Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/jetty-9.4.x' into jetty-10.0.x

This commit is contained in:
Jan Bartel 2019-10-16 14:13:33 +11:00
parent 8f1975cc04 92c8bb8dd5
commit b25a5ca9c7
5 changed files with 260 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionHandler.java
View File

@ -44,6 +44,7 @@ import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;
import org.eclipse.jetty.http.BadMessageException;
import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
@ -1618,13 +1619,34 @@ public class SessionHandler extends ScopedHandler
{
if (sessionCookie.equalsIgnoreCase(cookies[i].getName()))
{
requestedSessionId = cookies[i].getValue();
String id = cookies[i].getValue();
requestedSessionIdFromCookie = true;
if (LOG.isDebugEnabled())
LOG.debug("Got Session ID {} from cookie {}", requestedSessionId, sessionCookie);
if (requestedSessionId != null)
LOG.debug("Got Session ID {} from cookie {}", id, sessionCookie);
HttpSession s = getHttpSession(id);
if (requestedSessionId == null)
{
break;
//no previous id, always accept this one
requestedSessionId = id;
session = s;
}
else if (requestedSessionId.equals(id))
{
//really a bad request, but will forgive the duplication
}
else if (session == null || !isValid(session))
{
//no previous session or invalid, accept this one
requestedSessionId = id;
session = s;
}
else
{
//previous session is valid, use it unless both valid
if (s != null && isValid(s))
throw new BadMessageException("Duplicate valid session cookies: " + requestedSessionId + "," + id);
}
}
}
@ -1655,6 +1677,7 @@ public class SessionHandler extends ScopedHandler
requestedSessionIdFromCookie = false;
if (LOG.isDebugEnabled())
LOG.debug("Got Session ID {} from URL", requestedSessionId);
session = getHttpSession(requestedSessionId);
}
}
}
@ -1664,11 +1687,10 @@ public class SessionHandler extends ScopedHandler
if (requestedSessionId != null)
{
session = getHttpSession(requestedSessionId);
if (session != null && isValid(session))
{
baseRequest.enterSession(session); //request enters this session for first time
baseRequest.setSession(session);
baseRequest.setSession(session); //associate the session with the request
}
}
}

5
tests/test-sessions/test-sessions-common/src/main/java/org/eclipse/jetty/server/session/AbstractClusteredInvalidationSessionTest.java
View File

@ -103,8 +103,6 @@ public abstract class AbstractClusteredInvalidationSessionTest extends AbstractT
assertEquals(HttpServletResponse.SC_OK, response1.getStatus());
String sessionCookie = response1.getHeaders().get("Set-Cookie");
assertTrue(sessionCookie != null);
// Mangle the cookie, replacing Path with $Path, etc.
sessionCookie = sessionCookie.replaceFirst("(\\W)(P|p)ath=", "$1\\$Path=");
//ensure request is fully finished processing
latch.await(5, TimeUnit.SECONDS);
@ -113,7 +111,6 @@ public abstract class AbstractClusteredInvalidationSessionTest extends AbstractT
latch = new CountDownLatch(1);
scopeListener.setExitSynchronizer(latch);
Request request2 = client.newRequest(urls[1] + "?action=increment");
request2.header("Cookie", sessionCookie);
ContentResponse response2 = request2.send();
assertEquals(HttpServletResponse.SC_OK, response2.getStatus());
@ -153,6 +150,8 @@ public abstract class AbstractClusteredInvalidationSessionTest extends AbstractT
public static class TestServlet extends HttpServlet
{
private static final long serialVersionUID = 1L;
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{

6
tests/test-sessions/test-sessions-common/src/main/java/org/eclipse/jetty/server/session/AbstractClusteredSessionScavengingTest.java
View File

