svn commit: r1713618 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/connector/ java/org/apache/catalina/core/ java/org/apache/catalina/startup/ test/org/apache/catalina/core/

[markt]

Author: markt
Date: Tue Nov 10 11:55:45 2015
New Revision: 1713618

URL: http://svn.apache.org/viewvc?rev=1713618&view=rev
Log:
Add a new Context option, enabled by default, that enables an additional check 
that a client provided session ID is in use in at least one other web 
application before allowing it to be used as the ID for a new session in the 
current web application.

Modified:
    tomcat/trunk/java/org/apache/catalina/Context.java
    tomcat/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
    tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
    tomcat/trunk/test/org/apache/catalina/core/TesterContext.java

Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Tue Nov 10 11:55:45 2015
@@ -1680,4 +1680,32 @@ public interface Context extends Contain
      * for this Context.
      */
     public CookieProcessor getCookieProcessor();
+
+    /**
+     * When a client provides the ID for a new session, should that ID be
+     * validated? The only use case for using a client provided session ID is 
to
+     * have a common session ID across multiple web applications. Therefore,
+     * any client provided session ID should already exist in another web
+     * application. If this check is enabled, the client provided session ID
+     * will only be used if the session ID exists in at least one other web
+     * application for the current host. Note that the following additional
+     * tests are always applied, irrespective of this setting:
+     * <ul>
+     * <li>The session ID is provided by a cookie</li>
+     * <li>The session cookie has a path of {@code /}</li>
+     * </ul>
+     *
+     * @param validateClientProvidedNewSessionId
+     *          {@code true} if validation should be applied
+     */
+    public void setValidateClientProvidedNewSessionId(boolean 
validateClientProvidedNewSessionId);
+
+    /**
+     * Will client provided session IDs be validated (see {@link
+     * #setValidateClientProvidedNewSessionId(boolean)}) before use?
+     *
+     * @return {@code true} if validation will be applied. Otherwise, {@code
+     *         false}
+     */
+    public boolean getValidateClientProvidedNewSessionId();
 }

Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Tue Nov 10 
11:55:45 2015
@@ -65,6 +65,7 @@ import javax.servlet.http.HttpUpgradeHan
 import javax.servlet.http.Part;
 import javax.servlet.http.PushBuilder;
 
+import org.apache.catalina.Container;
 import org.apache.catalina.Context;
 import org.apache.catalina.Globals;
 import org.apache.catalina.Host;
@@ -2827,16 +2828,49 @@ public class Request implements HttpServ
                     sm.getString("coyoteRequest.sessionCreateCommitted"));
         }
 
-        // Attempt to reuse session id if one was submitted in a cookie
-        // Do not reuse the session id if it is from a URL, to prevent possible
-        // phishing attacks
-        // Use the SSL session ID if one is present.
-        if (("/".equals(context.getSessionCookiePath())
-                && isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
-            session = manager.createSession(getRequestedSessionId());
+        // Re-use session IDs provided by the client in very limited
+        // circumstances.
+        String sessionId = getRequestedSessionId();
+        if (requestedSessionSSL) {
+            // If the session ID has been obtained from the SSL handshake then
+            // use it.
+        } else if (("/".equals(context.getSessionCookiePath())
+                && isRequestedSessionIdFromCookie())) {
+            /* This is the common(ish) use case: using the same session ID with
+             * multiple web applications on the same host. Typically this is
+             * used by Portlet implementations. It only works if sessions are
+             * tracked via cookies. The cookie must have a path of "/" else it
+             * won't be provided to for requests to all web applications.
+             *
+             * Any session ID provided by the client should be for a session
+             * that already exists somewhere on the host. Check if the context
+             * is configured for this to be confirmed.
+             */
+            if (context.getValidateClientProvidedNewSessionId()) {
+                boolean found = false;
+                for (Container container : getHost().findChildren()) {
+                    Manager m = ((Context) container).getManager();
+                    if (m != null) {
+                        try {
+                            if (m.findSession(sessionId) != null) {
+                                found = true;
+                                break;
+                            }
+                        } catch (IOException e) {
+                            // Ignore. Problems with this manager will be
+                            // handled elsewhere.
+                        }
+                    }
+                }
+                if (!found) {
+                    sessionId = null;
+                }
+                sessionId = getRequestedSessionId();
+            }
         } else {
-            session = manager.createSession(null);
+            sessionId = null;
         }
+        session = manager.createSession(sessionId);
 
         // Creating a new session cookie based on that session
         if (session != null

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Tue Nov 10 
11:55:45 2015
@@ -814,10 +814,26 @@ public class StandardContext extends Con
 
     private CookieProcessor cookieProcessor;
 
+    private boolean validateClientProvidedNewSessionId = true;
 
     // ----------------------------------------------------- Context Properties
 
     @Override
+    public void setValidateClientProvidedNewSessionId(boolean 
validateClientProvidedNewSessionId) {
+        this.validateClientProvidedNewSessionId = 
validateClientProvidedNewSessionId;
+    }
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code true}.
+     */
+    @Override
+    public boolean getValidateClientProvidedNewSessionId() {
+        return validateClientProvidedNewSessionId;
+    }
+
+    @Override
     public void setCookieProcessor(CookieProcessor cookieProcessor) {
         if (cookieProcessor == null) {
             throw new IllegalArgumentException(

Modified: tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java Tue Nov 10 
11:55:45 2015
@@ -761,4 +761,12 @@ public class FailedContext extends Lifec
 
     @Override
     public CookieProcessor getCookieProcessor() { return null; }
+
+    @Override
+    public void setValidateClientProvidedNewSessionId(boolean 
validateClientProvidedNewSessionId) {
+        //NO-OP
+    }
+
+    @Override
+    public boolean getValidateClientProvidedNewSessionId() { return false; }
 }
\ No newline at end of file

Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original)
+++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Nov 10 
11:55:45 2015
@@ -1226,4 +1226,12 @@ public class TesterContext implements Co
 
     @Override
     public CookieProcessor getCookieProcessor() { return null; }
+
+    @Override
+    public void setValidateClientProvidedNewSessionId(boolean 
validateClientProvidedNewSessionId) {
+        //NO-OP
+    }
+
+    @Override
+    public boolean getValidateClientProvidedNewSessionId() { return false; }
 }



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org