//
// ========================================================================
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.server.session;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SessionIdManager;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
import org.eclipse.jetty.util.annotation.ManagedObject;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
DefaultSessionIdManager
Manages session ids to ensure each session id within a context is unique, and that
session ids can be shared across contexts (but not session contents).
There is only 1 session id manager per Server instance.
Runs a HouseKeeper thread to periodically check for expired Sessions.
See Also: - HouseKeeper
/**
* DefaultSessionIdManager
*
* Manages session ids to ensure each session id within a context is unique, and that
* session ids can be shared across contexts (but not session contents).
*
* There is only 1 session id manager per Server instance.
*
* Runs a HouseKeeper thread to periodically check for expired Sessions.
*
* @see HouseKeeper
*/
@ManagedObject
public class DefaultSessionIdManager extends ContainerLifeCycle implements SessionIdManager
{
private static final Logger LOG = Log.getLogger("org.eclipse.jetty.server.session");
public static final String __NEW_SESSION_ID = "org.eclipse.jetty.server.newSessionId";
protected static final AtomicLong COUNTER = new AtomicLong();
protected Random _random;
protected boolean _weakRandom;
protected String _workerName;
protected String _workerAttr;
protected long _reseed = 100000L;
protected Server _server;
protected HouseKeeper _houseKeeper;
protected boolean _ownHouseKeeper;
Params: - server – the server associated with the id manager
/**
* @param server the server associated with the id manager
*/
public DefaultSessionIdManager(Server server)
{
_server = server;
}
Params: - server – the server associated with the id manager
- random – a random number generator to use for ids
/**
* @param server the server associated with the id manager
* @param random a random number generator to use for ids
*/
public DefaultSessionIdManager(Server server, Random random)
{
this(server);
_random = random;
}
Params: - server – the server associated with this id manager
/**
* @param server the server associated with this id manager
*/
public void setServer(Server server)
{
_server = server;
}
Returns: the server associated with this id manager
/**
* @return the server associated with this id manager
*/
public Server getServer()
{
return _server;
}
Params: - houseKeeper – the housekeeper
/**
* @param houseKeeper the housekeeper
*/
@Override
public void setSessionHouseKeeper(HouseKeeper houseKeeper)
{
updateBean(_houseKeeper, houseKeeper);
_houseKeeper = houseKeeper;
_houseKeeper.setSessionIdManager(this);
}
Returns: the housekeeper
/**
* @return the housekeeper
*/
@Override
public HouseKeeper getSessionHouseKeeper()
{
return _houseKeeper;
}
Get the workname. If set, the workername is dot appended to the session
ID and can be used to assist session affinity in a load balancer.
Returns: name or null
/**
* Get the workname. If set, the workername is dot appended to the session
* ID and can be used to assist session affinity in a load balancer.
*
* @return name or null
*/
@Override
@ManagedAttribute(value = "unique name for this node", readonly = true)
public String getWorkerName()
{
return _workerName;
}
Set the workername. If set, the workername is dot appended to the session
ID and can be used to assist session affinity in a load balancer.
A worker name starting with $ is used as a request attribute name to
lookup the worker name that can be dynamically set by a request
Customizer.
Params: - workerName – the name of the worker, if null it is coerced to empty string
/**
* Set the workername. If set, the workername is dot appended to the session
* ID and can be used to assist session affinity in a load balancer.
* A worker name starting with $ is used as a request attribute name to
* lookup the worker name that can be dynamically set by a request
* Customizer.
*
* @param workerName the name of the worker, if null it is coerced to empty string
*/
public void setWorkerName(String workerName)
{
if (isRunning())
throw new IllegalStateException(getState());
if (workerName == null)
_workerName = "";
else
{
if (workerName.contains("."))
throw new IllegalArgumentException("Name cannot contain '.'");
_workerName = workerName;
}
}
Returns: the random number generator
/**
* @return the random number generator
*/
public Random getRandom()
{
return _random;
}
Params: - random – a random number generator for generating ids
/**
* @param random a random number generator for generating ids
*/
public synchronized void setRandom(Random random)
{
_random = random;
_weakRandom = false;
}
Returns: the reseed probability
/**
* @return the reseed probability
*/
public long getReseed()
{
return _reseed;
}
Set the reseed probability.
