Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/12/07 17:14:20 UTC

[tomcat] 17/18: Fix back-port of atomic session ID rotation. Replace default method.

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit d9a1db799cc30d5bce796e3836bbd837531ce79e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 22:10:29 2019 +0000

    Fix back-port of atomic session ID rotation. Replace default method.
---
 java/org/apache/catalina/Manager.java             | 33 -----------------------
 java/org/apache/catalina/connector/Request.java   | 27 ++++++++++++++++++-
 java/org/apache/catalina/session/ManagerBase.java |  1 -
 3 files changed, 26 insertions(+), 35 deletions(-)

diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 0fe745b..4c8275f 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,44 +215,11 @@ public interface Manager {
      * session ID.
      *
      * @param session   The session to change the session ID for
-     *
-     * @deprecated Use {@link #rotateSessionId(Session)}.
-     *             Will be removed in Tomcat 10
      */
-    @Deprecated
     public void changeSessionId(Session session);
 
 
     /**
-     * Change the session ID of the current session to a new randomly generated
-     * session ID.
-     *
-     * @param session   The session to change the session ID for
-     *
-     * @return  The new session ID
-     */
-    public default String rotateSessionId(Session session) {
-        String newSessionId = null;
-        // Assume there new Id is a duplicate until we prove it isn't. The
-        // chances of a duplicate are extremely low but the current ManagerBase
-        // code protects against duplicates so this default method does too.
-        boolean duplicate = true;
-        do {
-            newSessionId = getSessionIdGenerator().generateSessionId();
-            try {
-                if (findSession(newSessionId) == null) {
-                    duplicate = false;
-                }
-            } catch (IOException ioe) {
-                // Swallow. An IOE means the ID was known so continue looping
-            }
-        } while (duplicate);
-        changeSessionId(session, newSessionId);
-        return newSessionId;
-    }
-
-
-    /**
      * Change the session ID of the current session to a specified session ID.
      *
      * @param session   The session to change the session ID for
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 954aa3e..d606c2b 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -83,6 +83,7 @@ import org.apache.catalina.core.AsyncContextImpl;
 import org.apache.catalina.mapper.MappingData;
 import org.apache.catalina.servlet4preview.http.HttpServletMapping;
 import org.apache.catalina.servlet4preview.http.PushBuilder;
+import org.apache.catalina.session.ManagerBase;
 import org.apache.catalina.util.ParameterMap;
 import org.apache.catalina.util.TLSUtil;
 import org.apache.catalina.util.URLEncoder;
@@ -2698,12 +2699,36 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
 
         Manager manager = this.getContext().getManager();
 
-        String newSessionId = manager.rotateSessionId(session);
+        String newSessionId = rotateSessionId(manager, session);
         this.changeSessionId(newSessionId);
 
         return newSessionId;
     }
 
+    private String rotateSessionId(Manager manager, Session sessiom) {
+        if (manager instanceof ManagerBase) {
+            return ((ManagerBase) manager).rotateSessionId(sessiom);
+        } else {
+            String newSessionId = null;
+            // Assume there new Id is a duplicate until we prove it isn't. The
+            // chances of a duplicate are extremely low but the current ManagerBase
+            // code protects against duplicates so this method does too.
+            boolean duplicate = true;
+            do {
+                newSessionId = manager.getSessionIdGenerator().generateSessionId();
+                try {
+                    if (manager.findSession(newSessionId) == null) {
+                        duplicate = false;
+                    }
+                } catch (IOException ioe) {
+                    // Swallow. An IOE means the ID was known so continue looping
+                }
+            } while (duplicate);
+            manager.changeSessionId(session, newSessionId);
+            return newSessionId;
+        }
+    }
+
     /**
      * @return the session associated with this Request, creating one
      * if necessary and requested.
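Review bot: The new helper's parameter is spelled `sessiom`, but the fallback branch calls `manager.changeSessionId(session, newSessionId)` with `session`, which is not that parameter. It can only compile by resolving to some other `session` in scope (presumably a Request field, not visible in this hunk), so for a Manager that is not a ManagerBase the ID may be changed on a different or null session instead of the one changeSessionId() looked up. Because ID rotation is the session-fixation defence, the parameter should be named correctly: `private String rotateSessionId(Manager manager, Session session) {` and `return ((ManagerBase) manager).rotateSessionId(session);`. Separately, the do/while loop retries forever if `findSession` keeps throwing IOException (for example when a store is unavailable, not because the ID is a duplicate), so a bounded retry count is worth adding. changeSessionId() itself starts above the hunk.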
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index 894256d..74843d0 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -727,7 +727,6 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
     }
 
 
-    @Override
     public String rotateSessionId(Session session) {
         String newId = generateSessionId();
         changeSessionId(session, newId, true, true);

