VIVO-246 Add a filter to limit the lifetime of trivial sessions.
This commit is contained in:
parent
09f16809fd
commit
7d40f99158
4 changed files with 97 additions and 4 deletions
|
@ -185,6 +185,15 @@
|
|||
<!-- in 2.4 spec, filter chain order is first by filter-mapping <url-pattern> order in web.xml,
|
||||
then filter-mapping <servlet-name> order in web.xml -->
|
||||
|
||||
<filter>
|
||||
<filter-name>Session Timeout Limiting Filter</filter-name>
|
||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.SessionTimeoutLimitingFilter</filter-class>
|
||||
</filter>
|
||||
<filter-mapping>
|
||||
<filter-name>Session Timeout Limiting Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<filter>
|
||||
<filter-name>Character Set Encoding Filter</filter-name>
|
||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.CharsetEncodingFilter</filter-class>
|
||||
|
@ -193,6 +202,7 @@
|
|||
<filter-name>Character Set Encoding Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<filter>
|
||||
<filter-name>JSession Strip Filter</filter-name>
|
||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.JSessionStripFilter</filter-class>
|
||||
|
@ -210,6 +220,7 @@
|
|||
<filter-name>URL Rewriter Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<filter>
|
||||
<filter-name>Portal Picker Filter</filter-name>
|
||||
<filter-class>edu.cornell.mannlib.vitro.webapp.filters.PortalPickerFilter</filter-class>
|
||||
|
|
|
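Review bot: The new filter-mapping is placed first in the chain but nothing in web.xml says why, even though the comment immediately above it warns that mapping order is significant. From the filter source added in this same commit, the session adjustment happens after `filterChain.doFilter(...)` returns, so being first in the chain means it runs last on the way out and sees the session as the downstream servlets left it; that is worth recording where the next person reordering the mappings will read it. I would add above the new `<filter>` element: `<!-- Keep this mapping first: it adjusts the session timeout after the rest of the chain has run, so it sees the final login/self-editing state. -->`.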
@ -39,6 +39,12 @@ import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginEvent;
|
|||
import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginLogoutEvent;
|
||||
|
||||
public class Authenticate extends FreemarkerHttpServlet {
|
||||
/** Maximum inactive interval for a ordinary logged in user session, in seconds. */
|
||||
public static final int LOGGED_IN_TIMEOUT_INTERVAL = 300;
|
||||
|
||||
/** Maximum inactive interval for a editor (or better) session, in seconds. */
|
||||
public static final int PRIVILEGED_TIMEOUT_INTERVAL = 32000;
|
||||
|
||||
private static final Log log = LogFactory.getLog(Authenticate.class
|
||||
.getName());
|
||||
|
||||
|
@ -301,10 +307,10 @@ public class Authenticate extends FreemarkerHttpServlet {
|
|||
getUserDao(request).updateUser(user);
|
||||
|
||||
// Set the timeout limit on the session - editors, etc, get more.
|
||||
session.setMaxInactiveInterval(300); // seconds, not milliseconds
|
||||
session.setMaxInactiveInterval(LOGGED_IN_TIMEOUT_INTERVAL); // seconds, not milliseconds
|
||||
try {
|
||||
if ((int) Integer.decode(lfb.getLoginRole()) > 1) {
|
||||
session.setMaxInactiveInterval(32000);
|
||||
session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
|
||||
}
|
||||
} catch (NumberFormatException e) {
|
||||
// No problem - leave it at the default.
|
||||
|
|
|
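Review bot: The Javadoc on the two new constants has article errors; they should read `/** Maximum inactive interval for an ordinary logged-in user session, in seconds. */` and `/** Maximum inactive interval for an editor (or better) session, in seconds. */`. Beyond wording, naming the values makes visible that privileged sessions get 32000 seconds (roughly 8.9 hours) of inactivity while ordinary logged-in sessions get 300, which is the reverse of the usual practice of giving the most capable accounts the shortest idle window; since the commit only names the existing values rather than changing them, the constant's Javadoc is the place to record the rationale for that choice. The `try` block that applies the constants continues past the end of the hunk.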
@ -0,0 +1,75 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.filters;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginFormBean;
|
||||
|
||||
/**
|
||||
* Manipulate the maximum inactive interval on sessions.
|
||||
* <ul>
|
||||
* <li>Logged in sessions and self-editing sessions already have the correct
|
||||
* interval set.</li>
|
||||
* <li>Other sessions are trivial, and should have a short interval.</li>
|
||||
* </ul>
|
||||
*/
|
||||
public class SessionTimeoutLimitingFilter implements Filter {
|
||||
/** Maximum inactive interval for a trivial session object, in seconds. */
|
||||
private static final int TRIVIAL_SESSION_LIFETIME = 120;
|
||||
|
||||
public void init(FilterConfig filterConfig) throws ServletException {
|
||||
}
|
||||
|
||||
public void doFilter(ServletRequest servletRequest,
|
||||
ServletResponse servletResponse, FilterChain filterChain)
|
||||
throws IOException, ServletException {
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
|
||||
limitTrivialSession(servletRequest);
|
||||
}
|
||||
|
||||
/**
|
||||
* If this request has a trivial session object -- that is, the user is not
|
||||
* logged in and not self-editing -- then give it a short expiration
|
||||
* interval.
|
||||
*/
|
||||
private void limitTrivialSession(ServletRequest servletRequest) {
|
||||
if (!(servletRequest instanceof HttpServletRequest)) {
|
||||
return;
|
||||
}
|
||||
HttpServletRequest request = (HttpServletRequest) servletRequest;
|
||||
|
||||
// If no session object, nothing to do.
|
||||
HttpSession session = request.getSession(false);
|
||||
if (session == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
// If logged in, leave it alone.
|
||||
Object loginBean = session.getAttribute("loginHandler");
|
||||
if (loginBean instanceof LoginFormBean) {
|
||||
return;
|
||||
}
|
||||
|
||||
// If self-editing, leave it alone.
|
||||
if (VitroRequestPrep.isSelfEditing(request)) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Otherwise, it's trivial, so shorten its life-span.
|
||||
session.setMaxInactiveInterval(TRIVIAL_SESSION_LIFETIME);
|
||||
}
|
||||
|
||||
public void destroy() {
|
||||
}
|
||||
}
|
|
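Review bot: The logged-in test in `limitTrivialSession` is presence-based: any `LoginFormBean` stored under `"loginHandler"` exempts the session from the 120-second limit. If that bean is placed in the session before authentication succeeds (for example when the login form is rendered or a login attempt fails; I cannot confirm this from the diff, so check `Authenticate`), then unauthenticated visitors who merely touched the login page would keep the container default timeout, which is precisely the case this filter exists to shorten, so the check should consult the bean's login status rather than its mere existence. Two smaller points: `init`, `doFilter` and `destroy` implement `Filter` and should carry `@Override`, and `TRIVIAL_SESSION_LIFETIME` could be read from a filter init-param in `init` (falling back to 120) so operators can tune it without a rebuild.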
@ -10,7 +10,6 @@ import javax.servlet.Filter;
|
|||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextListener;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
|
@ -22,9 +21,10 @@ import org.apache.commons.logging.Log;
|
|||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Portal;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Portal;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.edit.Authenticate;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.PortalDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.filtering.WebappDaoFactoryFiltering;
|
||||
|
@ -402,6 +402,7 @@ public class VitroRequestPrep implements Filter {
|
|||
|
||||
public static void forceToSelfEditing(HttpServletRequest request){
|
||||
HttpSession sess = request.getSession(true);
|
||||
sess.setMaxInactiveInterval(Authenticate.LOGGED_IN_TIMEOUT_INTERVAL);
|
||||
sess.setAttribute("inSelfEditing","true");
|
||||
}
|
||||
public static void forceOutOfSelfEditing(HttpServletRequest request){
|
||||
|
|
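Review bot: `forceToSelfEditing` now reaches into a controller class for `Authenticate.LOGGED_IN_TIMEOUT_INTERVAL`, which makes a filter in the `filters` package depend on `controller.edit`; a shared constants holder (or keeping the timeout values alongside the new `SessionTimeoutLimitingFilter`, which already owns the trivial-session value) would keep the dependency pointing one way. Also, `forceOutOfSelfEditing` starts at the end of the hunk and its body is outside the diff, so I cannot see whether it restores a shorter interval; if it does not, a session that leaves self-editing keeps the 300-second interval until the new filter sees a subsequent request, which is probably acceptable but deserves a one-line comment there. The first two hunks only reorder imports.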