Params: - reseed – If non zero then when a random long modulo the reseed value == 1, the
SecureRandom
will be reseeded.
/**
* Set the reseed probability.
*
* @param reseed If non zero then when a random long modulo the reseed value == 1, the {@link SecureRandom} will be reseeded.
*/
public void setReseed(long reseed)
{
_reseed = reseed;
}
Create a new session id if necessary.
/**
* Create a new session id if necessary.
*/
@Override
public String newSessionId(HttpServletRequest request, long created)
{
if (request == null)
return newSessionId(created);
// A requested session ID can only be used if it is in use already.
String requestedId = request.getRequestedSessionId();
if (requestedId != null)
{
String clusterId = getId(requestedId);
if (isIdInUse(clusterId))
return clusterId;
}
// Else reuse any new session ID already defined for this request.
String newId = (String)request.getAttribute(__NEW_SESSION_ID);
if (newId != null && isIdInUse(newId))
return newId;
// pick a new unique ID!
String id = newSessionId(request.hashCode());
request.setAttribute(__NEW_SESSION_ID, id);
return id;
}
Params: - seedTerm – the seed for RNG
Returns: a new unique session id
/**
* @param seedTerm the seed for RNG
* @return a new unique session id
*/
public String newSessionId(long seedTerm)
{
// pick a new unique ID!
String id = null;
synchronized (_random)
{
while (id == null || id.length() == 0)
{
long r0 = _weakRandom
? (hashCode() ^ Runtime.getRuntime().freeMemory() ^ _random.nextInt() ^ ((seedTerm) << 32))
: _random.nextLong();
if (r0 < 0)
r0 = -r0;
// random chance to reseed
if (_reseed > 0 && (r0 % _reseed) == 1L)
{
if (LOG.isDebugEnabled())
LOG.debug("Reseeding {}", this);
if (_random instanceof SecureRandom)
{
SecureRandom secure = (SecureRandom)_random;
secure.setSeed(secure.generateSeed(8));
}
else
{
_random.setSeed(_random.nextLong() ^ System.currentTimeMillis() ^ seedTerm ^ Runtime.getRuntime().freeMemory());
}
}
long r1 = _weakRandom
? (hashCode() ^ Runtime.getRuntime().freeMemory() ^ _random.nextInt() ^ ((seedTerm) << 32))
: _random.nextLong();
if (r1 < 0)
r1 = -r1;
id = Long.toString(r0, 36) + Long.toString(r1, 36);
//add in the id of the node to ensure unique id across cluster
//NOTE this is different to the node suffix which denotes which node the request was received on
if (!StringUtil.isBlank(_workerName))
id = _workerName + id;
id = id + Long.toString(COUNTER.getAndIncrement());
}
}
return id;
}
See Also: - isIdInUse.isIdInUse(String)
/**
* @see org.eclipse.jetty.server.SessionIdManager#isIdInUse(java.lang.String)
*/
@Override
public boolean isIdInUse(String id)
{
if (id == null)
return false;
boolean inUse = false;
if (LOG.isDebugEnabled())
LOG.debug("Checking {} is in use by at least one context", id);
try
{
for (SessionHandler manager : getSessionHandlers())
{
if (manager.isIdInUse(id))
{
if (LOG.isDebugEnabled())
LOG.debug("Context {} reports id in use", manager);
inUse = true;
break;
}
}
if (LOG.isDebugEnabled())
LOG.debug("Checked {}, in use:", id, inUse);
return inUse;
}
catch (Exception e)
{
LOG.warn("Problem checking if id {} is in use", id, e);
return false;
}
}
See Also: - doStart.doStart()
/**
* @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
*/
@Override
protected void doStart() throws Exception
{
if (_server == null)
throw new IllegalStateException("No Server for SessionIdManager");
initRandom();
if (_workerName == null)
{
String inst = System.getenv("JETTY_WORKER_INSTANCE");
_workerName = "node" + (inst == null ? "0" : inst);
}
LOG.info("DefaultSessionIdManager workerName={}", _workerName);
_workerAttr = (_workerName != null && _workerName.startsWith("$")) ? _workerName.substring(1) : null;
if (_houseKeeper == null)
{
LOG.info("No SessionScavenger set, using defaults");
_ownHouseKeeper = true;
_houseKeeper = new HouseKeeper();
_houseKeeper.setSessionIdManager(this);
addBean(_houseKeeper, true);
}
_houseKeeper.start();
}
See Also: - doStop.doStop()
/**
* @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStop()
*/
@Override
protected void doStop() throws Exception
{
_houseKeeper.stop();
if (_ownHouseKeeper)
{
_houseKeeper = null;
}
_random = null;
}
Set up a random number generator for the sessionids.
