org.eclipse.jetty.server.session

Class AbstractSessionManager

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.server.session.AbstractSessionManager

All Implemented Interfaces:

SessionManager, LifeCycle

Direct Known Subclasses:

HashSessionManager, JDBCSessionManager

public abstract class AbstractSessionManager
extends AbstractLifeCycle
implements SessionManager

An Abstract implementation of SessionManager. The partial implementation of SessionManager interface provides the majority of the handling required to implement a SessionManager. Concrete implementations of SessionManager based on AbstractSessionManager need only implement the newSession method to return a specialised version of the Session inner class that provides an attribute Map.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	AbstractSessionManager.SessionIf Interface that any session wrapper should implement so that SessionManager may access the Jetty session implementation.

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

LifeCycle.Listener

Field Summary

Fields

Modifier and Type	Field and Description
Set<javax.servlet.SessionTrackingMode>	__defaultSessionTrackingModes
static int	__distantFuture
protected boolean	_checkingRemoteSessionIdEncoding
protected ContextHandler.Context	_context
protected int	_dftMaxIdleSecs
protected boolean	_httpOnly
protected ClassLoader	_loader
protected int	_maxCookieAge
protected boolean	_nodeIdInSessionId
protected int	_refreshCookieAge
protected boolean	_secureCookies
protected boolean	_secureRequestOnly
protected List<javax.servlet.http.HttpSessionAttributeListener>	_sessionAttributeListeners
protected String	_sessionComment
protected String	_sessionCookie
protected String	_sessionDomain
protected SessionHandler	_sessionHandler
protected SessionIdManager	_sessionIdManager
protected String	_sessionIdPathParameterName
protected String	_sessionIdPathParameterNamePrefix
protected List<javax.servlet.http.HttpSessionListener>	_sessionListeners
protected String	_sessionPath
protected CounterStatistic	_sessionsStats
protected SampleStatistic	_sessionTimeStats
Set<javax.servlet.SessionTrackingMode>	_sessionTrackingModes
static String	SESSION_KNOWN_ONLY_TO_AUTHENTICATED

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

_listeners, FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.server.SessionManager

__CheckRemoteSessionEncoding, __DefaultSessionCookie, __DefaultSessionDomain, __DefaultSessionIdPathParameterName, __MaxAgeProperty, __SessionCookieProperty, __SessionDomainProperty, __SessionIdPathParameterNameProperty, __SessionPathProperty

Constructor Summary

Constructors

Constructor and Description
AbstractSessionManager()