@ -117,6 +117,7 @@ public abstract class AbstractClusteredSessionScavengingTest extends AbstractTes
assertTrue(response1.getContentAsString().startsWith("init"));
String sessionCookie = response1.getHeaders().get("Set-Cookie");
assertTrue(sessionCookie != null);
String id = TestServer.extractSessionId(sessionCookie);
//ensure request has finished being handled
synchronizer.await(5, TimeUnit.SECONDS);
@ -124,9 +125,7 @@ public abstract class AbstractClusteredSessionScavengingTest extends AbstractTes
assertEquals(1, ((DefaultSessionCache)m1.getSessionCache()).getSessionsCurrent());
assertEquals(1, ((DefaultSessionCache)m1.getSessionCache()).getSessionsMax());
assertEquals(1, ((DefaultSessionCache)m1.getSessionCache()).getSessionsTotal());
// Mangle the cookie, replacing Path with $Path, etc.
sessionCookie = sessionCookie.replaceFirst("(\\W)(P|p)ath=", "$1\\$Path=");
String id = TestServer.extractSessionId(sessionCookie);
//Peek at the contents of the cache without doing all the reference counting etc
Session s1 = ((AbstractSessionCache)m1.getSessionCache()).doGet(id);
@ -144,7 +143,6 @@ public abstract class AbstractClusteredSessionScavengingTest extends AbstractTes
synchronizer = new CountDownLatch(1);
scopeListener2.setExitSynchronizer(synchronizer);
Request request = client.newRequest("http://localhost:" + port2 + contextPath + servletMapping.substring(1));
request.header("Cookie", sessionCookie); //use existing session
ContentResponse response2 = request.send();
assertEquals(HttpServletResponse.SC_OK, response2.getStatus());
assertTrue(response2.getContentAsString().startsWith("test"));

5
tests/test-sessions/test-sessions-common/src/test/java/org/eclipse/jetty/server/session/ClientCrossContextSessionTest.java
View File

@ -82,12 +82,11 @@ public class ClientCrossContextSessionTest
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
String sessionCookie = response.getHeaders().get("Set-Cookie");
assertTrue(sessionCookie != null);
// Mangle the cookie, replacing Path with $Path, etc.
sessionCookie = sessionCookie.replaceFirst("(\\W)(P|p)ath=", "$1\\$Path=");
String sessionId = TestServer.extractSessionId(sessionCookie);
// Perform a request to contextB with the same session cookie
Request request = client.newRequest("http://localhost:" + port + contextB + servletMapping);
request.header("Cookie", sessionCookie);
request.header("Cookie", "JSESSIONID=" + sessionId);
ContentResponse responseB = request.send();
assertEquals(HttpServletResponse.SC_OK, responseB.getStatus());
assertEquals(servletA.sessionId, servletB.sessionId);

226
tests/test-sessions/test-sessions-common/src/test/java/org/eclipse/jetty/server/session/DuplicateCookieTest.java Normal file
View File

