Handler
, HandlerContainer
, org.eclipse.jetty.util.component.Destroyable
, org.eclipse.jetty.util.component.LifeCycle
public class SessionHandler extends ScopedHandler
Modifier and Type | Class | Description |
---|---|---|
class |
SessionHandler.CookieConfig |
CookieConfig
Implementation of the javax.servlet.SessionCookieConfig.
|
class |
SessionHandler.SessionAsyncListener |
SessionAsyncListener
Used to ensure that a request for which async has been started
has its session completed as the request exits the context.
|
static interface |
SessionHandler.SessionIf |
SessionIf
Interface that any session wrapper should implement so that
SessionManager may access the Jetty session implementation.
|
AbstractHandler.ErrorDispatchHandler
org.eclipse.jetty.util.component.AbstractLifeCycle.AbstractLifeCycleListener
Modifier and Type | Field | Description |
---|---|---|
static java.lang.String |
__CheckRemoteSessionEncoding |
|
static java.lang.String |
__DefaultSessionCookie |
|
static java.lang.String |
__DefaultSessionDomain |
|
static java.lang.String |
__DefaultSessionIdPathParameterName |
|
java.util.Set<javax.servlet.SessionTrackingMode> |
__defaultSessionTrackingModes |
|
static java.lang.String |
__MaxAgeProperty |
Session Max Age.
|
static java.lang.String |
__SessionCookieProperty |
Session cookie name.
|
static java.lang.String |
__SessionDomainProperty |
Session Domain.
|
static java.lang.String |
__SessionIdPathParameterNameProperty |
Session id path parameter name.
|
static java.lang.String |
__SessionPathProperty |
Session Path.
|
protected org.eclipse.jetty.util.ConcurrentHashSet<java.lang.String> |
_candidateSessionIdsForExpiry |
|
protected boolean |
_checkingRemoteSessionIdEncoding |
|
protected ContextHandler.Context |
_context |
|
protected int |
_dftMaxIdleSecs |
Setting of max inactive interval for new sessions
-1 means no timeout
|
protected boolean |
_httpOnly |
|
protected java.lang.ClassLoader |
_loader |
|
protected int |
_maxCookieAge |
|
protected boolean |
_nodeIdInSessionId |
|
protected boolean |
_ownScheduler |
|
protected int |
_refreshCookieAge |
|
protected org.eclipse.jetty.util.thread.Scheduler |
_scheduler |
|
protected boolean |
_secureCookies |
|
protected boolean |
_secureRequestOnly |
|
protected java.util.List<javax.servlet.http.HttpSessionAttributeListener> |
_sessionAttributeListeners |
|
protected SessionCache |
_sessionCache |
|
protected java.lang.String |
_sessionComment |
|
protected SessionContext |
_sessionContext |
|
protected java.lang.String |
_sessionCookie |
|
protected java.lang.String |
_sessionDomain |
|
protected java.util.List<javax.servlet.http.HttpSessionIdListener> |
_sessionIdListeners |
|
protected SessionIdManager |
_sessionIdManager |
|
protected java.lang.String |
_sessionIdPathParameterName |
|
protected java.lang.String |
_sessionIdPathParameterNamePrefix |
|
protected java.util.List<javax.servlet.http.HttpSessionListener> |
_sessionListeners |
|
protected java.lang.String |
_sessionPath |
|
protected org.eclipse.jetty.util.statistic.CounterStatistic |
_sessionsCreatedStats |
|
protected org.eclipse.jetty.util.statistic.SampleStatistic |
_sessionTimeStats |
|
java.util.Set<javax.servlet.SessionTrackingMode> |
_sessionTrackingModes |
|
protected boolean |
_usingCookies |
|
protected boolean |
_usingURLs |
|
static java.util.EnumSet<javax.servlet.SessionTrackingMode> |
DEFAULT_TRACKING |
|
static java.math.BigDecimal |
MAX_INACTIVE_MINUTES |
Web.xml session-timeout is set in minutes, but is stored as an int in seconds by HttpSession and
the sessionmanager.
|
static java.lang.Class<? extends java.util.EventListener>[] |
SESSION_LISTENER_TYPES |
FAILED, RUNNING, STARTED, STARTING, STOPPED, STOPPING
_handler
_nextScope, _outerScope
Constructor | Description |
---|---|
SessionHandler() |
Constructor.
|
Modifier and Type | Method | Description |
---|---|---|
org.eclipse.jetty.http.HttpCookie |
access(javax.servlet.http.HttpSession session,
boolean secure) |
Called by the
SessionHandler when a session is first accessed by a request. |
void |
addEventListener(java.util.EventListener listener) |
Adds an event listener for session-related events.
|
protected void |
checkRequestedSessionId(Request baseRequest,
javax.servlet.http.HttpServletRequest request) |
Look for a requested session ID in cookies and URI parameters
|
void |
clearEventListeners() |
Removes all event listeners for session-related events.
|
void |
complete(javax.servlet.http.HttpSession session) |
Called by the
SessionHandler when a session is last accessed by a request. |
void |
complete(Session session,
Request request) |
|
void |
doHandle(java.lang.String target,
Request baseRequest,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response) |
Do the handler work within the scope.
|
void |
doScope(java.lang.String target,
Request baseRequest,
javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response) |
Scope the handler
|
void |
doSessionAttributeListeners(Session session,
java.lang.String name,
java.lang.Object old,
java.lang.Object value) |
|
protected void |
doStart() |
|
protected void |
doStop() |
|
java.util.Set<javax.servlet.SessionTrackingMode> |
getDefaultSessionTrackingModes() |
|
java.util.Set<javax.servlet.SessionTrackingMode> |
getEffectiveSessionTrackingModes() |
|
java.lang.String |
getExtendedId(javax.servlet.http.HttpSession session) |
|
boolean |
getHttpOnly() |
|
javax.servlet.http.HttpSession |
getHttpSession(java.lang.String extendedId) |
Returns the
HttpSession with the given session id |
java.lang.String |
getId(javax.servlet.http.HttpSession session) |
|
int |
getMaxCookieAge() |
|
int |
getMaxInactiveInterval() |
|
int |
getRefreshCookieAge() |
|
org.eclipse.jetty.util.thread.Scheduler |
getScheduler() |
|
boolean |
getSecureCookies() |
|
Session |
getSession(java.lang.String id) |
Get a known existing session
|
SessionCache |
getSessionCache() |
|
java.lang.String |
getSessionCookie() |
|
org.eclipse.jetty.http.HttpCookie |
getSessionCookie(javax.servlet.http.HttpSession session,
java.lang.String contextPath,
boolean requestIsSecure) |
A session cookie is marked as secure if and only if either of the following conditions is true:
1. SessionCookieConfig.setSecure == true
2. SessionCookieConfig.setSecure == false && _secureRequestOnly==true && request is HTTPS
According to the SessionCookieConfig javadoc, case 1 can be used when:
"...
|
javax.servlet.SessionCookieConfig |
getSessionCookieConfig() |
|
java.lang.String |
getSessionDomain() |
|
SessionIdManager |
getSessionIdManager() |
Gets the cross context session id manager
|
java.lang.String |
getSessionIdPathParameterName() |
|
java.lang.String |
getSessionIdPathParameterNamePrefix() |
|
java.lang.String |
getSessionPath() |
|
int |
getSessionsCreated() |
|
long |
getSessionTimeMax() |
|
double |
getSessionTimeMean() |
|
double |
getSessionTimeStdDev() |
|
long |
getSessionTimeTotal() |
|
void |
invalidate(java.lang.String id) |
Called when a session has expired.
|
boolean |
isCheckingRemoteSessionIdEncoding() |
|
boolean |
isIdInUse(java.lang.String id) |
Check if id is in use by this context
|
boolean |
isNodeIdInSessionId() |
|
boolean |
isSecureRequestOnly() |
|
boolean |
isUsingCookies() |
|
boolean |
isUsingURLs() |
|
boolean |
isValid(javax.servlet.http.HttpSession session) |
|
javax.servlet.http.HttpSession |
newHttpSession(javax.servlet.http.HttpServletRequest request) |
Creates a new
HttpSession . |
void |
removeEventListener(java.util.EventListener listener) |
Removes an event listener for session-related events.
|
Session |
removeSession(java.lang.String id,
boolean invalidate) |
Remove session from manager
|
void |
renewSessionId(java.lang.String oldId,
java.lang.String oldExtendedId,
java.lang.String newId,
java.lang.String newExtendedId) |
Change the existing session id.
|
void |
scavenge() |
Called periodically by the HouseKeeper to handle the list of
sessions that have expired since the last call to scavenge.
|
void |
sessionInactivityTimerExpired(Session session) |
Each session has a timer that is configured to go off
when either the session has not been accessed for a
configurable amount of time, or the session itself
has passed its expiry.
|
void |
setCheckingRemoteSessionIdEncoding(boolean remote) |
|
void |
setHttpOnly(boolean httpOnly) |
|
void |
setMaxInactiveInterval(int seconds) |
Sets the max period of inactivity, after which the session is invalidated, in seconds.
|
void |
setNodeIdInSessionId(boolean nodeIdInSessionId) |
|
void |
setRefreshCookieAge(int ageInSeconds) |
|
void |
setSecureRequestOnly(boolean secureRequestOnly) |
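Sets whether the session cookie is marked as secure only when the request that initiated the session was an HTTPS request.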
|
void |
setSessionCache(SessionCache cache) |
|
void |
setSessionCookie(java.lang.String cookieName) |
|
void |
setSessionIdManager(SessionIdManager metaManager) |
|
void |
setSessionIdPathParameterName(java.lang.String param) |
Sets the session id URL path parameter name.
|
void |
setSessionTrackingModes(java.util.Set<javax.servlet.SessionTrackingMode> sessionTrackingModes) |
|
void |
setUsingCookies(boolean usingCookies) |
|
protected void |
shutdownSessions() |
Prepare sessions for session manager shutdown
|
void |
statsReset() |
Reset statistics values
|
java.lang.String |
toString() |
doError, dumpThis, getServer
expandHandler, findContainerOf, getChildHandlerByClass, getChildHandlers, getChildHandlersByClass, setServer
addLifeCycleListener, getState, getState, getStopTimeout, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
addBean, addBean, addBean, addEventListener, addManaged, contains, dump, dump, dump, dump, dump, dumpBeans, dumpObject, dumpStdErr, getBean, getBeans, getBeans, isManaged, manage, removeBean, removeBeans, removeEventListener, setBeans, setStopTimeout, start, stop, unmanage, updateBean, updateBean, updateBeans
destroy, expandChildren, getHandler, getHandlers, insertHandler, setHandler
addLifeCycleListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeLifeCycleListener, start, stop
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
handle, nextHandle, nextScope
public static final java.util.EnumSet<javax.servlet.SessionTrackingMode> DEFAULT_TRACKING
public static final java.lang.String __SessionCookieProperty
Session cookie name. Defaults to JSESSIONID, but can be set with the org.eclipse.jetty.servlet.SessionCookie context init parameter.
public static final java.lang.String __DefaultSessionCookie
public static final java.lang.String __SessionIdPathParameterNameProperty
Session id path parameter name. Defaults to jsessionid, but can be set with the org.eclipse.jetty.servlet.SessionIdPathParameterName context init parameter.
If set to null or "none" no URL rewriting will be done.
public static final java.lang.String __DefaultSessionIdPathParameterName
public static final java.lang.String __CheckRemoteSessionEncoding
public static final java.lang.String __SessionDomainProperty
public static final java.lang.String __DefaultSessionDomain
public static final java.lang.String __SessionPathProperty
public static final java.lang.String __MaxAgeProperty
public java.util.Set<javax.servlet.SessionTrackingMode> __defaultSessionTrackingModes
public static final java.lang.Class<? extends java.util.EventListener>[] SESSION_LISTENER_TYPES
public static final java.math.BigDecimal MAX_INACTIVE_MINUTES
protected int _dftMaxIdleSecs
protected boolean _httpOnly
protected SessionIdManager _sessionIdManager
protected boolean _secureCookies
protected boolean _secureRequestOnly
protected final java.util.List<javax.servlet.http.HttpSessionAttributeListener> _sessionAttributeListeners
protected final java.util.List<javax.servlet.http.HttpSessionListener> _sessionListeners
protected final java.util.List<javax.servlet.http.HttpSessionIdListener> _sessionIdListeners
protected java.lang.ClassLoader _loader
protected ContextHandler.Context _context
protected SessionContext _sessionContext
protected java.lang.String _sessionCookie
protected java.lang.String _sessionIdPathParameterName
protected java.lang.String _sessionIdPathParameterNamePrefix
protected java.lang.String _sessionDomain
protected java.lang.String _sessionPath
protected int _maxCookieAge
protected int _refreshCookieAge
protected boolean _nodeIdInSessionId
protected boolean _checkingRemoteSessionIdEncoding
protected java.lang.String _sessionComment
protected SessionCache _sessionCache
protected final org.eclipse.jetty.util.statistic.SampleStatistic _sessionTimeStats
protected final org.eclipse.jetty.util.statistic.CounterStatistic _sessionsCreatedStats
public java.util.Set<javax.servlet.SessionTrackingMode> _sessionTrackingModes
protected boolean _usingURLs
protected boolean _usingCookies
protected org.eclipse.jetty.util.ConcurrentHashSet<java.lang.String> _candidateSessionIdsForExpiry
protected org.eclipse.jetty.util.thread.Scheduler _scheduler
protected boolean _ownScheduler
@ManagedAttribute("path of the session cookie, or null for default") public java.lang.String getSessionPath()
@ManagedAttribute("if greater the zero, the time in seconds a session cookie will last for") public int getMaxCookieAge()
public org.eclipse.jetty.http.HttpCookie access(javax.servlet.http.HttpSession session, boolean secure)
Called by the SessionHandler when a session is first accessed by a request.
Parameters:
session - the session object
secure - whether the request is secure or not
See Also:
complete(HttpSession)
public void addEventListener(java.util.EventListener listener)
listener
- the session event listener to add
Individual SessionManagers implementations may accept arbitrary listener types,
but they are expected to at least handle HttpSessionActivationListener,
HttpSessionAttributeListener, HttpSessionBindingListener and HttpSessionListener.removeEventListener(EventListener)
public void clearEventListeners()
removeEventListener(EventListener)
public void complete(javax.servlet.http.HttpSession session)
Called by the SessionHandler when a session is last accessed by a request.
Parameters:
session - the session object
See Also:
access(HttpSession, boolean)
protected void doStart() throws java.lang.Exception
doStart
in class ScopedHandler
java.lang.Exception
AbstractHandler.doStart()
protected void doStop() throws java.lang.Exception
doStop
in class AbstractHandler
java.lang.Exception
@ManagedAttribute("true if cookies use the http only flag") public boolean getHttpOnly()
HttpCookie.isHttpOnly()
public javax.servlet.http.HttpSession getHttpSession(java.lang.String extendedId)
Returns the HttpSession with the given session id.
Parameters:
extendedId - the session id
Returns:
the HttpSession with the corresponding id or null if no session with the given id exists
@ManagedAttribute("Session ID Manager") public SessionIdManager getSessionIdManager()
@ManagedAttribute("default maximum time a session may be idle for (in s)") public int getMaxInactiveInterval()
setMaxInactiveInterval(int)
@ManagedAttribute("time before a session cookie is re-set (in s)") public int getRefreshCookieAge()
@ManagedAttribute("if true, secure cookie flag is set on session cookies") public boolean getSecureCookies()
public boolean isSecureRequestOnly()
public void setSecureRequestOnly(boolean secureRequestOnly)
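Parameters:
secureRequestOnly - true to set Session Cookie Config as secure (how this flag combines with SessionCookieConfig.setSecure is described under getSessionCookie(HttpSession, String, boolean))
@ManagedAttribute("the set session cookie") public java.lang.String getSessionCookie()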
public org.eclipse.jetty.http.HttpCookie getSessionCookie(javax.servlet.http.HttpSession session, java.lang.String contextPath, boolean requestIsSecure)
For case 2, _secureRequestOnly determines whether you get the Servlet Spec 3.0 default behavior when SessionCookieConfig.setSecure==false, which is: "they shall be marked as secure only if the request that initiated the corresponding session was also secure"
The default for _secureRequestOnly is true, which gives the above behavior. If you set it to false, then a session cookie is NEVER marked as secure, even if the initiating request was secure; without the secure flag, a browser will also send the session cookie over plain HTTP.
Parameters:
session - the session to which the cookie should refer.
contextPath - the context to which the cookie should be linked. The client will only send the cookie value when requesting resources under this path.
requestIsSecure - whether the client is accessing the server over a secure protocol (i.e. HTTPS).
Returns:
If the SessionManager uses cookies, then this method will return a new cookie object that should be set on the client in order to link future HTTP requests with the session. If cookies are not in use, this method returns null.
@ManagedAttribute("domain of the session cookie, or null for the default") public java.lang.String getSessionDomain()
@ManagedAttribute("number of sessions created by this node") public int getSessionsCreated()
@ManagedAttribute("name of use for URL session tracking") public java.lang.String getSessionIdPathParameterName()
setSessionIdPathParameterName(String)
public java.lang.String getSessionIdPathParameterNamePrefix()
getSessionIdPathParameterName()
, by default
";" + sessionIdParameterName + "=", for easier lookup in URL strings.getSessionIdPathParameterName()
public boolean isUsingCookies()
public boolean isValid(javax.servlet.http.HttpSession session)
session
- the session to test for validitypublic java.lang.String getId(javax.servlet.http.HttpSession session)
session
- the session objectgetExtendedId(HttpSession)
public java.lang.String getExtendedId(javax.servlet.http.HttpSession session)
session
- the session objectgetId(HttpSession)
public javax.servlet.http.HttpSession newHttpSession(javax.servlet.http.HttpServletRequest request)
HttpSession
.request
- the HttpServletRequest containing the requested session idHttpSession
public void removeEventListener(java.util.EventListener listener)
listener
- the session event listener to removeaddEventListener(EventListener)
@ManagedOperation(value="reset statistics", impact="ACTION") public void statsReset()
public void setHttpOnly(boolean httpOnly)
Parameters:
httpOnly - the httpOnly value to set; when true, session cookies use the http only flag.
public void setSessionIdManager(SessionIdManager metaManager)
Parameters:
metaManager - The metaManager used for cross context session management.
public void setMaxInactiveInterval(int seconds)
Parameters:
seconds - the max inactivity period, in seconds.
See Also:
getMaxInactiveInterval()
public void setRefreshCookieAge(int ageInSeconds)
public void setSessionCookie(java.lang.String cookieName)
public void setSessionIdPathParameterName(java.lang.String param)
Parameters:
param - the URL path parameter name for session id URL rewriting (null or "none" for no rewriting).
See Also:
getSessionIdPathParameterName(), getSessionIdPathParameterNamePrefix()
public void setUsingCookies(boolean usingCookies)
usingCookies
- The usingCookies to set.public Session getSession(java.lang.String id)
Parameters:
id - The session ID stripped of any worker name.
protected void shutdownSessions() throws java.lang.Exception
Throws:
java.lang.Exception - if unable to shutdown sessions
public SessionCache getSessionCache()
public void setSessionCache(SessionCache cache)
cache
- public boolean isNodeIdInSessionId()
Returns:
true if the cluster node id (worker id) is returned as part of the session id by HttpSession.getId(). Default is false.
public void setNodeIdInSessionId(boolean nodeIdInSessionId)
Parameters:
nodeIdInSessionId - true if the cluster node id (worker id) will be returned as part of the session id by HttpSession.getId(). Default is false.
public Session removeSession(java.lang.String id, boolean invalidate)
id
- The session to removeinvalidate
- True if HttpSessionListener.sessionDestroyed(HttpSessionEvent)
and
SessionIdManager.expireAll(String)
should be called.@ManagedAttribute("maximum amount of time sessions have remained active (in s)") public long getSessionTimeMax()
public java.util.Set<javax.servlet.SessionTrackingMode> getDefaultSessionTrackingModes()
public java.util.Set<javax.servlet.SessionTrackingMode> getEffectiveSessionTrackingModes()
public void setSessionTrackingModes(java.util.Set<javax.servlet.SessionTrackingMode> sessionTrackingModes)
public boolean isUsingURLs()
public javax.servlet.SessionCookieConfig getSessionCookieConfig()
@ManagedAttribute("total time sessions have remained valid") public long getSessionTimeTotal()
@ManagedAttribute("mean time sessions remain valid (in s)") public double getSessionTimeMean()
@ManagedAttribute("standard deviation a session remained valid (in s)") public double getSessionTimeStdDev()
@ManagedAttribute("check remote session id encoding") public boolean isCheckingRemoteSessionIdEncoding()
public void setCheckingRemoteSessionIdEncoding(boolean remote)
Parameters:
remote - True if absolute URLs are checked for remoteness before being session encoded.
public void renewSessionId(java.lang.String oldId, java.lang.String oldExtendedId, java.lang.String newId, java.lang.String newExtendedId)
oldId
- the old session idoldExtendedId
- the session id including worker suffixnewId
- the new session idnewExtendedId
- the new session id including worker suffixpublic void invalidate(java.lang.String id)
id
- the id to invalidatepublic void scavenge()
public void sessionInactivityTimerExpired(Session session)
session
- public boolean isIdInUse(java.lang.String id) throws java.lang.Exception
id
- identity of session to checkjava.lang.Exception
public org.eclipse.jetty.util.thread.Scheduler getScheduler()
public void doSessionAttributeListeners(Session session, java.lang.String name, java.lang.Object old, java.lang.Object value)
public void doScope(java.lang.String target, Request baseRequest, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException
ScopedHandler
Derived implementations should call ScopedHandler.nextScope(String, Request, HttpServletRequest, HttpServletResponse)
doScope
in class ScopedHandler
java.io.IOException
javax.servlet.ServletException
public void doHandle(java.lang.String target, Request baseRequest, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException
ScopedHandler
Derived implementations should call ScopedHandler.nextHandle(String, Request, HttpServletRequest, HttpServletResponse)
doHandle
in class ScopedHandler
java.io.IOException
javax.servlet.ServletException
protected void checkRequestedSessionId(Request baseRequest, javax.servlet.http.HttpServletRequest request)
baseRequest
- the request to checkrequest
- the request to checkpublic java.lang.String toString()
toString
in class java.lang.Object
Object.toString()
Copyright © 1995–2018 Webtide. All rights reserved.