By preference, use a SecureRandom but allow to be injected.
/**
* Set up a random number generator for the sessionids.
*
* By preference, use a SecureRandom but allow to be injected.
*/
public void initRandom()
{
if (_random == null)
{
try
{
_random = new SecureRandom();
}
catch (Exception e)
{
LOG.warn("Could not generate SecureRandom for session-id randomness", e);
_random = new Random();
_weakRandom = true;
}
}
else
_random.setSeed(_random.nextLong() ^ System.currentTimeMillis() ^ hashCode() ^ Runtime.getRuntime().freeMemory());
}
Get the session ID with any worker ID.
Params: - clusterId – the cluster id
- request – the request
Returns: sessionId plus any worker ID.
/**
* Get the session ID with any worker ID.
*
* @param clusterId the cluster id
* @param request the request
* @return sessionId plus any worker ID.
*/
@Override
public String getExtendedId(String clusterId, HttpServletRequest request)
{
if (!StringUtil.isBlank(_workerName))
{
if (_workerAttr == null)
return clusterId + '.' + _workerName;
String worker = (String)request.getAttribute(_workerAttr);
if (worker != null)
return clusterId + '.' + worker;
}
return clusterId;
}
Get the session ID without any worker ID.
Params: - extendedId – the session id with the worker extension
Returns: sessionId without any worker ID.
/**
* Get the session ID without any worker ID.
*
* @param extendedId the session id with the worker extension
* @return sessionId without any worker ID.
*/
@Override
public String getId(String extendedId)
{
int dot = extendedId.lastIndexOf('.');
return (dot > 0) ? extendedId.substring(0, dot) : extendedId;
}
Remove an id from use by telling all contexts to remove a session with this id.
See Also: - expireAll.expireAll(String)
/**
* Remove an id from use by telling all contexts to remove a session with this id.
*
* @see org.eclipse.jetty.server.SessionIdManager#expireAll(java.lang.String)
*/
@Override
public void expireAll(String id)
{
if (LOG.isDebugEnabled())
LOG.debug("Expiring {}", id);
for (SessionHandler manager : getSessionHandlers())
{
manager.invalidate(id);
}
}
@Override
public void invalidateAll(String id)
{
//tell all contexts that may have a session object with this id to
//get rid of them
for (SessionHandler manager : getSessionHandlers())
{
manager.invalidate(id);
}
}
Generate a new id for a session and update across
all SessionManagers.
/**
* Generate a new id for a session and update across
* all SessionManagers.
*/
@Override
public String renewSessionId(String oldClusterId, String oldNodeId, HttpServletRequest request)
{
//generate a new id
String newClusterId = newSessionId(request.hashCode());
//TODO how to handle request for old id whilst id change is happening?
//tell all contexts to update the id
for (SessionHandler manager : getSessionHandlers())
{
manager.renewSessionId(oldClusterId, oldNodeId, newClusterId, getExtendedId(newClusterId, request));
}
return newClusterId;
}
Get SessionManager for every context.
Returns: all session managers
/**
* Get SessionManager for every context.
*
* @return all session managers
*/
@Override
public Set<SessionHandler> getSessionHandlers()
{
Set<SessionHandler> handlers = new HashSet<>();
Handler[] tmp = _server.getChildHandlersByClass(SessionHandler.class);
if (tmp != null)
{
for (Handler h : tmp)
{
handlers.add((SessionHandler)h);
}
}
return handlers;
}
See Also: - toString.toString()
/**
* @see java.lang.Object#toString()
*/
@Override
public String toString()
{
return String.format("%s[worker=%s]", super.toString(), _workerName);
}
}