Listing
....
public class SessionFixationProtectionValve extends ValveBase { ....
public void invoke(Request request, Response response) throws IOException,
ServletException { ....
// Session bestimmen
Session session = request.getSessionInternal( false);
if (session != null) { // Standard-URI für Container Managed Security
if (request.getDecodedRequestURI().endsWith("/j_security_check")) { // schon eine Session vorhanden
HttpSession httpSession = request.getSession( false);
if (httpSession != null) { HashMap<String, Object> attributes = new HashMap<String,Object>();
// alle Attribute kopieren
Enumeration<String> enames = httpSession.getAttributeNames();
while (enames.hasMoreElements()) { String name = enames.nextElement();
if (!name.equals("JSESSIONID")) attributes.put(name, httpSession.getAttribute( name));
}
// alle Notizen kopieren
HashMap<String, Object> notes = new HashMap<String,Object>();
Iterator<String> nameit = session.getNoteNames();
while (nameit.hasNext()) { String name = nameit.next();
notes.put( name, session.getNote( name));
}
// Session ungültig machen
httpSession.invalidate();
session.expire();
session.recycle();
// neue Session anlegen
httpSession = request.getSession( true);
// Attribute und Notizen zurückkopieren
for (Map.Entry<String,Object> et : attributes.entrySet()) { httpSession.setAttribute( et.getKey(), et.getValue());
}
session = request.getSessionInternal( true);
for (Map.Entry<String, Object> et : notes.entrySet()) { session.setNote( et.getKey(), et.getValue());
}
}
}
}
getNext().invoke(request, response);
}
...
}
Kommentieren (1 Kommentar)