@ -0,0 +1,226 @@
//
// ========================================================================
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.server.session;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.StacklessLogging;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
/**
* Test having multiple session cookies in a request.
*/
public class DuplicateCookieTest
{
@Test
public void testMultipleSessionCookiesOnlyOneExists() throws Exception
{
String contextPath = "";
String servletMapping = "/server";
HttpClient client = null;
DefaultSessionCacheFactory cacheFactory = new DefaultSessionCacheFactory();
SessionDataStoreFactory storeFactory = new TestSessionDataStoreFactory();
TestServer server1 = new TestServer(0, -1, -1, cacheFactory, storeFactory);
TestServlet servlet = new TestServlet();
ServletHolder holder = new ServletHolder(servlet);
ServletContextHandler contextHandler = server1.addContext(contextPath);
contextHandler.addServlet(holder, servletMapping);
server1.start();
int port1 = server1.getPort();
try (StacklessLogging stackless = new StacklessLogging(Log.getLogger("org.eclipse.jetty.server.session")))
{
//create a valid session
createUnExpiredSession(contextHandler.getSessionHandler().getSessionCache(),
contextHandler.getSessionHandler().getSessionCache().getSessionDataStore(),
"4422");
client = new HttpClient();
client.start();
//make a request with another session cookie in there that does not exist
Request request = client.newRequest("http://localhost:" + port1 + contextPath + servletMapping + "?action=check");
request.header("Cookie", "JSESSIONID=123"); //doesn't exist
request.header("Cookie", "JSESSIONID=4422"); //does exist
ContentResponse response = request.send();
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
assertEquals("4422", response.getContentAsString());
}
finally
{
server1.stop();
client.stop();
}
}
@Test
public void testMultipleSessionCookiesOnlyOneValid() throws Exception
{
String contextPath = "";
String servletMapping = "/server";
HttpClient client = null;
DefaultSessionCacheFactory cacheFactory = new DefaultSessionCacheFactory();
SessionDataStoreFactory storeFactory = new TestSessionDataStoreFactory();
TestServer server1 = new TestServer(0, -1, -1, cacheFactory, storeFactory);
TestServlet servlet = new TestServlet();
ServletHolder holder = new ServletHolder(servlet);
ServletContextHandler contextHandler = server1.addContext(contextPath);
contextHandler.addServlet(holder, servletMapping);
server1.start();
int port1 = server1.getPort();
try (StacklessLogging stackless = new StacklessLogging(Log.getLogger("org.eclipse.jetty.server.session")))
{
//create a valid session
createUnExpiredSession(contextHandler.getSessionHandler().getSessionCache(),
contextHandler.getSessionHandler().getSessionCache().getSessionDataStore(),
"1122");
//create an invalid session
createInvalidSession(contextHandler.getSessionHandler().getSessionCache(),
contextHandler.getSessionHandler().getSessionCache().getSessionDataStore(),
"2233");
client = new HttpClient();
client.start();
//make a request with another session cookie in there that is not valid
Request request = client.newRequest("http://localhost:" + port1 + contextPath + servletMapping + "?action=check");
request.header("Cookie", "JSESSIONID=1122"); //is valid
request.header("Cookie", "JSESSIONID=2233"); //is invalid
ContentResponse response = request.send();
assertEquals(HttpServletResponse.SC_OK, response.getStatus());
assertEquals("1122", response.getContentAsString());
}
finally
{
server1.stop();
client.stop();
}
}
@Test
public void testMultipleSessionCookiesMultipleExists() throws Exception
{
String contextPath = "";
String servletMapping = "/server";
HttpClient client = null;
DefaultSessionCacheFactory cacheFactory = new DefaultSessionCacheFactory();
SessionDataStoreFactory storeFactory = new TestSessionDataStoreFactory();
TestServer server1 = new TestServer(0, -1, -1, cacheFactory, storeFactory);
TestServlet servlet = new TestServlet();
ServletHolder holder = new ServletHolder(servlet);
ServletContextHandler contextHandler = server1.addContext(contextPath);
contextHandler.addServlet(holder, servletMapping);
server1.start();
int port1 = server1.getPort();
try (StacklessLogging stackless = new StacklessLogging(Log.getLogger("org.eclipse.jetty.server.session")))
{
//create some of unexpired sessions
createUnExpiredSession(contextHandler.getSessionHandler().getSessionCache(),
contextHandler.getSessionHandler().getSessionCache().getSessionDataStore(),
"1234");
createUnExpiredSession(contextHandler.getSessionHandler().getSessionCache(),
contextHandler.getSessionHandler().getSessionCache().getSessionDataStore(),
"5678");
createUnExpiredSession(contextHandler.getSessionHandler().getSessionCache(),
contextHandler.getSessionHandler().getSessionCache().getSessionDataStore(),
"9111");
client = new HttpClient();
client.start();
//make a request with multiple valid session ids
Request request = client.newRequest("http://localhost:" + port1 + contextPath + servletMapping + "?action=check");
request.header("Cookie", "JSESSIONID=1234");
request.header("Cookie", "JSESSIONID=5678");
ContentResponse response = request.send();
assertEquals(HttpServletResponse.SC_BAD_REQUEST, response.getStatus());
}
finally
{
server1.stop();
client.stop();
}
}
public Session createUnExpiredSession(SessionCache cache, SessionDataStore store, String id) throws Exception
{
long now = System.currentTimeMillis();
SessionData data = store.newSessionData(id, now - 20, now - 10, now - 20, TimeUnit.MINUTES.toMillis(10));
data.setExpiry(now + TimeUnit.DAYS.toMillis(1));
Session s = cache.newSession(data);
cache.add(id, s);
return s;
}
public Session createInvalidSession(SessionCache cache, SessionDataStore store, String id) throws Exception
{
Session session = createUnExpiredSession(cache, store, id);
session._state = Session.State.INVALID;
return session;
}
public static class TestServlet extends HttpServlet
{
private static final long serialVersionUID = 1L;
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse httpServletResponse) throws ServletException, IOException
{
String action = request.getParameter("action");
if (StringUtil.isBlank(action))
return;
if (action.equalsIgnoreCase("check"))
{
HttpSession session = request.getSession(false);
assertNotNull(session);
httpServletResponse.getWriter().print(session.getId());
}
else if (action.equalsIgnoreCase("create"))
{
request.getSession(true);
}
}
}
}