@ManagedObject public class SessionHandler extends ScopedHandler
Modifier and Type | Class and Description |
---|---|
class | SessionHandler.CookieConfig - Implementation of the javax.servlet.SessionCookieConfig. |
static interface | SessionHandler.SessionIf - Interface that any session wrapper should implement so that SessionManager may access the Jetty session implementation. |
AbstractHandler.ErrorDispatchHandler
AbstractLifeCycle.AbstractLifeCycleListener
LifeCycle.Listener
Container.InheritedListener, Container.Listener
Modifier and Type | Field and Description |
---|---|
static String | __CheckRemoteSessionEncoding |
static String | __DefaultSessionCookie |
static String | __DefaultSessionDomain |
static String | __DefaultSessionIdPathParameterName |
static String | __MaxAgeProperty - Session Max Age. |
static String | __SessionCookieProperty - Session cookie name. |
static String | __SessionDomainProperty - Session Domain. |
static String | __SessionIdPathParameterNameProperty - Session id path parameter name. |
static String | __SessionPathProperty - Session Path. |
Set<SessionTrackingMode> | _sessionTrackingModes |
static Set<SessionTrackingMode> | DEFAULT_SESSION_TRACKING_MODES |
static EnumSet<SessionTrackingMode> | DEFAULT_TRACKING |
static BigDecimal | MAX_INACTIVE_MINUTES - Web.xml session-timeout is set in minutes, but is stored as an int in seconds by HttpSession and the sessionmanager. |
static Class<? extends EventListener>[] | SESSION_LISTENER_TYPES |
Constructor and Description |
---|
SessionHandler() - Constructor. |
Modifier and Type | Method and Description |
---|---|
HttpCookie | access(HttpSession session, boolean secure) - Called by the SessionHandler when a session is first accessed by a request. |
void | addEventListener(EventListener listener) - Adds an event listener for session-related events. |
void | clearEventListeners() - Removes all event listeners for session-related events. |
void | commit(HttpSession session) - Called when a response is about to be committed. |
void | complete(HttpSession session) - Called when a request is finally leaving a session. |
void | complete(Session session, Request baseRequest) - Deprecated. |
void | doHandle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) - Do the handler work within the scope. |
void | doScope(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) - Scope the handler |
void | doSessionAttributeListeners(Session session, String name, Object old, Object value) |
Set<SessionTrackingMode> | getDefaultSessionTrackingModes() |
Set<SessionTrackingMode> | getEffectiveSessionTrackingModes() |
String | getExtendedId(HttpSession session) |
boolean | getHttpOnly() |
String | getId(HttpSession session) |
int | getMaxCookieAge() |
int | getMaxInactiveInterval() |
int | getRefreshCookieAge() |
HttpCookie.SameSite | getSameSite() |
Scheduler | getScheduler() |
boolean | getSecureCookies() |
Session | getSession(String id) - Get a known existing session |
SessionCache | getSessionCache() |
String | getSessionCookie() |
HttpCookie | getSessionCookie(HttpSession session, String contextPath, boolean requestIsSecure) - A session cookie is marked as secure IFF any of the following conditions are true: (1) SessionCookieConfig.setSecure == true; (2) SessionCookieConfig.setSecure == false && _secureRequestOnly==true && request is HTTPS. According to SessionCookieConfig javadoc, case 1 can be used when: "... |
SessionCookieConfig | getSessionCookieConfig() |
String | getSessionDomain() |
SessionIdManager | getSessionIdManager() - Gets the cross context session id manager |
String | getSessionIdPathParameterName() |
String | getSessionIdPathParameterNamePrefix() |
String | getSessionPath() |
int | getSessionsCreated() |
long | getSessionTimeMax() |
double | getSessionTimeMean() |
double | getSessionTimeStdDev() |
long | getSessionTimeTotal() |
void | invalidate(String id) - Called by SessionIdManager to remove a session that has been invalidated, either by this context or another context. |
boolean | isCheckingRemoteSessionIdEncoding() |
boolean | isIdInUse(String id) - Check if id is in use by this context |
boolean | isNodeIdInSessionId() |
boolean | isSecureRequestOnly() |
boolean | isUsingCookies() |
boolean | isUsingURLs() |
boolean | isValid(HttpSession session) |
HttpSession | newHttpSession(HttpServletRequest request) - Creates a new HttpSession. |
void | removeEventListener(EventListener listener) - Removes an event listener for session-related events. |
Session | removeSession(String id, boolean invalidate) - Remove session from manager |
void | renewSessionId(String oldId, String oldExtendedId, String newId, String newExtendedId) - Change the existing session id. |
void | scavenge() - Called periodically by the HouseKeeper to handle the list of sessions that have expired since the last call to scavenge. |
void | sessionInactivityTimerExpired(Session session) - Deprecated. |
void | sessionInactivityTimerExpired(Session session, long now) - Each session has a timer that is configured to go off when either the session has not been accessed for a configurable amount of time, or the session itself has passed its expiry. |
void | setCheckingRemoteSessionIdEncoding(boolean remote) |
void | setHttpOnly(boolean httpOnly) - Set if Session cookies should use HTTP Only |
void | setMaxInactiveInterval(int seconds) - Sets the max period of inactivity, after which the session is invalidated, in seconds. |
void | setNodeIdInSessionId(boolean nodeIdInSessionId) |
void | setRefreshCookieAge(int ageInSeconds) |
void | setSameSite(HttpCookie.SameSite sameSite) - Set Session cookie sameSite mode. |
void | setSecureRequestOnly(boolean secureRequestOnly) - HTTPS request. |
void | setSessionCache(SessionCache cache) |
void | setSessionCookie(String cookieName) |
void | setSessionIdManager(SessionIdManager metaManager) |
void | setSessionIdPathParameterName(String param) - Sets the session id URL path parameter name. |
void | setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) |
void | setUsingCookies(boolean usingCookies) |
void | statsReset() - Reset statistics values |
String | toString() |
handle, nextHandle, nextScope
destroy, getHandler, getHandlers, insertHandler, setHandler
findContainerOf, getChildHandlerByClass, getChildHandlers, getChildHandlersByClass, setServer
getServer
addBean, addBean, addEventListener, addManaged, contains, dump, dump, dump, dump, dump, dumpObject, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, setStopTimeout, unmanage, updateBean, updateBean, updateBeans
addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
equals, getClass, hashCode, notify, notifyAll, wait, wait, wait
addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, start, stop, stop
dumpContainer, dumpIterable, dumpMapEntries, dumpObjects, dumpSelf, named
public static final EnumSet<SessionTrackingMode> DEFAULT_TRACKING
public static final String __SessionCookieProperty
Session cookie name. Defaults to JSESSIONID, but can be set with the org.eclipse.jetty.servlet.SessionCookie context init parameter.
public static final String __DefaultSessionCookie
public static final String __SessionIdPathParameterNameProperty
Session id path parameter name. Defaults to jsessionid, but can be set with the org.eclipse.jetty.servlet.SessionIdPathParameterName context init parameter. If context init param is "none", or setSessionIdPathParameterName is called with null or "none", no URL rewriting will be done.
public static final String __DefaultSessionIdPathParameterName
public static final String __CheckRemoteSessionEncoding
public static final String __SessionDomainProperty
public static final String __DefaultSessionDomain
public static final String __SessionPathProperty
public static final String __MaxAgeProperty
public static final Set<SessionTrackingMode> DEFAULT_SESSION_TRACKING_MODES
public static final Class<? extends EventListener>[] SESSION_LISTENER_TYPES
public static final BigDecimal MAX_INACTIVE_MINUTES
public Set<SessionTrackingMode> _sessionTrackingModes
@ManagedAttribute(value="path of the session cookie, or null for default") public String getSessionPath()
@ManagedAttribute(value="if greater the zero, the time in seconds a session cookie will last for") public int getMaxCookieAge()
public HttpCookie access(HttpSession session, boolean secure)
Called by the SessionHandler when a session is first accessed by a request.
session - the session object
secure - whether the request is secure or not
See also: complete(HttpSession)
public void addEventListener(EventListener listener)
listener - the session event listener to add. Individual SessionManagers implementations may accept arbitrary listener types, but they are expected to at least handle HttpSessionActivationListener, HttpSessionAttributeListener, HttpSessionBindingListener and HttpSessionListener.
See also: removeEventListener(EventListener)
public void clearEventListeners()
See also: removeEventListener(EventListener)
public void complete(HttpSession session)
session - the session object
public void commit(HttpSession session)
@Deprecated public void complete(Session session, Request baseRequest)
@ManagedAttribute(value="true if cookies use the http only flag") public boolean getHttpOnly()
See also: HttpCookie.isHttpOnly()
@ManagedAttribute(value="SameSite setting for session cookies") public HttpCookie.SameSite getSameSite()
See also: HttpCookie.getSameSite()
@ManagedAttribute(value="Session ID Manager") public SessionIdManager getSessionIdManager()
@ManagedAttribute(value="default maximum time a session may be idle for (in s)") public int getMaxInactiveInterval()
See also: setMaxInactiveInterval(int)
@ManagedAttribute(value="time before a session cookie is re-set (in s)") public int getRefreshCookieAge()
@ManagedAttribute(value="if true, secure cookie flag is set on session cookies") public boolean getSecureCookies()
public boolean isSecureRequestOnly()
public void setSecureRequestOnly(boolean secureRequestOnly)
secureRequestOnly - true to set Session Cookie Config as secure
@ManagedAttribute(value="the set session cookie") public String getSessionCookie()
public HttpCookie getSessionCookie(HttpSession session, String contextPath, boolean requestIsSecure)
For case 2, you can use _secureRequestOnly to determine if you want the Servlet Spec 3.0 default behavior when SessionCookieConfig.setSecure==false, which is: "they shall be marked as secure only if the request that initiated the corresponding session was also secure"
The default for _secureRequestOnly is true, which gives the above behavior. If you set it to false, then a session cookie is NEVER marked as secure, even if the initiating request was secure.
session - the session to which the cookie should refer.
contextPath - the context to which the cookie should be linked. The client will only send the cookie value when requesting resources under this path.
requestIsSecure - whether the client is accessing the server over a secure protocol (i.e. HTTPS).
Returns: If the SessionManager uses cookies, then this method will return a new cookie object that should be set on the client in order to link future HTTP requests with the session. If cookies are not in use, this method returns null.
@ManagedAttribute(value="domain of the session cookie, or null for the default") public String getSessionDomain()
@ManagedAttribute(value="number of sessions created by this node") public int getSessionsCreated()
@ManagedAttribute(value="name of use for URL session tracking") public String getSessionIdPathParameterName()
See also: setSessionIdPathParameterName(String)
public String getSessionIdPathParameterNamePrefix()
getSessionIdPathParameterName(), by default ";" + sessionIdParameterName + "=", for easier lookup in URL strings.
See also: getSessionIdPathParameterName()
public boolean isUsingCookies()
public boolean isValid(HttpSession session)
session - the session to test for validity
public String getId(HttpSession session)
session - the session object
See also: getExtendedId(HttpSession)
public String getExtendedId(HttpSession session)
session - the session object
See also: getId(HttpSession)
public HttpSession newHttpSession(HttpServletRequest request)
Creates a new HttpSession.
request - the HttpServletRequest containing the requested session id
Returns: HttpSession
public void removeEventListener(EventListener listener)
listener - the session event listener to remove
See also: addEventListener(EventListener)
@ManagedOperation(value="reset statistics", impact="ACTION") public void statsReset()
public void setHttpOnly(boolean httpOnly)
httpOnly - True if cookies should be HttpOnly.
See also: HttpCookie
public void setSameSite(HttpCookie.SameSite sameSite)
SessionCookieConfig
sameSite - The sameSite setting for Session cookies (or null for no sameSite setting)
public void setSessionIdManager(SessionIdManager metaManager)
metaManager - The metaManager used for cross context session management.
public void setMaxInactiveInterval(int seconds)
seconds - the max inactivity period, in seconds.
See also: getMaxInactiveInterval()
public void setRefreshCookieAge(int ageInSeconds)
public void setSessionCookie(String cookieName)
public void setSessionIdPathParameterName(String param)
param - the URL path parameter name for session id URL rewriting (null or "none" for no rewriting).
See also: getSessionIdPathParameterName(), getSessionIdPathParameterNamePrefix()
public void setUsingCookies(boolean usingCookies)
usingCookies - The usingCookies to set.
public Session getSession(String id)
id - The session ID stripped of any worker name.
public SessionCache getSessionCache()
public void setSessionCache(SessionCache cache)
cache - the session store to use
public boolean isNodeIdInSessionId()
HttpSession.getId(). Default is false.
public void setNodeIdInSessionId(boolean nodeIdInSessionId)
nodeIdInSessionId - true if the cluster node id (worker id) will be returned as part of the session id by HttpSession.getId(). Default is false.
public Session removeSession(String id, boolean invalidate)
id - The session to remove
invalidate - True if HttpSessionListener.sessionDestroyed(HttpSessionEvent) and SessionIdManager.expireAll(String) should be called.
@ManagedAttribute(value="maximum amount of time sessions have remained active (in s)") public long getSessionTimeMax()
public Set<SessionTrackingMode> getDefaultSessionTrackingModes()
public Set<SessionTrackingMode> getEffectiveSessionTrackingModes()
public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes)
public boolean isUsingURLs()
public SessionCookieConfig getSessionCookieConfig()
@ManagedAttribute(value="total time sessions have remained valid") public long getSessionTimeTotal()
@ManagedAttribute(value="mean time sessions remain valid (in s)") public double getSessionTimeMean()
@ManagedAttribute(value="standard deviation a session remained valid (in s)") public double getSessionTimeStdDev()
@ManagedAttribute(value="check remote session id encoding") public boolean isCheckingRemoteSessionIdEncoding()
public void setCheckingRemoteSessionIdEncoding(boolean remote)
remote - True if absolute URLs are checked for remoteness before being session encoded.
public void renewSessionId(String oldId, String oldExtendedId, String newId, String newExtendedId)
oldId - the old session id
oldExtendedId - the session id including worker suffix
newId - the new session id
newExtendedId - the new session id including worker suffix
public void invalidate(String id)
id - the session id to invalidate
public void scavenge()
@Deprecated public void sessionInactivityTimerExpired(Session session)
public void sessionInactivityTimerExpired(Session session, long now)
session - the session
now - the time at which to check for expiry
public boolean isIdInUse(String id) throws Exception
id - identity of session to check
Returns: true if this manager knows about this id
Exception - if any error occurred
public Scheduler getScheduler()
public void doSessionAttributeListeners(Session session, String name, Object old, Object value)
public void doScope(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
Description copied from class: ScopedHandler
Derived implementations should call ScopedHandler.nextScope(String, Request, HttpServletRequest, HttpServletResponse)
doScope in class ScopedHandler
target - The target of the request - either a URI or a name.
baseRequest - The original unwrapped request object.
request - The request either as the Request object or a wrapper of that request. The HttpConnection.getCurrentConnection().getHttpChannel().getRequest() method can be used to access the Request object if required.
response - The response as the Response object or a wrapper of that request. The HttpConnection.getCurrentConnection().getHttpChannel().getResponse() method can be used to access the Response object if required.
IOException - if unable to handle the request or response processing
ServletException - if unable to handle the request or response due to underlying servlet issue
public void doHandle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
Description copied from class: ScopedHandler
Derived implementations should call ScopedHandler.nextHandle(String, Request, HttpServletRequest, HttpServletResponse)
doHandle in class ScopedHandler
target - The target of the request - either a URI or a name.
baseRequest - The original unwrapped request object.
request - The request either as the Request object or a wrapper of that request. The HttpConnection.getCurrentConnection().getHttpChannel().getRequest() method can be used to access the Request object if required.
response - The response as the Response object or a wrapper of that request. The HttpConnection.getCurrentConnection().getHttpChannel().getResponse() method can be used to access the Response object if required.
IOException - if unable to handle the request or response processing
ServletException - if unable to handle the request or response due to underlying servlet issue
public String toString()
toString in class AbstractLifeCycle
See also: Object.toString()
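The Secure-flag rule documented for getSessionCookie(HttpSession, String, boolean), together with the cookie and tracking-mode setters listed above, in an added example that is not Jetty's or Adobe's own code. It assumes Jetty 9.4 and the Servlet API on the classpath; the class name HardenedSessionConfig and the helper cookieMarkedSecure are hypothetical, and the helper restates the documented rule rather than calling Jetty internals.

```java
import java.util.EnumSet;
import javax.servlet.SessionTrackingMode;
import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.server.session.SessionHandler;

// Added example; HardenedSessionConfig and cookieMarkedSecure are hypothetical names.
public class HardenedSessionConfig {

    // Restates the documented rule: the cookie is Secure iff
    // (1) SessionCookieConfig.setSecure == true, or
    // (2) setSecure == false && _secureRequestOnly == true && request is HTTPS.
    static boolean cookieMarkedSecure(boolean configSecure, boolean secureRequestOnly,
                                      boolean requestIsSecure) {
        return configSecure || (secureRequestOnly && requestIsSecure);
    }

    // Builds a handler whose session cookie is Secure, HttpOnly and SameSite,
    // and which never places the session id in the URL.
    static SessionHandler hardened() {
        SessionHandler sessions = new SessionHandler();
        // Case 1: always mark the cookie Secure, whatever scheme the request arrived on.
        sessions.getSessionCookieConfig().setSecure(true);
        // Keep the default so case 2 still applies if setSecure is later turned off.
        sessions.setSecureRequestOnly(true);
        sessions.setHttpOnly(true);
        sessions.setSameSite(HttpCookie.SameSite.STRICT);
        // Cookie tracking only: no ;jsessionid= path parameter in URLs.
        sessions.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        sessions.setSessionIdPathParameterName("none");
        sessions.setMaxInactiveInterval(15 * 60); // seconds; constructed value
        return sessions;
    }

    public static void main(String[] args) {
        boolean[] flags = {false, true};
        System.out.println("setSecure secureRequestOnly https -> Secure flag");
        for (boolean cfg : flags)
            for (boolean sro : flags)
                for (boolean https : flags)
                    System.out.printf("%-9b %-17b %-5b -> %b%n",
                            cfg, sro, https, cookieMarkedSecure(cfg, sro, https));

        SessionHandler s = hardened();
        System.out.println("secureCookies=" + s.getSecureCookies()
                + " httpOnly=" + s.getHttpOnly()
                + " sameSite=" + s.getSameSite()
                + " usingCookies=" + s.isUsingCookies()
                + " usingURLs=" + s.isUsingURLs()
                + " idPathParam=" + s.getSessionIdPathParameterName());
    }
}
```

The rows with setSecure=false and secureRequestOnly=false never produce a Secure cookie, even when the request is HTTPS, which is the behavior the getSessionCookie description states for that setting.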
Copyright © 2010 - 2020 Adobe. All Rights Reserved