Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/11/10 12:55:45 UTC
svn commit: r1713618 - in /tomcat/trunk: java/org/apache/catalina/
java/org/apache/catalina/connector/ java/org/apache/catalina/core/
java/org/apache/catalina/startup/ test/org/apache/catalina/core/
Author: markt
Date: Tue Nov 10 11:55:45 2015
New Revision: 1713618
URL: http://svn.apache.org/viewvc?rev=1713618&view=rev
Log:
Add a new Context option, enabled by default, that enables an additional check that a client provided session ID is in use in at least one other web application before allowing it to be used as the ID for a new session in the current web application.
Modified:
tomcat/trunk/java/org/apache/catalina/Context.java
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Tue Nov 10 11:55:45 2015
@@ -1680,4 +1680,32 @@ public interface Context extends Contain
* for this Context.
*/
public CookieProcessor getCookieProcessor();
+
+ /**
+ * When a client provides the ID for a new session, should that ID be
+ * validated? The only use case for using a client provided session ID is to
+ * have a common session ID across multiple web applications. Therefore,
+ * any client provided session ID should already exist in another web
+ * application. If this check is enabled, the client provided session ID
+ * will only be used if the session ID exists in at least one other web
+ * application for the current host. Note that the following additional
+ * tests are always applied, irrespective of this setting:
+ * <ul>
+ * <li>The session ID is provided by a cookie</li>
+ * <li>The session cookie has a path of {@code /}</li>
+ * </ul>
+ *
+ * @param validateClientProvidedNewSessionId
+ * {@code true} if validation should be applied
+ */
+ public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId);
+
+ /**
+ * Will client provided session IDs be validated (see {@link
+ * #setValidateClientProvidedNewSessionId(boolean)}) before use?
+ *
+ * @return {@code true} if validation will be applied. Otherwise, {@code
+ * false}
+ */
+ public boolean getValidateClientProvidedNewSessionId();
}
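Review bot: The Javadoc on `setValidateClientProvidedNewSessionId` states that the cookie and path tests are always applied, but it does not mention that an ID taken from the SSL handshake is used without either test and without this validation, which is what the `requestedSessionSSL` branch in this commit's Request.java change does. A sentence such as `Session IDs obtained from the SSL handshake are not subject to these tests or to this validation.` would keep the documented contract in line with the code. It would also help to state what disabling the option means: a cookie-supplied ID that no web application on the host knows is then accepted as the ID of the new session.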
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Tue Nov 10 11:55:45 2015
@@ -65,6 +65,7 @@ import javax.servlet.http.HttpUpgradeHan
import javax.servlet.http.Part;
import javax.servlet.http.PushBuilder;
+import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.Host;
@@ -2827,16 +2828,49 @@ public class Request implements HttpServ
sm.getString("coyoteRequest.sessionCreateCommitted"));
}
- // Attempt to reuse session id if one was submitted in a cookie
- // Do not reuse the session id if it is from a URL, to prevent possible
- // phishing attacks
- // Use the SSL session ID if one is present.
- if (("/".equals(context.getSessionCookiePath())
- && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
- session = manager.createSession(getRequestedSessionId());
+ // Re-use session IDs provided by the client in very limited
+ // circumstances.
+ String sessionId = getRequestedSessionId();
+ if (requestedSessionSSL) {
+ // If the session ID has been obtained from the SSL handshake then
+ // use it.
+ } else if (("/".equals(context.getSessionCookiePath())
+ && isRequestedSessionIdFromCookie())) {
+ /* This is the common(ish) use case: using the same session ID with
+ * multiple web applications on the same host. Typically this is
+ * used by Portlet implementations. It only works if sessions are
+ * tracked via cookies. The cookie must have a path of "/" else it
+ * won't be provided to for requests to all web applications.
+ *
+ * Any session ID provided by the client should be for a session
+ * that already exists somewhere on the host. Check if the context
+ * is configured for this to be confirmed.
+ */
+ if (context.getValidateClientProvidedNewSessionId()) {
+ boolean found = false;
+ for (Container container : getHost().findChildren()) {
+ Manager m = ((Context) container).getManager();
+ if (m != null) {
+ try {
+ if (m.findSession(sessionId) != null) {
+ found = true;
+ break;
+ }
+ } catch (IOException e) {
+ // Ignore. Problems with this manager will be
+ // handled elsewhere.
+ }
+ }
+ }
+ if (!found) {
+ sessionId = null;
+ }
+ sessionId = getRequestedSessionId();
+ }
} else {
- session = manager.createSession(null);
+ sessionId = null;
}
+ session = manager.createSession(sessionId);
// Creating a new session cookie based on that session
if (session != null
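Review bot: The added `sessionId = getRequestedSessionId();` directly after the `if (!found) { sessionId = null; }` block unconditionally restores the client-supplied ID, so the host-wide lookup has no effect and an ID that exists in no web application on the host still reaches `manager.createSession(sessionId)`. With the option enabled the behaviour is therefore the same as before the change, which presumably leaves open the client-chosen-ID case the option is meant to close. Deleting that reassignment is sufficient, because `sessionId` is already initialised from `getRequestedSessionId()` before the `if (requestedSessionSSL)` test. Separately, `((Context) container)` assumes every child of the host is a `Context`; an `instanceof` check before the cast would make that assumption explicit. The enclosing method starts and ends outside the hunk.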
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Tue Nov 10 11:55:45 2015
@@ -814,10 +814,26 @@ public class StandardContext extends Con
private CookieProcessor cookieProcessor;
+ private boolean validateClientProvidedNewSessionId = true;
// ----------------------------------------------------- Context Properties
@Override
+ public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
+ this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
+ }
+
+ /**
+ * {@inheritDoc}
+ * <p>
+ * The default value for this implementation is {@code true}.
+ */
+ @Override
+ public boolean getValidateClientProvidedNewSessionId() {
+ return validateClientProvidedNewSessionId;
+ }
+
+ @Override
public void setCookieProcessor(CookieProcessor cookieProcessor) {
if (cookieProcessor == null) {
throw new IllegalArgumentException(
Modified: tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java Tue Nov 10 11:55:45 2015
@@ -761,4 +761,12 @@ public class FailedContext extends Lifec
@Override
public CookieProcessor getCookieProcessor() { return null; }
+
+ @Override
+ public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
+ //NO-OP
+ }
+
+ @Override
+ public boolean getValidateClientProvidedNewSessionId() { return false; }
}
\ No newline at end of file
Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original)
+++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Nov 10 11:55:45 2015
@@ -1226,4 +1226,12 @@ public class TesterContext implements Co
@Override
public CookieProcessor getCookieProcessor() { return null; }
+
+ @Override
+ public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
+ //NO-OP
+ }
+
+ @Override
+ public boolean getValidateClientProvidedNewSessionId() { return false; }
}
Re: svn commit: r1713618 - in /tomcat/trunk:
java/org/apache/catalina/ java/org/apache/catalina/connector/
java/org/apache/catalina/core/ java/org/apache/catalina/startup/
test/org/apache/catalina/core/
Posted by Mark Thomas <ma...@apache.org>.
On 11/11/2015 20:15, Christopher Schultz wrote:
> Mark,
>
> On 11/10/15 6:55 AM, markt@apache.org wrote:
>> Author: markt
>> Date: Tue Nov 10 11:55:45 2015
>> New Revision: 1713618
>>
>> URL: http://svn.apache.org/viewvc?rev=1713618&view=rev
>> Log:
>> Add a new Context option, enabled by default, that enables an additional check that a client provided session ID is in use in at least one other web application before allowing it to be used as the ID for a new session in the current web application.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/Context.java
>> tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
>> tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
>> tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/Context.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1713618&r1=1713617&r2=1713618&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/Context.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/Context.java Tue Nov 10 11:55:45 2015
>> @@ -1680,4 +1680,32 @@ public interface Context extends Contain
>> * for this Context.
>> */
>> public CookieProcessor getCookieProcessor();
>> +
>> + /**
>> + * When a client provides the ID for a new session, should that ID be
>> + * validated? The only use case for using a client provided session ID is to
>> + * have a common session ID across multiple web applications. Therefore,
>> + * any client provided session ID should already exist in another web
>> + * application. If this check is enabled, the client provided session ID
>> + * will only be used if the session ID exists in at least one other web
>> + * application for the current host. Note that the following additional
>> + * tests are always applied, irrespective of this setting:
>> + * <ul>
>> + * <li>The session ID is provided by a cookie</li>
>> + * <li>The session cookie has a path of {@code /}</li>
>> + * </ul>
>> + *
>> + * @param validateClientProvidedNewSessionId
>> + * {@code true} if validation should be applied
>> + */
>> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId);
>> +
>> + /**
>> + * Will client provided session IDs be validated (see {@link
>> + * #setValidateClientProvidedNewSessionId(boolean)}) before use?
>> + *
>> + * @return {@code true} if validation will be applied. Otherwise, {@code
>> + * false}
>> + */
>> + public boolean getValidateClientProvidedNewSessionId();
>> }
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1713618&r1=1713617&r2=1713618&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Tue Nov 10 11:55:45 2015
>> @@ -65,6 +65,7 @@ import javax.servlet.http.HttpUpgradeHan
>> import javax.servlet.http.Part;
>> import javax.servlet.http.PushBuilder;
>>
>> +import org.apache.catalina.Container;
>> import org.apache.catalina.Context;
>> import org.apache.catalina.Globals;
>> import org.apache.catalina.Host;
>> @@ -2827,16 +2828,49 @@ public class Request implements HttpServ
>> sm.getString("coyoteRequest.sessionCreateCommitted"));
>> }
>>
>> - // Attempt to reuse session id if one was submitted in a cookie
>> - // Do not reuse the session id if it is from a URL, to prevent possible
>> - // phishing attacks
>> - // Use the SSL session ID if one is present.
>> - if (("/".equals(context.getSessionCookiePath())
>> - && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
>> - session = manager.createSession(getRequestedSessionId());
>> + // Re-use session IDs provided by the client in very limited
>> + // circumstances.
>> + String sessionId = getRequestedSessionId();
>> + if (requestedSessionSSL) {
>> + // If the session ID has been obtained from the SSL handshake then
>> + // use it.
>> + } else if (("/".equals(context.getSessionCookiePath())
>> + && isRequestedSessionIdFromCookie())) {
>> + /* This is the common(ish) use case: using the same session ID with
>> + * multiple web applications on the same host. Typically this is
>> + * used by Portlet implementations. It only works if sessions are
>> + * tracked via cookies. The cookie must have a path of "/" else it
>> + * won't be provided to for requests to all web applications.
>> + *
>> + * Any session ID provided by the client should be for a session
>> + * that already exists somewhere on the host. Check if the context
>> + * is configured for this to be confirmed.
>> + */
>> + if (context.getValidateClientProvidedNewSessionId()) {
>> + boolean found = false;
>> + for (Container container : getHost().findChildren()) {
>> + Manager m = ((Context) container).getManager();
>> + if (m != null) {
>> + try {
>> + if (m.findSession(sessionId) != null) {
>> + found = true;
>> + break;
>> + }
>> + } catch (IOException e) {
>> + // Ignore. Problems with this manager will be
>> + // handled elsewhere.
>> + }
>> + }
>> + }
>> + if (!found) {
>> + sessionId = null;
>> + }
>> + sessionId = getRequestedSessionId();
>> + }
>> } else {
>> - session = manager.createSession(null);
>> + sessionId = null;
>> }
>> + session = manager.createSession(sessionId);
>>
>> // Creating a new session cookie based on that session
>> if (session != null
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Tue Nov 10 11:55:45 2015
>> @@ -814,10 +814,26 @@ public class StandardContext extends Con
>>
>> private CookieProcessor cookieProcessor;
>>
>> + private boolean validateClientProvidedNewSessionId = true;
>>
>> // ----------------------------------------------------- Context Properties
>>
>> @Override
>> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
>> + this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
>> + }
>> +
>> + /**
>> + * {@inheritDoc}
>> + * <p>
>> + * The default value for this implementation is {@code true}.
>> + */
>> + @Override
>> + public boolean getValidateClientProvidedNewSessionId() {
>> + return validateClientProvidedNewSessionId;
>> + }
>> +
>> + @Override
>> public void setCookieProcessor(CookieProcessor cookieProcessor) {
>> if (cookieProcessor == null) {
>> throw new IllegalArgumentException(
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java Tue Nov 10 11:55:45 2015
>> @@ -761,4 +761,12 @@ public class FailedContext extends Lifec
>>
>> @Override
>> public CookieProcessor getCookieProcessor() { return null; }
>> +
>> + @Override
>> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
>> + //NO-OP
>> + }
>> +
>> + @Override
>> + public boolean getValidateClientProvidedNewSessionId() { return false; }
>> }
>> \ No newline at end of file
>>
>> Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
>> ==============================================================================
>> --- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original)
>> +++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Nov 10 11:55:45 2015
>> @@ -1226,4 +1226,12 @@ public class TesterContext implements Co
>>
>> @Override
>> public CookieProcessor getCookieProcessor() { return null; }
>> +
>> + @Override
>> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
>> + //NO-OP
>> + }
>> +
>> + @Override
>> + public boolean getValidateClientProvidedNewSessionId() { return false; }
>> }
>
> This likely needs documentation in manager.xml.
context.xml, but yes.
Mark
Re: svn commit: r1713618 - in /tomcat/trunk: java/org/apache/catalina/
java/org/apache/catalina/connector/ java/org/apache/catalina/core/
java/org/apache/catalina/startup/ test/org/apache/catalina/core/
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 11/10/15 6:55 AM, markt@apache.org wrote:
> Author: markt
> Date: Tue Nov 10 11:55:45 2015
> New Revision: 1713618
>
> URL: http://svn.apache.org/viewvc?rev=1713618&view=rev
> Log:
> Add a new Context option, enabled by default, that enables an additional check that a client provided session ID is in use in at least one other web application before allowing it to be used as the ID for a new session in the current web application.
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/Context.java
> tomcat/trunk/java/org/apache/catalina/connector/Request.java
> tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
> tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
> tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
>
> Modified: tomcat/trunk/java/org/apache/catalina/Context.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1713618&r1=1713617&r2=1713618&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/Context.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/Context.java Tue Nov 10 11:55:45 2015
> @@ -1680,4 +1680,32 @@ public interface Context extends Contain
> * for this Context.
> */
> public CookieProcessor getCookieProcessor();
> +
> + /**
> + * When a client provides the ID for a new session, should that ID be
> + * validated? The only use case for using a client provided session ID is to
> + * have a common session ID across multiple web applications. Therefore,
> + * any client provided session ID should already exist in another web
> + * application. If this check is enabled, the client provided session ID
> + * will only be used if the session ID exists in at least one other web
> + * application for the current host. Note that the following additional
> + * tests are always applied, irrespective of this setting:
> + * <ul>
> + * <li>The session ID is provided by a cookie</li>
> + * <li>The session cookie has a path of {@code /}</li>
> + * </ul>
> + *
> + * @param validateClientProvidedNewSessionId
> + * {@code true} if validation should be applied
> + */
> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId);
> +
> + /**
> + * Will client provided session IDs be validated (see {@link
> + * #setValidateClientProvidedNewSessionId(boolean)}) before use?
> + *
> + * @return {@code true} if validation will be applied. Otherwise, {@code
> + * false}
> + */
> + public boolean getValidateClientProvidedNewSessionId();
> }
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1713618&r1=1713617&r2=1713618&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Tue Nov 10 11:55:45 2015
> @@ -65,6 +65,7 @@ import javax.servlet.http.HttpUpgradeHan
> import javax.servlet.http.Part;
> import javax.servlet.http.PushBuilder;
>
> +import org.apache.catalina.Container;
> import org.apache.catalina.Context;
> import org.apache.catalina.Globals;
> import org.apache.catalina.Host;
> @@ -2827,16 +2828,49 @@ public class Request implements HttpServ
> sm.getString("coyoteRequest.sessionCreateCommitted"));
> }
>
> - // Attempt to reuse session id if one was submitted in a cookie
> - // Do not reuse the session id if it is from a URL, to prevent possible
> - // phishing attacks
> - // Use the SSL session ID if one is present.
> - if (("/".equals(context.getSessionCookiePath())
> - && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
> - session = manager.createSession(getRequestedSessionId());
> + // Re-use session IDs provided by the client in very limited
> + // circumstances.
> + String sessionId = getRequestedSessionId();
> + if (requestedSessionSSL) {
> + // If the session ID has been obtained from the SSL handshake then
> + // use it.
> + } else if (("/".equals(context.getSessionCookiePath())
> + && isRequestedSessionIdFromCookie())) {
> + /* This is the common(ish) use case: using the same session ID with
> + * multiple web applications on the same host. Typically this is
> + * used by Portlet implementations. It only works if sessions are
> + * tracked via cookies. The cookie must have a path of "/" else it
> + * won't be provided to for requests to all web applications.
> + *
> + * Any session ID provided by the client should be for a session
> + * that already exists somewhere on the host. Check if the context
> + * is configured for this to be confirmed.
> + */
> + if (context.getValidateClientProvidedNewSessionId()) {
> + boolean found = false;
> + for (Container container : getHost().findChildren()) {
> + Manager m = ((Context) container).getManager();
> + if (m != null) {
> + try {
> + if (m.findSession(sessionId) != null) {
> + found = true;
> + break;
> + }
> + } catch (IOException e) {
> + // Ignore. Problems with this manager will be
> + // handled elsewhere.
> + }
> + }
> + }
> + if (!found) {
> + sessionId = null;
> + }
> + sessionId = getRequestedSessionId();
> + }
> } else {
> - session = manager.createSession(null);
> + sessionId = null;
> }
> + session = manager.createSession(sessionId);
>
> // Creating a new session cookie based on that session
> if (session != null
>
> Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Tue Nov 10 11:55:45 2015
> @@ -814,10 +814,26 @@ public class StandardContext extends Con
>
> private CookieProcessor cookieProcessor;
>
> + private boolean validateClientProvidedNewSessionId = true;
>
> // ----------------------------------------------------- Context Properties
>
> @Override
> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
> + this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
> + }
> +
> + /**
> + * {@inheritDoc}
> + * <p>
> + * The default value for this implementation is {@code true}.
> + */
> + @Override
> + public boolean getValidateClientProvidedNewSessionId() {
> + return validateClientProvidedNewSessionId;
> + }
> +
> + @Override
> public void setCookieProcessor(CookieProcessor cookieProcessor) {
> if (cookieProcessor == null) {
> throw new IllegalArgumentException(
>
> Modified: tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java Tue Nov 10 11:55:45 2015
> @@ -761,4 +761,12 @@ public class FailedContext extends Lifec
>
> @Override
> public CookieProcessor getCookieProcessor() { return null; }
> +
> + @Override
> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
> + //NO-OP
> + }
> +
> + @Override
> + public boolean getValidateClientProvidedNewSessionId() { return false; }
> }
> \ No newline at end of file
>
> Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
> ==============================================================================
> --- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original)
> +++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Nov 10 11:55:45 2015
> @@ -1226,4 +1226,12 @@ public class TesterContext implements Co
>
> @Override
> public CookieProcessor getCookieProcessor() { return null; }
> +
> + @Override
> + public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
> + //NO-OP
> + }
> +
> + @Override
> + public boolean getValidateClientProvidedNewSessionId() { return false; }
> }
This likely needs documentation in manager.xml.
-chris