VIVO-246 Add a filter to limit the lifetime of trivial sessions.
This commit is contained in:
parent
09f16809fd
commit
7d40f99158
4 changed files with 97 additions and 4 deletions
|
@ -185,6 +185,15 @@
|
||||||
<!-- in 2.4 spec, filter chain order is first by filter-mapping <url-pattern> order in web.xml,
|
<!-- in 2.4 spec, filter chain order is first by filter-mapping <url-pattern> order in web.xml,
|
||||||
then filter-mapping <servlet-name> order in web.xml -->
|
then filter-mapping <servlet-name> order in web.xml -->
|
||||||
|
|
||||||
|
<filter>
|
||||||
|
<filter-name>Session Timeout Limiting Filter</filter-name>
|
||||||
|
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.SessionTimeoutLimitingFilter</filter-class>
|
||||||
|
</filter>
|
||||||
|
<filter-mapping>
|
||||||
|
<filter-name>Session Timeout Limiting Filter</filter-name>
|
||||||
|
<url-pattern>/*</url-pattern>
|
||||||
|
</filter-mapping>
|
||||||
|
|
||||||
<filter>
|
<filter>
|
||||||
<filter-name>Character Set Encoding Filter</filter-name>
|
<filter-name>Character Set Encoding Filter</filter-name>
|
||||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.CharsetEncodingFilter</filter-class>
|
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.CharsetEncodingFilter</filter-class>
|
||||||
|
@ -193,6 +202,7 @@
|
||||||
<filter-name>Character Set Encoding Filter</filter-name>
|
<filter-name>Character Set Encoding Filter</filter-name>
|
||||||
<url-pattern>/*</url-pattern>
|
<url-pattern>/*</url-pattern>
|
||||||
</filter-mapping>
|
</filter-mapping>
|
||||||
|
|
||||||
<filter>
|
<filter>
|
||||||
<filter-name>JSession Strip Filter</filter-name>
|
<filter-name>JSession Strip Filter</filter-name>
|
||||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.JSessionStripFilter</filter-class>
|
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.JSessionStripFilter</filter-class>
|
||||||
|
@ -210,6 +220,7 @@
|
||||||
<filter-name>URL Rewriter Filter</filter-name>
|
<filter-name>URL Rewriter Filter</filter-name>
|
||||||
<url-pattern>/*</url-pattern>
|
<url-pattern>/*</url-pattern>
|
||||||
</filter-mapping>
|
</filter-mapping>
|
||||||
|
|
||||||
<filter>
|
<filter>
|
||||||
<filter-name>Portal Picker Filter</filter-name>
|
<filter-name>Portal Picker Filter</filter-name>
|
||||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.PortalPickerFilter</filter-class>
|
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.PortalPickerFilter</filter-class>
|
||||||
|
|
|
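Review bot: The new `<filter>` mapping is placed ahead of every other `/*` mapping with no comment saying why, and the ordering comment just above it is what a maintainer will read before reordering. `SessionTimeoutLimitingFilter` does its work only after `filterChain.doFilter` returns, so being first in the chain means its post-processing runs last and sees the session as every later filter and the target servlet left it; a casual reorder would silently change which session state the filter judges. Suggest a comment on the mapping: `<!-- Keep first: its check runs after the chain returns and must see the session as login/self-editing left it. -->`. The mapping also declares no `<dispatcher>`, so under the 2.4 defaults it runs for REQUEST dispatch only — fine as long as forwards and includes are not expected to create sessions, which is worth stating here.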
@ -39,6 +39,12 @@ import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginEvent;
|
||||||
import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginLogoutEvent;
|
import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginLogoutEvent;
|
||||||
|
|
||||||
public class Authenticate extends FreemarkerHttpServlet {
|
public class Authenticate extends FreemarkerHttpServlet {
|
||||||
|
/** Maximum inactive interval for a ordinary logged in user session, in seconds. */
|
||||||
|
public static final int LOGGED_IN_TIMEOUT_INTERVAL = 300;
|
||||||
|
|
||||||
|
/** Maximum inactive interval for a editor (or better) session, in seconds. */
|
||||||
|
public static final int PRIVILEGED_TIMEOUT_INTERVAL = 32000;
|
||||||
|
|
||||||
private static final Log log = LogFactory.getLog(Authenticate.class
|
private static final Log log = LogFactory.getLog(Authenticate.class
|
||||||
.getName());
|
.getName());
|
||||||
|
|
||||||
|
@ -301,10 +307,10 @@ public class Authenticate extends FreemarkerHttpServlet {
|
||||||
getUserDao(request).updateUser(user);
|
getUserDao(request).updateUser(user);
|
||||||
|
|
||||||
// Set the timeout limit on the session - editors, etc, get more.
|
// Set the timeout limit on the session - editors, etc, get more.
|
||||||
session.setMaxInactiveInterval(300); // seconds, not milliseconds
|
session.setMaxInactiveInterval(LOGGED_IN_TIMEOUT_INTERVAL); // seconds, not milliseconds
|
||||||
try {
|
try {
|
||||||
if ((int) Integer.decode(lfb.getLoginRole()) > 1) {
|
if ((int) Integer.decode(lfb.getLoginRole()) > 1) {
|
||||||
session.setMaxInactiveInterval(32000);
|
session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
|
||||||
}
|
}
|
||||||
} catch (NumberFormatException e) {
|
} catch (NumberFormatException e) {
|
||||||
// No problem - leave it at the default.
|
// No problem - leave it at the default.
|
||||||
|
|
|
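Review bot: `PRIVILEGED_TIMEOUT_INTERVAL = 32000` gives editor-or-better sessions an idle timeout of roughly 8.9 hours while ordinary users get 300 s, so the more privileged the account, the longer an unattended or hijacked session remains usable — the inverse of the usual policy. The commit only names the pre-existing values, but now that they are `public` and read from another package the Javadoc should carry the rationale rather than just the unit: `/** Maximum inactive interval for an editor (or better) session, in seconds (about 8.9 h); deliberately long so that lengthy edits do not time out — no absolute session lifetime is enforced here. */`. The first-constant Javadoc should likewise read "an ordinary logged in user session". The `catch (NumberFormatException e)` comment says "leave it at the default", but the value left in place is `LOGGED_IN_TIMEOUT_INTERVAL`, not the container default; `// No problem - leave it at LOGGED_IN_TIMEOUT_INTERVAL.` would be accurate.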
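--- /dev/null
+++ b/edu/cornell/mannlib/vitro/webapp/filters/SessionTimeoutLimitingFilter.java
@@ -0,0 +1,75 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import edu.cornell.mannlib.vedit.beans.LoginFormBean;
+
+/**
+* Manipulate the maximum inactive interval on sessions.
+* <ul>
+* <li>Logged in sessions and self-editing sessions already have the correct
+* interval set.</li>
+* <li>Other sessions are trivial, and should have a short interval.</li>
+* </ul>
+*/
+public class SessionTimeoutLimitingFilter implements Filter {
+/** Maximum inactive interval for a trivial session object, in seconds. */
+private static final int TRIVIAL_SESSION_LIFETIME = 120;
+
+public void init(FilterConfig filterConfig) throws ServletException {
+}
+
+public void doFilter(ServletRequest servletRequest,
+ServletResponse servletResponse, FilterChain filterChain)
+throws IOException, ServletException {
+filterChain.doFilter(servletRequest, servletResponse);
+
+limitTrivialSession(servletRequest);
+}
+
+/**
+* If this request has a trivial session object -- that is, the user is not
+* logged in and not self-editing -- then give it a short expiration
+* interval.
+*/
+private void limitTrivialSession(ServletRequest servletRequest) {
+if (!(servletRequest instanceof HttpServletRequest)) {
+return;
+}
+HttpServletRequest request = (HttpServletRequest) servletRequest;
+
+// If no session object, nothing to do.
+HttpSession session = request.getSession(false);
+if (session == null) {
+return;
+}
+
+// If logged in, leave it alone.
+Object loginBean = session.getAttribute("loginHandler");
+if (loginBean instanceof LoginFormBean) {
+return;
+}
+
+// If self-editing, leave it alone.
+if (VitroRequestPrep.isSelfEditing(request)) {
+return;
+}
+
+// Otherwise, it's trivial, so shorten its life-span.
+session.setMaxInactiveInterval(TRIVIAL_SESSION_LIFETIME);
+}
+
+public void destroy() {
+}
+}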
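Review bot: `limitTrivialSession` runs only when `filterChain.doFilter` returns normally, so a request that creates a session and then throws leaves that session with the container default lifetime — exactly the case this filter exists to close; the call belongs in a `finally`. A downstream servlet in the same chain may also have invalidated the session (a logout), after which `getAttribute` and `setMaxInactiveInterval` throw `IllegalStateException`; whether `getSession(false)` returns `null` for an already-invalidated session is container-dependent, so guard the body. Separately, the `"loginHandler"` check treats the mere presence of a `LoginFormBean` as "logged in" — if that bean is stored before authentication completes (I cannot see where it is put in the session), an unauthenticated session keeps the long interval; confirm against `Authenticate`. The `"loginHandler"` key is also a bare literal duplicated from wherever the bean is stored; a shared constant would keep the two in step.
```java
public void doFilter(ServletRequest servletRequest,
        ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    try {
        filterChain.doFilter(servletRequest, servletResponse);
    } finally {
        // Runs even when the chain throws, so a session created on a
        // failed request still gets the trivial lifetime.
        limitTrivialSession(servletRequest);
    }
}

private void limitTrivialSession(ServletRequest servletRequest) {
    // … unchanged: HttpServletRequest check and getSession(false) …
    try {
        // … unchanged: loginHandler and self-editing checks …
        session.setMaxInactiveInterval(TRIVIAL_SESSION_LIFETIME);
    } catch (IllegalStateException ignored) {
        // Session was invalidated downstream (e.g. logout); nothing to limit.
    }
}
```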
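--- a/VitroRequestPrep.java
+++ b/VitroRequestPrep.java
@@ -10,7 +10,6 @@ import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletContext;
-import javax.servlet.ServletContextListener;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -22,9 +21,10 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
-import edu.cornell.mannlib.vitro.webapp.beans.Portal;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
+import edu.cornell.mannlib.vitro.webapp.beans.Portal;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
+import edu.cornell.mannlib.vitro.webapp.controller.edit.Authenticate;
 import edu.cornell.mannlib.vitro.webapp.dao.PortalDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 import edu.cornell.mannlib.vitro.webapp.dao.filtering.WebappDaoFactoryFiltering;
@@ -402,6 +402,7 @@ public class VitroRequestPrep implements Filter {
 
 public static void forceToSelfEditing(HttpServletRequest request){
 HttpSession sess = request.getSession(true);
+sess.setMaxInactiveInterval(Authenticate.LOGGED_IN_TIMEOUT_INTERVAL);
 sess.setAttribute("inSelfEditing","true");
 }
 public static void forceOutOfSelfEditing(HttpServletRequest request){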
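Review bot: The added `setMaxInactiveInterval` line makes a request filter import a servlet (`controller.edit.Authenticate`) just to read a timeout constant, while the trivial-session value lives as a separate literal in `SessionTimeoutLimitingFilter` — session-lifetime policy is now spread over three constants in two packages. A small holder in this package (or the `beans` package) would remove the filter-to-controller dependency and make the policy auditable in one place; I cannot see whether `Authenticate` already depends on the filters package, so a cycle is possible but unconfirmed. The hand-off with the new filter is also invisible from here and deserves a comment on the added line: `// Self-editors get the ordinary logged-in interval; the trivial-session filter shortens it again once isSelfEditing() is false.` — that second half relies on `forceOutOfSelfEditing` clearing the flag, which continues past the hunk.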