Method Summary

Methods

Modifier and Type	Method and Description
HttpCookie	access(javax.servlet.http.HttpSession session, boolean secure) Called by the SessionHandler when a session is first accessed by a request.
void	addEventListener(EventListener listener) Adds an event listener for session-related events.
protected abstract void	addSession(AbstractSession session)
protected void	addSession(AbstractSession session, boolean created) Add the session Registers the session with this manager and registers the session ID with the sessionIDManager;
void	clearEventListeners() Removes all event listeners for session-related events.
void	complete(javax.servlet.http.HttpSession session) Called by the SessionHandler when a session is last accessed by a request.
void	doSessionAttributeListeners(AbstractSession session, String name, Object old, Object value)
void	doStart()
void	doStop()
String	getClusterId(javax.servlet.http.HttpSession session)
ContextHandler.Context	getContext()
ContextHandler	getContextHandler()
Set<javax.servlet.SessionTrackingMode>	getDefaultSessionTrackingModes()
Set<javax.servlet.SessionTrackingMode>	getEffectiveSessionTrackingModes()
boolean	getHttpOnly()
javax.servlet.http.HttpSession	getHttpSession(String nodeId) Returns the HttpSession with the given session id
SessionIdManager	getIdManager() Deprecated. Use getSessionIdManager()
int	getMaxCookieAge()
int	getMaxInactiveInterval()
int	getMaxSessions() Deprecated.
SessionIdManager	getMetaManager() Deprecated. use getSessionIdManager()
int	getMinSessions() Deprecated. always returns 0. no replacement available.
String	getNodeId(javax.servlet.http.HttpSession session)
int	getRefreshCookieAge()
boolean	getSecureCookies()
abstract AbstractSession	getSession(String idInCluster) Get a known existing session
String	getSessionCookie()
HttpCookie	getSessionCookie(javax.servlet.http.HttpSession session, String contextPath, boolean requestIsSecure) A sessioncookie is marked as secure IFF any of the following conditions are true: SessionCookieConfig.setSecure == true SessionCookieConfig.setSecure == false && _secureRequestOnly==true && request is HTTPS According to SessionCookieConfig javadoc, case 1 can be used when: "...
javax.servlet.SessionCookieConfig	getSessionCookieConfig()
String	getSessionDomain()
SessionHandler	getSessionHandler()
SessionIdManager	getSessionIdManager()
String	getSessionIdPathParameterName()
String	getSessionIdPathParameterNamePrefix()
Map	getSessionMap() Deprecated. Need to review if it is needed.
String	getSessionPath()
int	getSessions()
int	getSessionsMax()
int	getSessionsTotal()
long	getSessionTimeMax()
double	getSessionTimeMean()
double	getSessionTimeStdDev()
long	getSessionTimeTotal()
protected abstract void	invalidateSessions()
boolean	isCheckingRemoteSessionIdEncoding()
boolean	isNodeIdInSessionId()
boolean	isSecureRequestOnly()
boolean	isUsingCookies()
boolean	isUsingURLs()
boolean	isValid(javax.servlet.http.HttpSession session)
javax.servlet.http.HttpSession	newHttpSession(javax.servlet.http.HttpServletRequest request) Create a new HttpSession for a request
protected abstract AbstractSession	newSession(javax.servlet.http.HttpServletRequest request) Create a new session instance
void	removeEventListener(EventListener listener) Removes an event listener for for session-related events.
void	removeSession(AbstractSession session, boolean invalidate) Remove session from manager
void	removeSession(javax.servlet.http.HttpSession session, boolean invalidate) Remove session from manager
protected abstract boolean	removeSession(String idInCluster)
static javax.servlet.http.HttpSession	renewSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession httpSession, boolean authenticated)
void	resetStats() Deprecated.
void	setCheckingRemoteSessionIdEncoding(boolean remote)
void	setHttpOnly(boolean httpOnly)
void	setIdManager(SessionIdManager metaManager) Deprecated. use setSessionIdManager(SessionIdManager)
void	setMaxInactiveInterval(int seconds) Sets the max period of inactivity, after which the session is invalidated, in seconds.
void	setNodeIdInSessionId(boolean nodeIdInSessionId)
void	setRefreshCookieAge(int ageInSeconds)
void	setSecureRequestOnly(boolean secureRequestOnly)
void	setSessionCookie(String cookieName)
void	setSessionHandler(SessionHandler sessionHandler) Sets the SessionHandler.
void	setSessionIdManager(SessionIdManager metaManager) Sets the cross context session id manager
void	setSessionIdPathParameterName(String param) Sets the session id URL path parameter name.
void	setSessionTrackingModes(Set<javax.servlet.SessionTrackingMode> sessionTrackingModes)
void	setUsingCookies(boolean usingCookies)
void	statsReset() Reset statistics values

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

addLifeCycleListener, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop

Field Detail

__defaultSessionTrackingModes

public Set<javax.servlet.SessionTrackingMode> __defaultSessionTrackingModes

SESSION_KNOWN_ONLY_TO_AUTHENTICATED

public static final String SESSION_KNOWN_ONLY_TO_AUTHENTICATED

See Also:

Constant Field Values

__distantFuture

public static final int __distantFuture

See Also:

Constant Field Values

_dftMaxIdleSecs

protected int _dftMaxIdleSecs

_sessionHandler

protected SessionHandler _sessionHandler

_httpOnly

protected boolean _httpOnly

_sessionIdManager

protected SessionIdManager _sessionIdManager

_secureCookies

protected boolean _secureCookies

_secureRequestOnly

protected boolean _secureRequestOnly

_sessionAttributeListeners

protected final List<javax.servlet.http.HttpSessionAttributeListener> _sessionAttributeListeners

