Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/12/07 17:14:20 UTC
[tomcat] 17/18: Fix back-port of atomic session ID rotation.
Replace default method.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d9a1db799cc30d5bce796e3836bbd837531ce79e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 22:10:29 2019 +0000
Fix back-port of atomic session ID rotation. Replace default method.
---
java/org/apache/catalina/Manager.java | 33 -----------------------
java/org/apache/catalina/connector/Request.java | 27 ++++++++++++++++++-
java/org/apache/catalina/session/ManagerBase.java | 1 -
3 files changed, 26 insertions(+), 35 deletions(-)
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 0fe745b..4c8275f 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,44 +215,11 @@ public interface Manager {
* session ID.
*
* @param session The session to change the session ID for
- *
- * @deprecated Use {@link #rotateSessionId(Session)}.
- * Will be removed in Tomcat 10
*/
- @Deprecated
public void changeSessionId(Session session);
/**
- * Change the session ID of the current session to a new randomly generated
- * session ID.
- *
- * @param session The session to change the session ID for
- *
- * @return The new session ID
- */
- public default String rotateSessionId(Session session) {
- String newSessionId = null;
- // Assume there new Id is a duplicate until we prove it isn't. The
- // chances of a duplicate are extremely low but the current ManagerBase
- // code protects against duplicates so this default method does too.
- boolean duplicate = true;
- do {
- newSessionId = getSessionIdGenerator().generateSessionId();
- try {
- if (findSession(newSessionId) == null) {
- duplicate = false;
- }
- } catch (IOException ioe) {
- // Swallow. An IOE means the ID was known so continue looping
- }
- } while (duplicate);
- changeSessionId(session, newSessionId);
- return newSessionId;
- }
-
-
- /**
* Change the session ID of the current session to a specified session ID.
*
* @param session The session to change the session ID for
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 954aa3e..d606c2b 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -83,6 +83,7 @@ import org.apache.catalina.core.AsyncContextImpl;
import org.apache.catalina.mapper.MappingData;
import org.apache.catalina.servlet4preview.http.HttpServletMapping;
import org.apache.catalina.servlet4preview.http.PushBuilder;
+import org.apache.catalina.session.ManagerBase;
import org.apache.catalina.util.ParameterMap;
import org.apache.catalina.util.TLSUtil;
import org.apache.catalina.util.URLEncoder;
@@ -2698,12 +2699,36 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
Manager manager = this.getContext().getManager();
- String newSessionId = manager.rotateSessionId(session);
+ String newSessionId = rotateSessionId(manager, session);
this.changeSessionId(newSessionId);
return newSessionId;
}
+ private String rotateSessionId(Manager manager, Session sessiom) {
+ if (manager instanceof ManagerBase) {
+ return ((ManagerBase) manager).rotateSessionId(sessiom);
+ } else {
+ String newSessionId = null;
+ // Assume there new Id is a duplicate until we prove it isn't. The
+ // chances of a duplicate are extremely low but the current ManagerBase
+ // code protects against duplicates so this method does too.
+ boolean duplicate = true;
+ do {
+ newSessionId = manager.getSessionIdGenerator().generateSessionId();
+ try {
+ if (manager.findSession(newSessionId) == null) {
+ duplicate = false;
+ }
+ } catch (IOException ioe) {
+ // Swallow. An IOE means the ID was known so continue looping
+ }
+ } while (duplicate);
+ manager.changeSessionId(session, newSessionId);
+ return newSessionId;
+ }
+ }
+
/**
* @return the session associated with this Request, creating one
* if necessary and requested.
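Review bot: In the new `rotateSessionId(Manager, Session)` helper the parameter is spelled `sessiom`, but the fallback branch calls `manager.changeSessionId(session, newSessionId)`, so that call does not use the argument; since the code compiles, `session` presumably resolves to a field of `Request` that is not visible in this hunk. With a manager that is not a `ManagerBase`, the ID would then be rotated on whatever that field holds rather than on the session the caller passed, which is fragile for a path that exists to replace session IDs (for example as session-fixation protection). Rename the parameter and use it in both branches: `private String rotateSessionId(Manager manager, Session session) {` and `return ((ManagerBase) manager).rotateSessionId(session);`. Separately, the `do`/`while` loop treats every `IOException` from `findSession` as a duplicate ID and has no retry bound, so a manager whose store fails persistently would keep the request thread spinning; a capped retry count, or at least a comment stating the assumption, would help. The calling method starts outside the hunk, so how `session` is obtained there cannot be confirmed from here.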
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index 894256d..74843d0 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -727,7 +727,6 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
}
- @Override
public String rotateSessionId(Session session) {
String newId = generateSessionId();
changeSessionId(session, newId, true, true);