Session Fixation Security Issue(3)Local Cache Improvement

sillycat

浏览: 2552532 次
性别:
来自: 成都

最近访客更多访客>>

huageng520

learnmore

u012363178

ymgjava

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

JAVA

Session Fixation Security Issue(3)Local Cache Improvement

Just learn from others, try to implement this local cache in my demo project.

Just copy the codes from the openfire repository, but I only want to use the local cache. So I remove some codes about CacheFactory.java from DefaultCache class and rename it to LocalCache.

The test case for it is as follow:
package com.sillycat.easywebflow.core.localcache;

import org.junit.Test;
import org.springframework.util.Assert;

public class LocalCacheTest {

@Test
public void dummy() {
Assert.isTrue(true);
}

@Test
public void lifetime() throws InterruptedException {
LocalCache<string string> localCache = new LocalCache<string string>(
"test_name", 1024 * 1024 * 100, 5000);
for (int i = 0; i &gt; sessionLocalCache = new LocalCache<string map object>&gt;(
"localSession", 1024 * 1024 * 100, 10000);

public void init(FilterConfig filterConfig) throws ServletException {
}

public void doFilter(ServletRequest servletRequest,
ServletResponse serlvetResponse, FilterChain chain)
throws IOException, ServletException {

Thread currentThread = Thread.currentThread();
String threadName = currentThread.getName();

if (!(servletRequest instanceof HttpServletRequest)) {
log.error("Can only process HttpServletRequest");
throw new ServletException("Can only process HttpServletRequest");
}

if (!(serlvetResponse instanceof HttpServletResponse)) {
log.error("Can only process HttpServletResponse");
throw new ServletException("Can only process HttpServletResponse");
}

HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) serlvetResponse;

// read cookie
Cookie[] cookies_array = request.getCookies();
String sessionId_fromCookie = "";
if (cookies_array != null &amp;&amp; cookies_array.length &gt; 0) {
for (int i = 0; i attributesToMigrate = null;

// get session
HttpSession session = request.getSession(false);

if (session == null &amp;&amp; request.isRequestedSessionIdValid() == false) {
log.debug(threadName
+ " how did this happen, there is no session!!!!!!!!!!!! + sessionId_fromCookie="
+ sessionId_fromCookie);
}

String originalSessionId = "";

if (session != null &amp;&amp; request.isRequestedSessionIdValid() != false) {
originalSessionId = session.getId();
// save the attributes in map
if (migrateSessionAttributes) {
attributesToMigrate = new HashMap<string object>();
Enumeration&gt; enumer = session.getAttributeNames();
while (enumer.hasMoreElements()) {
try {
String key = (String) enumer.nextElement();
if (session != null
&amp;&amp; request.isRequestedSessionIdValid() != false) {
attributesToMigrate.put(key,
session.getAttribute(key));
}
} catch (Exception e) {
log.error(threadName + " error message " + e
+ " sessionId=" + originalSessionId);
}
}
sessionLocalCache.put(originalSessionId, attributesToMigrate);
}
} else {
originalSessionId = sessionId_fromCookie;
}

// kill the old session
if (session != null &amp;&amp; request.isRequestedSessionIdValid() != false) {
if (log.isDebugEnabled()) {
log.debug(threadName + " Invalidating session with Id "
+ originalSessionId + " start!");
}
session.invalidate();
if (log.isDebugEnabled()) {
log.debug(threadName + "Invalidating session with Id "
+ originalSessionId + " end!");
}
// session.setMaxInactiveInterval(10);
}

session = request.getSession(true); // we now have a new session
if (log.isDebugEnabled()) {
log.debug(threadName + "Started new session: " + session.getId());
}

if (sessionLocalCache.containsKey(originalSessionId)) {
log.debug(threadName + "getting session value from map: "
+ originalSessionId);
attributesToMigrate = (HashMap<string object>) sessionLocalCache
.get(originalSessionId);
}
// migrate the attribute to new session
if (attributesToMigrate != null) {
Iterator&gt; iter = attributesToMigrate.entrySet().iterator();
while (iter.hasNext()) {
Map.Entry, ?&gt; entry = (Entry, ?&gt;) iter.next();
try {
session.setAttribute((String) entry.getKey(),
entry.getValue());
} catch (Exception e) {
log.error(threadName + " error message " + e
+ " new SessionId=" + session.getId());
}
}
log.debug(threadName + " merge the data into new session ="
+ session.getId());
}

CookieRequestWrapper wrapperRequest = new CookieRequestWrapper(request);
wrapperRequest.setResponse(response);
chain.doFilter(wrapperRequest, response);
}

public void destroy() {

}

public boolean isMigrateSessionAttributes() {
return migrateSessionAttributes;
}

public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
this.migrateSessionAttributes = migrateSessionAttributes;
}

}

It is weird to manage session like this. It is not recommended way.

references:
http://hi.baidu.com/iburu/item/61b4e5144ff792f8ddeecacd
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/DefaultCache.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/LinkedList.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/LinkedListNode.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/Cache.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/CacheSizes.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/Cacheable.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/cache/CannotCalculateSizeException.java

</string></string></string></string></string>

分享到：

Session Fixation Security Issue(4)Verify ... | Session Fixation Security Issue(2)Sessio ...

2012-06-26 17:31
浏览 1190
评论(0)
分类:企业架构
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论