Session Fixation Security Issue(3)Local Cache Improvement

Session Fixation Security Issue(3)Local Cache Improvement

Just learning from others, I tried to implement this local cache in my demo project.

I just copied the code from the Openfire repository, but I only want to use the local cache, so I removed the code that depends on CacheFactory.java from the DefaultCache class and renamed it to LocalCache.

The test case for it is as follows:
package com.sillycat.easywebflow.core.localcache;

import org.junit.Test;
import org.springframework.util.Assert;

public class LocalCacheTest {

/** Sanity-check case: asserts a constant so the suite always contains one passing test. */
@Test
public void dummy() {
final boolean alwaysTrue = true;
Assert.isTrue(alwaysTrue);
}

@Test
public void lifetime() throws InterruptedException {
LocalCache<string string> localCache = new LocalCache<string string>(
"test_name", 1024 * 1024 * 100, 5000);
for (int i = 0; i > sessionLocalCache = new LocalCache<string map object>>(
"localSession", 1024 * 1024 * 100, 10000);

/**
 * No-op: {@code filterConfig} is ignored. The cache is created inline on its field and
 * the migrate flag is set through {@code setMigrateSessionAttributes}.
 *
 * @param filterConfig unused
 * @throws ServletException never thrown here
 */
public void init(FilterConfig filterConfig) throws ServletException {
}

/**
 * Rotates the HTTP session on every request that reaches this filter: the attributes of
 * the current session are copied into {@code sessionLocalCache} under the old session id,
 * the old session is invalidated, a fresh session is created and the cached attributes
 * are copied into it. There is no condition tied to authentication, so the rotation
 * happens on each call.
 * <p>
 * NOTE(review): when the request carries no valid session, the cache key falls back to
 * the raw session id read from the cookie, and this method never removes an entry after
 * migrating it. Until the cache itself drops the entry (presumably the third constructor
 * argument, 10000, is an expiry in milliseconds, judging by the lifetime() test; confirm),
 * any request presenting the old id receives the old session's attributes in a brand-new
 * session, which undercuts the protection the rotation is meant to provide. Removing the
 * entry right after migration, and rotating only at login, would close that window.
 * <p>
 * The cookie loop in the "read cookie" section is garbled in this listing: the cookie
 * name it matches and the declaration of {@code attributesToMigrate} are lost.
 *
 * @param servletRequest must be an {@link HttpServletRequest}
 * @param serlvetResponse must be an {@link HttpServletResponse}
 * @param chain the remaining filter chain, invoked with a {@code CookieRequestWrapper}
 *        around the request (the wrapper's behaviour is not shown here)
 * @throws ServletException if either argument is not the HTTP variant
 * @throws IOException propagated from the rest of the chain
 */
public void doFilter(ServletRequest servletRequest,
ServletResponse serlvetResponse, FilterChain chain)
throws IOException, ServletException {

// The thread name is only used as a prefix in the log messages below.
Thread currentThread = Thread.currentThread();
String threadName = currentThread.getName();

// Reject non-HTTP traffic before the casts below.
if (!(servletRequest instanceof HttpServletRequest)) {
log.error("Can only process HttpServletRequest");
throw new ServletException("Can only process HttpServletRequest");
}

if (!(serlvetResponse instanceof HttpServletResponse)) {
log.error("Can only process HttpServletResponse");
throw new ServletException("Can only process HttpServletResponse");
}

HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) serlvetResponse;

// Read the session id straight from the request cookies. This value is attacker-supplied;
// it is later used as a cache key when the container reports no valid session.
// The loop below is garbled in this listing (its body and the following declaration of
// attributesToMigrate were lost during extraction).
Cookie[] cookies_array = request.getCookies();
String sessionId_fromCookie = "";
if (cookies_array != null && cookies_array.length > 0) {
for (int i = 0; i  attributesToMigrate = null;

// Fetch the existing session without creating one.
HttpSession session = request.getSession(false);

// Debug-only: there is no early return, processing continues with an empty session.
if (session == null && request.isRequestedSessionIdValid() == false) {
log.debug(threadName
+ " how did this happen, there is no session!!!!!!!!!!!! + sessionId_fromCookie="
+ sessionId_fromCookie);
}