_sessionListeners

protected final List<javax.servlet.http.HttpSessionListener> _sessionListeners

_loader

protected ClassLoader _loader

_context

protected ContextHandler.Context _context

_sessionCookie

protected String _sessionCookie

_sessionIdPathParameterName

protected String _sessionIdPathParameterName

_sessionIdPathParameterNamePrefix

protected String _sessionIdPathParameterNamePrefix

_sessionDomain

protected String _sessionDomain

_sessionPath

protected String _sessionPath

_maxCookieAge

protected int _maxCookieAge

_refreshCookieAge

protected int _refreshCookieAge

_nodeIdInSessionId

protected boolean _nodeIdInSessionId

_checkingRemoteSessionIdEncoding

protected boolean _checkingRemoteSessionIdEncoding

_sessionComment

protected String _sessionComment

_sessionTrackingModes

public Set<javax.servlet.SessionTrackingMode> _sessionTrackingModes

_sessionsStats

protected final CounterStatistic _sessionsStats

_sessionTimeStats

protected final SampleStatistic _sessionTimeStats

Constructor Detail

AbstractSessionManager

public AbstractSessionManager()

Method Detail

renewSession

public static javax.servlet.http.HttpSession renewSession(javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpSession httpSession,
                                          boolean authenticated)

getContext

public ContextHandler.Context getContext()

getContextHandler

public ContextHandler getContextHandler()

getSessionPath

public String getSessionPath()

getMaxCookieAge

public int getMaxCookieAge()

access

public HttpCookie access(javax.servlet.http.HttpSession session,
                boolean secure)

Description copied from interface: SessionManager

Called by the SessionHandler when a session is first accessed by a request.

Specified by:

access in interface SessionManager

Parameters:

session - the session object

secure - whether the request is secure or not

Returns:

the session cookie. If not null, this cookie should be set on the response to either migrate the session or to refresh a session cookie that may expire.

See Also:

SessionManager.complete(HttpSession)

addEventListener

public void addEventListener(EventListener listener)

Description copied from interface: SessionManager

Adds an event listener for session-related events.

Specified by:

addEventListener in interface SessionManager

Parameters:

listener - the session event listener to add Individual SessionManagers implementations may accept arbitrary listener types, but they are expected to at least handle HttpSessionActivationListener, HttpSessionAttributeListener, HttpSessionBindingListener and HttpSessionListener.

See Also:

SessionManager.removeEventListener(EventListener)

clearEventListeners

public void clearEventListeners()

Description copied from interface: SessionManager

Removes all event listeners for session-related events.

Specified by:

clearEventListeners in interface SessionManager

See Also:

SessionManager.removeEventListener(EventListener)

complete

public void complete(javax.servlet.http.HttpSession session)

Description copied from interface: SessionManager

Called by the SessionHandler when a session is last accessed by a request.

Specified by:

complete in interface SessionManager

Parameters:

session - the session object

See Also:

SessionManager.access(HttpSession, boolean)

doStart

public void doStart()
             throws Exception

Overrides:

doStart in class AbstractLifeCycle

Throws:

Exception

doStop

public void doStop()
            throws Exception

Overrides:

doStop in class AbstractLifeCycle

Throws:

Exception

getHttpOnly

public boolean getHttpOnly()

Specified by:

getHttpOnly in interface SessionManager

Returns:

Returns the httpOnly.

