@ManagedObject public class SessionHandler extends ScopedHandler
Modifier and Type | Class and Description |
---|---|
class |
SessionHandler.CookieConfig
CookieConfig
Implementation of the javax.servlet.SessionCookieConfig.
|
class |
SessionHandler.SessionAsyncListener
SessionAsyncListener
Used to ensure that a request for which async has been started
has its session completed as the request exits the context.
|
static interface |
SessionHandler.SessionIf
SessionIf
Interface that any session wrapper should implement so that
SessionManager may access the Jetty session implementation.
|
AbstractHandler.ErrorDispatchHandler
AbstractLifeCycle.AbstractLifeCycleListener
LifeCycle.Listener
Container.InheritedListener, Container.Listener
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
__CheckRemoteSessionEncoding |
static java.lang.String |
__DefaultSessionCookie |
static java.lang.String |
__DefaultSessionDomain |
static java.lang.String |
__DefaultSessionIdPathParameterName |
java.util.Set<javax.servlet.SessionTrackingMode> |
__defaultSessionTrackingModes |
static java.lang.String |
__MaxAgeProperty
Session Max Age.
|
static java.lang.String |
__SessionCookieProperty
Session cookie name.
|
static java.lang.String |
__SessionDomainProperty
Session Domain.
|
static java.lang.String |
__SessionIdPathParameterNameProperty
Session id path parameter name.
|
static java.lang.String |
__SessionPathProperty
Session Path.
|
protected java.util.Set<java.lang.String> |
_candidateSessionIdsForExpiry |
protected boolean |
_checkingRemoteSessionIdEncoding |
protected ContextHandler.Context |
_context |
protected int |
_dftMaxIdleSecs
Setting of max inactive interval for new sessions
-1 means no timeout
|
protected boolean |
_httpOnly |
protected java.lang.ClassLoader |
_loader |
protected int |
_maxCookieAge |
protected boolean |
_nodeIdInSessionId |
protected boolean |
_ownScheduler |
protected int |
_refreshCookieAge |
protected Scheduler |
_scheduler |
protected boolean |
_secureCookies |
protected boolean |
_secureRequestOnly |
protected SessionHandler.SessionAsyncListener |
_sessionAsyncListener |
protected java.util.List<javax.servlet.http.HttpSessionAttributeListener> |
_sessionAttributeListeners |
protected SessionCache |
_sessionCache |
protected java.lang.String |
_sessionComment |
protected SessionContext |
_sessionContext |
protected java.lang.String |
_sessionCookie |
protected java.lang.String |
_sessionDomain |
protected java.util.List<javax.servlet.http.HttpSessionIdListener> |
_sessionIdListeners |
protected SessionIdManager |
_sessionIdManager |
protected java.lang.String |
_sessionIdPathParameterName |
protected java.lang.String |
_sessionIdPathParameterNamePrefix |
protected java.util.List<javax.servlet.http.HttpSessionListener> |
_sessionListeners |
protected java.lang.String |
_sessionPath |
protected CounterStatistic |
_sessionsCreatedStats |
protected SampleStatistic |
_sessionTimeStats |
java.util.Set<javax.servlet.SessionTrackingMode> |
_sessionTrackingModes |
protected boolean |
_usingCookies |
protected boolean |
_usingURLs |
static java.util.EnumSet<javax.servlet.SessionTrackingMode> |
DEFAULT_TRACKING |
static java.math.BigDecimal |
MAX_INACTIVE_MINUTES
Web.xml session-timeout is set in minutes, but is stored as an int in seconds by HttpSession and
the sessionmanager.
|
static java.lang.Class<? extends java.util.EventListener>[] |
SESSION_LISTENER_TYPES |
_nextScope, _outerScope
_handler
Constructor and Description |
---|
SessionHandler()
Constructor.
|
Modifier and Type | Method and Description |
---|---|
HttpCookie |
access(javax.servlet.http.HttpSession session,
boolean secure)
Called by the
SessionHandler when a session is first accessed by a request. |
void |
addEventListener(java.util.EventListener listener)
Adds an event listener for session-related events.
|
protected void |
callSessionCreatedListeners(Session session)
Call the session lifecycle listeners
|
protected void |
callSessionDestroyedListeners(Session session)
Call the session lifecycle listeners
|
protected void |
callSessionIdListeners(Session session,
java.lang.String oldId) |
protected void |
checkRequestedSessionId(Request baseRequest,
javax.servlet.http.HttpServletRequest request)
Look for a requested session ID in cookies and URI parameters
|
void |
clearEventListeners()
Removes all event listeners for session-related events.
|
void |
complete(javax.servlet.http.HttpSession session)
Called by the
SessionHandler when a session is last accessed by a request. |
void |
complete(Session session,
Request baseRequest)
Deprecated.
|
void |
doHandle(java.lang.String target,
Request baseRequest,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Do the handler work within the scope.
|
void |
doScope(java.lang.String target,
Request baseRequest,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Scope the handler
|
void |
doSessionAttributeListeners(Session session,
java.lang.String name,
java.lang.Object old,
java.lang.Object value) |
protected void |
doStart()
Starts the managed lifecycle beans in the order they were added.
|
protected void |
doStop()
Stops the managed lifecycle beans in the reverse order they were added.
|
java.util.Set<javax.servlet.SessionTrackingMode> |
getDefaultSessionTrackingModes() |
java.util.Set<javax.servlet.SessionTrackingMode> |
getEffectiveSessionTrackingModes() |
java.lang.String |
getExtendedId(javax.servlet.http.HttpSession session) |
boolean |
getHttpOnly() |
javax.servlet.http.HttpSession |
getHttpSession(java.lang.String extendedId)
Returns the
HttpSession with the given session id |
java.lang.String |
getId(javax.servlet.http.HttpSession session) |
int |
getMaxCookieAge() |
int |
getMaxInactiveInterval() |
int |
getRefreshCookieAge() |
Scheduler |
getScheduler() |
boolean |
getSecureCookies() |
Session |
getSession(java.lang.String id)
Get a known existing session
|
SessionCache |
getSessionCache() |
java.lang.String |
getSessionCookie() |
HttpCookie |
getSessionCookie(javax.servlet.http.HttpSession session,
java.lang.String contextPath,
boolean requestIsSecure)
A session cookie is marked as secure IFF any of the following conditions are true:
1. SessionCookieConfig.setSecure == true
2. SessionCookieConfig.setSecure == false && _secureRequestOnly==true && request is HTTPS
According to SessionCookieConfig javadoc, case 1 can be used when:
"...
|
javax.servlet.SessionCookieConfig |
getSessionCookieConfig() |
java.lang.String |
getSessionDomain() |
SessionIdManager |
getSessionIdManager()
Gets the cross context session id manager
|
java.lang.String |
getSessionIdPathParameterName() |
java.lang.String |
getSessionIdPathParameterNamePrefix() |
java.lang.String |
getSessionPath() |
int |
getSessionsCreated() |
long |
getSessionTimeMax() |
double |
getSessionTimeMean() |
double |
getSessionTimeStdDev() |
long |
getSessionTimeTotal() |
void |
invalidate(java.lang.String id)
Called by SessionIdManager to remove a session that has been invalidated,
either by this context or another context.
|
boolean |
isCheckingRemoteSessionIdEncoding() |
boolean |
isIdInUse(java.lang.String id)
Check if id is in use by this context
|
boolean |
isNodeIdInSessionId() |
boolean |
isSecureRequestOnly() |
boolean |
isUsingCookies() |
boolean |
isUsingURLs() |
boolean |
isValid(javax.servlet.http.HttpSession session) |
javax.servlet.http.HttpSession |
newHttpSession(javax.servlet.http.HttpServletRequest request)
Creates a new
HttpSession . |
protected void |
recordSessionTime(Session session)
Record length of time session has been active.
|
void |
removeEventListener(java.util.EventListener listener)
Removes an event listener for session-related events.
|
Session |
removeSession(java.lang.String id,
boolean invalidate)
Remove session from manager
|
void |
renewSessionId(java.lang.String oldId,
java.lang.String oldExtendedId,
java.lang.String newId,
java.lang.String newExtendedId)
Change the existing session id.
|
void |
scavenge()
Called periodically by the HouseKeeper to handle the list of
sessions that have expired since the last call to scavenge.
|
void |
sessionInactivityTimerExpired(Session session)
Deprecated.
|
void |
sessionInactivityTimerExpired(Session session,
long now)
Each session has a timer that is configured to go off
when either the session has not been accessed for a
configurable amount of time, or the session itself
has passed its expiry.
|
void |
setCheckingRemoteSessionIdEncoding(boolean remote) |
void |
setHttpOnly(boolean httpOnly) |
void |
setMaxInactiveInterval(int seconds)
Sets the max period of inactivity, after which the session is invalidated, in seconds.
|
void |
setNodeIdInSessionId(boolean nodeIdInSessionId) |
void |
setRefreshCookieAge(int ageInSeconds) |
void |
setSecureRequestOnly(boolean secureRequestOnly)
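Sets whether, when SessionCookieConfig.setSecure is false, session cookies are marked as secure only if the request that initiated the session was an HTTPS request.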
|
void |
setSessionCache(SessionCache cache) |
void |
setSessionCookie(java.lang.String cookieName) |
void |
setSessionIdManager(SessionIdManager metaManager) |
void |
setSessionIdPathParameterName(java.lang.String param)
Sets the session id URL path parameter name.
|
void |
setSessionTrackingModes(java.util.Set<javax.servlet.SessionTrackingMode> sessionTrackingModes) |
void |
setUsingCookies(boolean usingCookies) |
protected void |
shutdownSessions()
Prepare sessions for session manager shutdown
|
void |
statsReset()
Reset statistics values
|
java.lang.String |
toString() |
handle, nextHandle, nextScope
destroy, expandChildren, getHandler, getHandlers, insertHandler, setHandler
doShutdown, expandHandler, findContainerOf, getChildHandlerByClass, getChildHandlers, getChildHandlersByClass, setServer
doError, getServer
addBean, addBean, addBean, addEventListener, addManaged, contains, dump, dump, dump, dump, dump, dumpBeans, dumpObject, dumpObjects, dumpStdErr, dumpThis, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, setStopTimeout, start, stop, unmanage, updateBean, updateBean, updateBeans
addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, start, stop, stop
dumpObjects, dumpSelf
public static final java.util.EnumSet<javax.servlet.SessionTrackingMode> DEFAULT_TRACKING
public static final java.lang.String __SessionCookieProperty
Session cookie name. Defaults to JSESSIONID, but can be set with the org.eclipse.jetty.servlet.SessionCookie context init parameter.
public static final java.lang.String __DefaultSessionCookie
public static final java.lang.String __SessionIdPathParameterNameProperty
Session id path parameter name. Defaults to jsessionid, but can be set with the org.eclipse.jetty.servlet.SessionIdPathParameterName context init parameter.
If context init param is "none", or setSessionIdPathParameterName is called with null or "none", no URL rewriting will be done.
public static final java.lang.String __DefaultSessionIdPathParameterName
public static final java.lang.String __CheckRemoteSessionEncoding
public static final java.lang.String __SessionDomainProperty
public static final java.lang.String __DefaultSessionDomain
public static final java.lang.String __SessionPathProperty
public static final java.lang.String __MaxAgeProperty
public java.util.Set<javax.servlet.SessionTrackingMode> __defaultSessionTrackingModes
public static final java.lang.Class<? extends java.util.EventListener>[] SESSION_LISTENER_TYPES
public static final java.math.BigDecimal MAX_INACTIVE_MINUTES
protected int _dftMaxIdleSecs
protected boolean _httpOnly
protected SessionIdManager _sessionIdManager
protected boolean _secureCookies
protected boolean _secureRequestOnly
protected final java.util.List<javax.servlet.http.HttpSessionAttributeListener> _sessionAttributeListeners
protected final java.util.List<javax.servlet.http.HttpSessionListener> _sessionListeners
protected final java.util.List<javax.servlet.http.HttpSessionIdListener> _sessionIdListeners
protected java.lang.ClassLoader _loader
protected ContextHandler.Context _context
protected SessionContext _sessionContext
protected java.lang.String _sessionCookie
protected java.lang.String _sessionIdPathParameterName
protected java.lang.String _sessionIdPathParameterNamePrefix
protected java.lang.String _sessionDomain
protected java.lang.String _sessionPath
protected int _maxCookieAge
protected int _refreshCookieAge
protected boolean _nodeIdInSessionId
protected boolean _checkingRemoteSessionIdEncoding
protected java.lang.String _sessionComment
protected SessionCache _sessionCache
protected final SampleStatistic _sessionTimeStats
protected final CounterStatistic _sessionsCreatedStats
public java.util.Set<javax.servlet.SessionTrackingMode> _sessionTrackingModes
protected boolean _usingURLs
protected boolean _usingCookies
protected java.util.Set<java.lang.String> _candidateSessionIdsForExpiry
protected Scheduler _scheduler
protected boolean _ownScheduler
protected final SessionHandler.SessionAsyncListener _sessionAsyncListener
@ManagedAttribute(value="path of the session cookie, or null for default") public java.lang.String getSessionPath()
@ManagedAttribute(value="if greater the zero, the time in seconds a session cookie will last for") public int getMaxCookieAge()
public HttpCookie access(javax.servlet.http.HttpSession session, boolean secure)
SessionHandler
when a session is first accessed by a request.session
- the session objectsecure
- whether the request is secure or notcomplete(HttpSession)
public void addEventListener(java.util.EventListener listener)
listener
- the session event listener to add
Individual SessionManager implementations may accept arbitrary listener types,
but they are expected to at least handle HttpSessionActivationListener,
HttpSessionAttributeListener, HttpSessionBindingListener and HttpSessionListener.
See also: removeEventListener(EventListener)
public void clearEventListeners()
removeEventListener(EventListener)
protected void callSessionDestroyedListeners(Session session)
session
- the session on which to call the lifecycle listenersprotected void callSessionCreatedListeners(Session session)
session
- the session on which to call the lifecycle listenersprotected void callSessionIdListeners(Session session, java.lang.String oldId)
public void complete(javax.servlet.http.HttpSession session)
SessionHandler
when a session is last accessed by a request.session
- the session objectaccess(HttpSession, boolean)
protected void doStart() throws java.lang.Exception
ContainerLifeCycle
doStart
in class ScopedHandler
java.lang.Exception
AbstractHandler.doStart()
protected void doStop() throws java.lang.Exception
ContainerLifeCycle
doStop
in class AbstractHandler
java.lang.Exception
@ManagedAttribute(value="true if cookies use the http only flag") public boolean getHttpOnly()
HttpCookie.isHttpOnly()
public javax.servlet.http.HttpSession getHttpSession(java.lang.String extendedId)
HttpSession
with the given session idextendedId
- the session idHttpSession
with the corresponding id or null if no session with the given id exists@ManagedAttribute(value="Session ID Manager") public SessionIdManager getSessionIdManager()
@ManagedAttribute(value="default maximum time a session may be idle for (in s)") public int getMaxInactiveInterval()
setMaxInactiveInterval(int)
@ManagedAttribute(value="time before a session cookie is re-set (in s)") public int getRefreshCookieAge()
@ManagedAttribute(value="if true, secure cookie flag is set on session cookies") public boolean getSecureCookies()
public boolean isSecureRequestOnly()
public void setSecureRequestOnly(boolean secureRequestOnly)
secureRequestOnly
- true to set Session Cookie Config as secure@ManagedAttribute(value="the set session cookie") public java.lang.String getSessionCookie()
public HttpCookie getSessionCookie(javax.servlet.http.HttpSession session, java.lang.String contextPath, boolean requestIsSecure)
For case 2, you can use _secureRequestOnly to determine if you want the Servlet Spec 3.0 default behavior when SessionCookieConfig.setSecure==false, which is: "they shall be marked as secure only if the request that initiated the corresponding session was also secure"
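The default for _secureRequestOnly is true, which gives the above behavior. If you set it to false, then in case 2 (SessionCookieConfig.setSecure==false) a session cookie is NEVER marked as secure, even if the initiating request was secure; without the Secure attribute the browser will also send the cookie over plain HTTP.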
session
- the session to which the cookie should refer.contextPath
- the context to which the cookie should be linked.
The client will only send the cookie value when requesting resources under this path.requestIsSecure
- whether the client is accessing the server over a secure protocol (i.e. HTTPS).
Returns: if this SessionManager uses cookies, then this method will return a new cookie object that should be set on the client in order to link future HTTP requests with the session. If cookies are not in use, this method returns null.
@ManagedAttribute(value="domain of the session cookie, or null for the default") public java.lang.String getSessionDomain()
@ManagedAttribute(value="number of sessions created by this node") public int getSessionsCreated()
@ManagedAttribute(value="name of use for URL session tracking") public java.lang.String getSessionIdPathParameterName()
setSessionIdPathParameterName(String)
public java.lang.String getSessionIdPathParameterNamePrefix()
getSessionIdPathParameterName()
, by default
";" + sessionIdParameterName + "=", for easier lookup in URL strings.getSessionIdPathParameterName()
public boolean isUsingCookies()
public boolean isValid(javax.servlet.http.HttpSession session)
session
- the session to test for validitypublic java.lang.String getId(javax.servlet.http.HttpSession session)
session
- the session objectgetExtendedId(HttpSession)
public java.lang.String getExtendedId(javax.servlet.http.HttpSession session)
session
- the session objectgetId(HttpSession)
public javax.servlet.http.HttpSession newHttpSession(javax.servlet.http.HttpServletRequest request)
HttpSession
.request
- the HttpServletRequest containing the requested session idHttpSession
public void removeEventListener(java.util.EventListener listener)
listener
- the session event listener to removeaddEventListener(EventListener)
@ManagedOperation(value="reset statistics", impact="ACTION") public void statsReset()
public void setHttpOnly(boolean httpOnly)
httpOnly
- The httpOnly to set.public void setSessionIdManager(SessionIdManager metaManager)
metaManager
- The metaManager used for cross context session management.public void setMaxInactiveInterval(int seconds)
seconds
- the max inactivity period, in seconds.getMaxInactiveInterval()
public void setRefreshCookieAge(int ageInSeconds)
public void setSessionCookie(java.lang.String cookieName)
public void setSessionIdPathParameterName(java.lang.String param)
param
- the URL path parameter name for session id URL rewriting (null or "none" for no rewriting).getSessionIdPathParameterName()
,
getSessionIdPathParameterNamePrefix()
public void setUsingCookies(boolean usingCookies)
usingCookies
- The usingCookies to set.public Session getSession(java.lang.String id)
id
- The session ID stripped of any worker name.protected void shutdownSessions() throws java.lang.Exception
java.lang.Exception
- if unable to shutdown sessions
public SessionCache getSessionCache()
public void setSessionCache(SessionCache cache)
cache
- the session store to usepublic boolean isNodeIdInSessionId()
HttpSession.getId()
. Default is false.public void setNodeIdInSessionId(boolean nodeIdInSessionId)
nodeIdInSessionId
- true if the cluster node id (worker id) will be returned as part of the session id by HttpSession.getId()
. Default is false.public Session removeSession(java.lang.String id, boolean invalidate)
id
- The session to removeinvalidate
- True if HttpSessionListener.sessionDestroyed(HttpSessionEvent)
and
SessionIdManager.expireAll(String)
should be called.@ManagedAttribute(value="maximum amount of time sessions have remained active (in s)") public long getSessionTimeMax()
public java.util.Set<javax.servlet.SessionTrackingMode> getDefaultSessionTrackingModes()
public java.util.Set<javax.servlet.SessionTrackingMode> getEffectiveSessionTrackingModes()
public void setSessionTrackingModes(java.util.Set<javax.servlet.SessionTrackingMode> sessionTrackingModes)
public boolean isUsingURLs()
public javax.servlet.SessionCookieConfig getSessionCookieConfig()
@ManagedAttribute(value="total time sessions have remained valid") public long getSessionTimeTotal()
@ManagedAttribute(value="mean time sessions remain valid (in s)") public double getSessionTimeMean()
@ManagedAttribute(value="standard deviation a session remained valid (in s)") public double getSessionTimeStdDev()
@ManagedAttribute(value="check remote session id encoding") public boolean isCheckingRemoteSessionIdEncoding()
public void setCheckingRemoteSessionIdEncoding(boolean remote)
remote
- True if absolute URLs are checked for remoteness before being session encoded.
public void renewSessionId(java.lang.String oldId, java.lang.String oldExtendedId, java.lang.String newId, java.lang.String newExtendedId)
oldId
- the old session idoldExtendedId
- the session id including worker suffixnewId
- the new session idnewExtendedId
- the new session id including worker suffixprotected void recordSessionTime(Session session)
session
- the session whose time to recordpublic void invalidate(java.lang.String id)
id
- the session id to invalidatepublic void scavenge()
@Deprecated public void sessionInactivityTimerExpired(Session session)
public void sessionInactivityTimerExpired(Session session, long now)
session
- the sessionnow
- the time at which to check for expirypublic boolean isIdInUse(java.lang.String id) throws java.lang.Exception
id
- identity of session to checktrue
if this manager knows about this idjava.lang.Exception
- if any error occurredpublic Scheduler getScheduler()
public void doSessionAttributeListeners(Session session, java.lang.String name, java.lang.Object old, java.lang.Object value)
public void doScope(java.lang.String target, Request baseRequest, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException
ScopedHandler
Derived implementations should call ScopedHandler.nextScope(String, Request, HttpServletRequest, HttpServletResponse)
doScope
in class ScopedHandler
target
- The target of the request - either a URI or a name.baseRequest
- The original unwrapped request object.request
- The request either as the Request
object or a wrapper of that request. The
HttpConnection.getCurrentConnection()
.getHttpChannel()
.getRequest()
method can be used to access the Request object if required.
response
- The response as the Response
object or a wrapper of that response. The
HttpConnection.getCurrentConnection()
.getHttpChannel()
.getResponse()
method can be used to access the Response object if required.
java.io.IOException
- if unable to handle the request or response processingjavax.servlet.ServletException
- if unable to handle the request or response due to underlying servlet issuepublic void doHandle(java.lang.String target, Request baseRequest, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException
ScopedHandler
Derived implementations should call ScopedHandler.nextHandle(String, Request, HttpServletRequest, HttpServletResponse)
doHandle
in class ScopedHandler
target
- The target of the request - either a URI or a name.baseRequest
- The original unwrapped request object.request
- The request either as the Request
object or a wrapper of that request. The
HttpConnection.getCurrentConnection()
.getHttpChannel()
.getRequest()
method can be used to access the Request object if required.
response
- The response as the Response
object or a wrapper of that response. The
HttpConnection.getCurrentConnection()
.getHttpChannel()
.getResponse()
method can be used to access the Response object if required.
java.io.IOException
- if unable to handle the request or response processingjavax.servlet.ServletException
- if unable to handle the request or response due to underlying servlet issueprotected void checkRequestedSessionId(Request baseRequest, javax.servlet.http.HttpServletRequest request)
baseRequest
- the request to checkrequest
- the request to checkpublic java.lang.String toString()
toString
in class AbstractLifeCycle
Object.toString()
Copyright © 1995–2023 Webtide. All rights reserved.