On 11/11/2015 20:15, Christopher Schultz wrote: > Mark, > > On 11/10/15 6:55 AM, ma...@apache.org wrote: >> Author: markt >> Date: Tue Nov 10 11:55:45 2015 >> New Revision: 1713618 >> >> URL: http://svn.apache.org/viewvc?rev=1713618&view=rev >> Log: >> Add a new Context option, enabled by default, that enables an additional >> check that a client provided session ID is in use in at least one other web >> application before allowing it to be used as the ID for a new session in the >> current web application. >> >> Modified: >> tomcat/trunk/java/org/apache/catalina/Context.java >> tomcat/trunk/java/org/apache/catalina/connector/Request.java >> tomcat/trunk/java/org/apache/catalina/core/StandardContext.java >> tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java >> tomcat/trunk/test/org/apache/catalina/core/TesterContext.java >> >> Modified: tomcat/trunk/java/org/apache/catalina/Context.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1713618&r1=1713617&r2=1713618&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/catalina/Context.java (original) >> +++ tomcat/trunk/java/org/apache/catalina/Context.java Tue Nov 10 11:55:45 >> 2015 
>> @@ -1680,4 +1680,32 @@ public interface Context extends Contain >> * for this Context. >> */ >> public CookieProcessor getCookieProcessor(); >> + >> + /** >> + * When a client provides the ID for a new session, should that ID be >> + * validated? The only use case for using a client provided session ID >> is to >> + * have a common session ID across multiple web applications. Therefore, >> + * any client provided session ID should already exist in another web >> + * application. If this check is enabled, the client provided session ID >> + * will only be used if the session ID exists in at least one other web >> + * application for the current host. Note that the following additional >> + * tests are always applied, irrespective of this setting: >> + * <ul> >> + * <li>The session ID is provided by a cookie</li> >> + * <li>The session cookie has a path of {@code /}</li> >> + * </ul> >> + * >> + * @param validateClientProvidedNewSessionId >> + * {@code true} if validation should be applied >> + */ >> + public void setValidateClientProvidedNewSessionId(boolean >> validateClientProvidedNewSessionId); >> + >> + /** >> + * Will client provided session IDs be validated (see {@link >> + * #setValidateClientProvidedNewSessionId(boolean)}) before use? >> + * >> + * @return {@code true} if validation will be applied. Otherwise, {@code >> + * false} >> + */ >> + public boolean getValidateClientProvidedNewSessionId(); >> } >> >> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1713618&r1=1713617&r2=1713618&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original) >> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Tue Nov 10 >> 11:55:45 2015 
>> @@ -65,6 +65,7 @@ import javax.servlet.http.HttpUpgradeHan >> import javax.servlet.http.Part; >> import javax.servlet.http.PushBuilder; >> >> +import org.apache.catalina.Container; >> import org.apache.catalina.Context; >> import org.apache.catalina.Globals; >> import org.apache.catalina.Host; 
>> @@ -2827,16 +2828,49 @@ public class Request implements HttpServ >> sm.getString("coyoteRequest.sessionCreateCommitted")); >> } >> >> - // Attempt to reuse session id if one was submitted in a cookie >> - // Do not reuse the session id if it is from a URL, to prevent >> possible >> - // phishing attacks >> - // Use the SSL session ID if one is present. >> - if (("/".equals(context.getSessionCookiePath()) >> - && isRequestedSessionIdFromCookie()) || requestedSessionSSL >> ) { >> - session = manager.createSession(getRequestedSessionId()); >> + // Re-use session IDs provided by the client in very limited >> + // circumstances. >> + String sessionId = getRequestedSessionId(); >> + if (requestedSessionSSL) { >> + // If the session ID has been obtained from the SSL handshake >> then >> + // use it. >> + } else if (("/".equals(context.getSessionCookiePath()) >> + && isRequestedSessionIdFromCookie())) { >> + /* This is the common(ish) use case: using the same session ID >> with >> + * multiple web applications on the same host. Typically this is >> + * used by Portlet implementations. It only works if sessions >> are >> + * tracked via cookies. The cookie must have a path of "/" else >> it >> + * won't be provided to for requests to all web applications. >> + * >> + * Any session ID provided by the client should be for a session >> + * that already exists somewhere on the host. Check if the >> context >> + * is configured for this to be confirmed. >> + */ >> + if (context.getValidateClientProvidedNewSessionId()) { >> + boolean found = false; >> + for (Container container : getHost().findChildren()) { >> + Manager m = ((Context) container).getManager(); >> + if (m != null) { >> + try { >> + if (m.findSession(sessionId) != null) { >> + found = true; >> + break; >> + } >> + } catch (IOException e) { >> + // Ignore. Problems with this manager will be >> + // handled elsewhere. 
>> + } >> + } >> + } >> + if (!found) { >> + sessionId = null; >> + } >> + sessionId = getRequestedSessionId(); >> + } >> } else { >> - session = manager.createSession(null); >> + sessionId = null; >> } >> + session = manager.createSession(sessionId); >> >> // Creating a new session cookie based on that session >> if (session != null >> >> Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java >> (original) >> +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Tue Nov >> 10 11:55:45 2015 
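Review bot: The validation result is thrown away: inside the `if (context.getValidateClientProvidedNewSessionId())` block, the statement `sessionId = getRequestedSessionId();` runs unconditionally right after `if (!found) { sessionId = null; }`, so a client-supplied ID that exists in no other web application on the host is still handed to `manager.createSession(sessionId)` and the new check has no effect. `sessionId` is already initialised from `getRequestedSessionId()` at the top of the new block, so that trailing assignment should simply be deleted. As written, the only observable difference between the option being on and off is the extra `findSession` lookups across the host's contexts; a test that enables the option, sends a request with a `/`-scoped cookie carrying an unknown ID, and asserts the created session has a freshly generated ID would have caught this. The enclosing method starts and ends outside the hunk.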
>> @@ -814,10 +814,26 @@ public class StandardContext extends Con >> >> private CookieProcessor cookieProcessor; >> >> + private boolean validateClientProvidedNewSessionId = true; >> >> // ----------------------------------------------------- Context >> Properties >> >> @Override >> + public void setValidateClientProvidedNewSessionId(boolean >> validateClientProvidedNewSessionId) { >> + this.validateClientProvidedNewSessionId = >> validateClientProvidedNewSessionId; >> + } >> + >> + /** >> + * {@inheritDoc} >> + * <p> >> + * The default value for this implementation is {@code true}. >> + */ >> + @Override >> + public boolean getValidateClientProvidedNewSessionId() { >> + return validateClientProvidedNewSessionId; >> + } >> + >> + @Override >> public void setCookieProcessor(CookieProcessor cookieProcessor) { >> if (cookieProcessor == null) { >> throw new IllegalArgumentException( >> >> Modified: tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java >> (original) >> +++ tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java Tue Nov >> 10 11:55:45 2015 
>> @@ -761,4 +761,12 @@ public class FailedContext extends Lifec >> >> @Override >> public CookieProcessor getCookieProcessor() { return null; } >> + >> + @Override >> + public void setValidateClientProvidedNewSessionId(boolean >> validateClientProvidedNewSessionId) { >> + //NO-OP >> + } >> + >> + @Override >> + public boolean getValidateClientProvidedNewSessionId() { return false; } >> } >> \ No newline at end of file >> >> Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1713618&r1=1713617&r2=1713618&view=diff >> ============================================================================== >> --- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original) >> +++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Nov 10 >> 11:55:45 2015 >> @@ -1226,4 +1226,12 @@ public class TesterContext implements Co >> >> @Override >> public CookieProcessor getCookieProcessor() { return null; } >> + >> + @Override >> + public void setValidateClientProvidedNewSessionId(boolean >> validateClientProvidedNewSessionId) { >> + //NO-OP >> + } >> + >> + @Override >> + public boolean getValidateClientProvidedNewSessionId() { return false; } >> } > > This likely needs documentation in manager.xml.
context.xml, but yes. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org