See Also:

HttpCookie.isHttpOnly()

getHttpSession

public javax.servlet.http.HttpSession getHttpSession(String nodeId)

Description copied from interface: SessionManager

Returns the HttpSession with the given session id

Specified by:

getHttpSession in interface SessionManager

Parameters:

nodeId - the session id

Returns:

the HttpSession with the corresponding id or null if no session with the given id exists

getIdManager

public SessionIdManager getIdManager()

Deprecated. Use getSessionIdManager()

Returns:

Returns the metaManager used for cross context session management

getSessionIdManager

public SessionIdManager getSessionIdManager()

Specified by:

getSessionIdManager in interface SessionManager

Returns:

Returns the SessionIdManager used for cross context session management

See Also:

SessionManager.setSessionIdManager(SessionIdManager)

getMaxInactiveInterval

public int getMaxInactiveInterval()

Specified by:

getMaxInactiveInterval in interface SessionManager

Returns:

seconds

See Also:

SessionManager.setMaxInactiveInterval(int)

getMaxSessions

@Deprecated
public int getMaxSessions()

Deprecated.

See Also:

getSessionsMax()

getSessionsMax

public int getSessionsMax()

Returns:

maximum number of sessions

getSessionsTotal

public int getSessionsTotal()

Returns:

total number of sessions

getMetaManager

@Deprecated
public SessionIdManager getMetaManager()

Deprecated. use getSessionIdManager()

Specified by:

getMetaManager in interface SessionManager

Returns:

the cross context session id manager.

getMinSessions

@Deprecated
public int getMinSessions()

Deprecated. always returns 0. no replacement available.

getRefreshCookieAge

public int getRefreshCookieAge()

getSecureCookies

public boolean getSecureCookies()

Returns:

same as SessionCookieConfig.getSecure(). If true, session cookies are ALWAYS marked as secure. If false, a session cookie is ONLY marked as secure if _secureRequestOnly == true and it is a HTTPS request.

isSecureRequestOnly

public boolean isSecureRequestOnly()

Returns:

true if session cookie is to be marked as secure only on HTTPS requests

setSecureRequestOnly

public void setSecureRequestOnly(boolean secureRequestOnly)

getSessionCookie

public String getSessionCookie()

getSessionCookie

public HttpCookie getSessionCookie(javax.servlet.http.HttpSession session,
                          String contextPath,
                          boolean requestIsSecure)

A sessioncookie is marked as secure IFF any of the following conditions are true:

1. SessionCookieConfig.setSecure == true
2. SessionCookieConfig.setSecure == false && _secureRequestOnly==true && request is HTTPS

According to SessionCookieConfig javadoc, case 1 can be used when: "... even though the request that initiated the session came over HTTP, is to support a topology where the web container is front-ended by an SSL offloading load balancer. In this case, the traffic between the client and the load balancer will be over HTTPS, whereas the traffic between the load balancer and the web container will be over HTTP." For case 2, you can use _secureRequestOnly to determine if you want the Servlet Spec 3.0 default behaviour when SessionCookieConfig.setSecure==false, which is: "they shall be marked as secure only if the request that initiated the corresponding session was also secure" The default for _secureRequestOnly is true, which gives the above behaviour. If you set it to false, then a session cookie is NEVER marked as secure, even if the initiating request was secure.

Specified by:

getSessionCookie in interface SessionManager

Parameters:

session - the session to which the cookie should refer.

contextPath - the context to which the cookie should be linked. The client will only send the cookie value when requesting resources under this path.

requestIsSecure - whether the client is accessing the server over a secure protocol (i.e. HTTPS).

Returns:

if this SessionManager uses cookies, then this method will return a new cookie object that should be set on the client in order to link future HTTP requests with the session. If cookies are not in use, this method returns null.

See Also:

SessionManager.getSessionCookie(javax.servlet.http.HttpSession, java.lang.String, boolean)

getSessionDomain

public String getSessionDomain()

getSessionHandler

public SessionHandler getSessionHandler()

Returns:

Returns the sessionHandler.

getSessionMap

public Map getSessionMap()

Deprecated. Need to review if it is needed.

getSessions

public int getSessions()

getSessionIdPathParameterName

public String getSessionIdPathParameterName()

Specified by:

getSessionIdPathParameterName in interface SessionManager

Returns:

the URL path parameter name for session id URL rewriting, by default "jsessionid".