String originalSessionId = "";

if (session != null && request.isRequestedSessionIdValid() != false) {
originalSessionId = session.getId();
// Snapshot every attribute of the current session so it can be carried over.
if (migrateSessionAttributes) {
attributesToMigrate = new HashMap<string object>();
Enumeration> enumer = session.getAttributeNames();
while (enumer.hasMoreElements()) {
try {
String key = (String) enumer.nextElement();
// Re-checks the guard already established by the enclosing if; redundant unless the
// session can be invalidated concurrently by another request.
if (session != null
&& request.isRequestedSessionIdValid() != false) {
attributesToMigrate.put(key,
session.getAttribute(key));
}
} catch (Exception e) {
// Best-effort: a failing attribute is logged and skipped, the rest still migrate.
log.error(threadName + " error message " + e
+ " sessionId=" + originalSessionId);
}
}
// Stored under the OLD id; nothing in this method removes it again.
sessionLocalCache.put(originalSessionId, attributesToMigrate);
}
} else {
// No valid session: trust the cookie value as the key for the cache lookup below.
originalSessionId = sessionId_fromCookie;
}

// Invalidate the old session so its id can no longer be used.
if (session != null && request.isRequestedSessionIdValid() != false) {
if (log.isDebugEnabled()) {
log.debug(threadName + " Invalidating session with Id "
+ originalSessionId + " start!");
}
session.invalidate();
if (log.isDebugEnabled()) {
log.debug(threadName + "Invalidating session with Id "
+ originalSessionId + " end!");
}
// session.setMaxInactiveInterval(10);
}

session = request.getSession(true); // we now have a new session
if (log.isDebugEnabled()) {
log.debug(threadName + "Started new session: " + session.getId());
}

// Cache lookup runs in both paths: after a rotation (originalSessionId came from the
// invalidated session) and when only the cookie supplied an id. The cast assumes the
// stored value is the HashMap put above; the cache's declared value type is not visible here.
if (sessionLocalCache.containsKey(originalSessionId)) {
log.debug(threadName + "getting session value from map: "
+ originalSessionId);
attributesToMigrate = (HashMap<string object>) sessionLocalCache
.get(originalSessionId);
}
// Copy the snapshot into the new session, one attribute at a time.
if (attributesToMigrate != null) {
Iterator> iter = attributesToMigrate.entrySet().iterator();
while (iter.hasNext()) {
Map.Entry, ?> entry = (Entry, ?>) iter.next();
try {
session.setAttribute((String) entry.getKey(),
entry.getValue());
} catch (Exception e) {
// Best-effort, mirrors the snapshot loop: log and continue with the next attribute.
log.error(threadName + " error message " + e
+ " new SessionId=" + session.getId());
}
}
log.debug(threadName + " merge the data into new session ="
+ session.getId());
}

// Hand the wrapped request down the chain; CookieRequestWrapper is defined elsewhere
// and is given the response, presumably to rewrite the session cookie — confirm.
CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(request);
wrapperRequest.setResponse(response);
chain.doFilter(wrapperRequest, response);
}

/**
 * No-op: nothing is released on shutdown. In particular {@code sessionLocalCache} is not
 * cleared here, so any entries it still holds live as long as the cache itself does.
 */
public void destroy() {

}

/**
 * Tells whether the old session's attributes are copied into the newly created session.
 *
 * @return the current value of the migrate flag
 */
public boolean isMigrateSessionAttributes() {
return this.migrateSessionAttributes;
}

/**
 * Enables or disables copying the old session's attributes into the new session.
 * When disabled, doFilter still rotates the session but stores nothing in the cache.
 *
 * @param migrateSessionAttributes {@code true} to carry attributes across the rotation
 */
public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
this.migrateSessionAttributes = migrateSessionAttributes;
}

}

It is weird to manage sessions like this; it is not a recommended way.

references:
http://hi.baidu.com/iburu/item/61b4e5144ff792f8ddeecacd
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/DefaultCache.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/LinkedList.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/LinkedListNode.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/Cache.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/CacheSizes.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/Cacheable.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/CannotCalculateSizeException.java


