object> entry : attributesToMigrate.entrySet()) {
                try {
                    session.setAttribute(entry.getKey(), entry.getValue());
                } catch (Exception e) {
                    log.error(threadName + " error message " + e
                            + " new SessionId=" + session.getId());
                }
            }
            log.debug(threadName + " merged the data into new session ="
                    + session.getId());
        }

        // CookieRequestWrapper is the author's class; it is not shown on this page
        CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(request);
        wrapperRequest.setResponse(response);
        chain.doFilter(wrapperRequest, response);
    }

    public void destroy() {

    }

    public boolean isMigrateSessionAttributes() {
        return migrateSessionAttributes;
    }

    public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
        this.migrateSessionAttributes = migrateSessionAttributes;
    }

}

Managing sessions like this is strange, and it is not the recommended way. Two things stand out in the filter above: the session is invalidated and recreated on every request rather than only when the user authenticates, and when no live session exists the cache lookup is keyed by the raw cookie value, so any attribute map still in the cache is handed to whoever presents that old ID within its 10-second lifetime.
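For contrast, here is the usual shape of a session-fixation fix, as an added example that is not code from the post: rotate the session identifier once, at the privilege change (login), and carry the attributes across in the same thread for that one request, so nothing is ever keyed by the old id and nothing outlives the request. The class and method names, the "principal" attribute name and the two-method split are assumptions; the servlet calls used (getSession, invalidate, getAttributeNames, setAttribute, changeSessionId) are standard API.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not the author's code. Names are assumptions.
public final class SessionIdRotation {

    private SessionIdRotation() {
    }

    /**
     * Servlet 3.1 and later: keep the session object and its attributes, issue
     * a new identifier and retire the old one in the container. changeSessionId
     * needs a current session, so one is created if the request has none yet.
     */
    public static String rotateInPlace(HttpServletRequest request) {
        request.getSession(true);
        return request.changeSessionId();
    }

    /**
     * Servlet 3.0 and earlier: copy the attributes into a local map, invalidate
     * the old session, create the new one and put the attributes back. The copy
     * lives only on this thread for this request; there is no shared cache to
     * look up by the old id.
     */
    public static HttpSession rotateByRecreate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Call once, right after the credentials have been verified and before the
     * authenticated principal is stored: the id an attacker may have planted in
     * the browser is retired, and the logged-in state only ever exists under an
     * id the attacker has not seen.
     */
    public static void onLoginSuccess(HttpServletRequest request, Object principal) {
        rotateInPlace(request); // use rotateByRecreate(request) on an older container
        request.getSession(false).setAttribute("principal", principal);
    }
}
```

Rotating on every request, as the filter above does, adds nothing against fixation beyond the first rotation after login, and it makes concurrent requests from the same browser each invalidate and recreate the session, which is the situation the 10-second cache is there to survive. Rotating once at the authentication boundary avoids both problems.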

references:
http://hi.baidu.com/iburu/item/61b4e5144ff792f8ddeecacd
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/DefaultCache.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/LinkedList.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/LinkedListNode.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/Cache.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/CacheSizes.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/Cacheable.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/CannotCalculateSizeException.java