See Also:

SessionManager.setSessionIdPathParameterName(String)

getSessionIdPathParameterNamePrefix

public String getSessionIdPathParameterNamePrefix()

Specified by:

getSessionIdPathParameterNamePrefix in interface SessionManager

Returns:

a formatted version of SessionManager.getSessionIdPathParameterName(), by default ";" + sessionIdParameterName + "=", for easier lookup in URL strings.

See Also:

SessionManager.getSessionIdPathParameterName()

isUsingCookies

public boolean isUsingCookies()

Specified by:

isUsingCookies in interface SessionManager

Returns:

Returns the usingCookies.

isValid

public boolean isValid(javax.servlet.http.HttpSession session)

Specified by:

isValid in interface SessionManager

Parameters:

session - the session to test for validity

Returns:

whether the given session is valid, that is, it has not been invalidated.

getClusterId

public String getClusterId(javax.servlet.http.HttpSession session)

Specified by:

getClusterId in interface SessionManager

Parameters:

session - the session object

Returns:

the unique id of the session within the cluster (without a node id extension)

See Also:

SessionManager.getNodeId(HttpSession)

getNodeId

public String getNodeId(javax.servlet.http.HttpSession session)

Specified by:

getNodeId in interface SessionManager

Parameters:

session - the session object

Returns:

the unique id of the session within the cluster, extended with an optional node id.

See Also:

SessionManager.getClusterId(HttpSession)

newHttpSession

public javax.servlet.http.HttpSession newHttpSession(javax.servlet.http.HttpServletRequest request)

Create a new HttpSession for a request

Specified by:

newHttpSession in interface SessionManager

Parameters:

request - the HttpServletRequest containing the requested session id

Returns:

the new HttpSession

removeEventListener

public void removeEventListener(EventListener listener)

Description copied from interface: SessionManager

Removes an event listener for for session-related events.

Specified by:

removeEventListener in interface SessionManager

Parameters:

listener - the session event listener to remove

See Also:

SessionManager.addEventListener(EventListener)

resetStats

@Deprecated
public void resetStats()

Deprecated.

See Also:

statsReset()

statsReset

public void statsReset()

Reset statistics values

setHttpOnly

public void setHttpOnly(boolean httpOnly)

Parameters:

httpOnly - The httpOnly to set.

setIdManager

public void setIdManager(SessionIdManager metaManager)

Deprecated. use setSessionIdManager(SessionIdManager)

Parameters:

metaManager - The metaManager used for cross context session management.

setSessionIdManager

public void setSessionIdManager(SessionIdManager metaManager)

Description copied from interface: SessionManager

Sets the cross context session id manager

Specified by:

setSessionIdManager in interface SessionManager

Parameters:

metaManager - The metaManager used for cross context session management.

See Also:

SessionManager.getSessionIdManager()

setMaxInactiveInterval

public void setMaxInactiveInterval(int seconds)

Description copied from interface: SessionManager

Sets the max period of inactivity, after which the session is invalidated, in seconds.

Specified by:

setMaxInactiveInterval in interface SessionManager

Parameters:

seconds -

See Also:

SessionManager.getMaxInactiveInterval()

setRefreshCookieAge

public void setRefreshCookieAge(int ageInSeconds)

setSessionCookie

public void setSessionCookie(String cookieName)

setSessionHandler

public void setSessionHandler(SessionHandler sessionHandler)

Description copied from interface: SessionManager

Sets the SessionHandler.

Specified by:

setSessionHandler in interface SessionManager

Parameters:

sessionHandler - The sessionHandler to set.

setSessionIdPathParameterName

public void setSessionIdPathParameterName(String param)

Description copied from interface: SessionManager

Sets the session id URL path parameter name.

Specified by:

setSessionIdPathParameterName in interface SessionManager

Parameters:

param - the URL path parameter name for session id URL rewriting (null or "none" for no rewriting).

See Also:

SessionManager.getSessionIdPathParameterName(), SessionManager.getSessionIdPathParameterNamePrefix()

setUsingCookies

public void setUsingCookies(boolean usingCookies)

Parameters:

usingCookies - The usingCookies to set.

addSession

protected abstract void addSession(AbstractSession session)

addSession

protected void addSession(AbstractSession session,
              boolean created)

Add the session Registers the session with this manager and registers the session ID with the sessionIDManager;

getSession

public abstract AbstractSession getSession(String idInCluster)

Get a known existing session

Parameters:

idInCluster - The session ID in the cluster, stripped of any worker name.

Returns:

A Session or null if none exists.

invalidateSessions

protected abstract void invalidateSessions()
                                    throws Exception

Throws:

Exception

newSession

protected abstract AbstractSession newSession(javax.servlet.http.HttpServletRequest request)

Create a new session instance

Parameters:

request -

Returns:

the new session

isNodeIdInSessionId

public boolean isNodeIdInSessionId()

Returns:

true if the cluster node id (worker id) is returned as part of the session id by HttpSession.getId(). Default is false.

setNodeIdInSessionId

public void setNodeIdInSessionId(boolean nodeIdInSessionId)

Parameters:

nodeIdInSessionId - true if the cluster node id (worker id) will be returned as part of the session id by HttpSession.getId(). Default is false.

removeSession

public void removeSession(javax.servlet.http.HttpSession session,
                 boolean invalidate)

Remove session from manager

Parameters:

session - The session to remove

invalidate - True if HttpSessionListener.sessionDestroyed(HttpSessionEvent) and SessionIdManager.invalidateAll(String) should be called.

removeSession

public void removeSession(AbstractSession session,
                 boolean invalidate)

Remove session from manager

Parameters:

session - The session to remove

invalidate - True if HttpSessionListener.sessionDestroyed(HttpSessionEvent) and SessionIdManager.invalidateAll(String) should be called.

removeSession

protected abstract boolean removeSession(String idInCluster)

getSessionTimeMax

public long getSessionTimeMax()

Returns:

maximum amount of time session remained valid

getDefaultSessionTrackingModes

public Set<javax.servlet.SessionTrackingMode> getDefaultSessionTrackingModes()

Specified by:

getDefaultSessionTrackingModes in interface SessionManager

getEffectiveSessionTrackingModes

public Set<javax.servlet.SessionTrackingMode> getEffectiveSessionTrackingModes()

Specified by:

getEffectiveSessionTrackingModes in interface SessionManager

setSessionTrackingModes

public void setSessionTrackingModes(Set<javax.servlet.SessionTrackingMode> sessionTrackingModes)

Specified by:

setSessionTrackingModes in interface SessionManager

isUsingURLs

public boolean isUsingURLs()

Specified by:

isUsingURLs in interface SessionManager

Returns:

whether the session management is handled via URLs.

getSessionCookieConfig

public javax.servlet.SessionCookieConfig getSessionCookieConfig()

Specified by:

getSessionCookieConfig in interface SessionManager

getSessionTimeTotal

public long getSessionTimeTotal()

Returns:

total amount of time all sessions remained valid

getSessionTimeMean

public double getSessionTimeMean()

Returns:

mean amount of time session remained valid

getSessionTimeStdDev

public double getSessionTimeStdDev()

Returns:

standard deviation of amount of time session remained valid

isCheckingRemoteSessionIdEncoding

public boolean isCheckingRemoteSessionIdEncoding()

Specified by:

isCheckingRemoteSessionIdEncoding in interface SessionManager

Returns:

True if absolute URLs are check for remoteness before being session encoded.

See Also:

SessionManager.isCheckingRemoteSessionIdEncoding()

setCheckingRemoteSessionIdEncoding

public void setCheckingRemoteSessionIdEncoding(boolean remote)

Specified by:

setCheckingRemoteSessionIdEncoding in interface SessionManager

Parameters:

remote - True if absolute URLs are check for remoteness before being session encoded.

See Also:

SessionManager.setCheckingRemoteSessionIdEncoding(boolean)

doSessionAttributeListeners

public void doSessionAttributeListeners(AbstractSession session,
                               String name,
                               Object old,
                               Object value)