[ https://issues.apache.org/jira/browse/TINKERPOP-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yang Xia updated TINKERPOP-2782:
--------------------------------
    Affects Version/s:     (was: 3.6.0)
                           (was: 3.5.3)
                           (was: 3.5.4)
                           (was: 3.6.1)

> WebSocketAuthorizationHandler does not transfer the request's sessionId, needed in UnifiedHandler
> -------------------------------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2782
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2782
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.2
>            Reporter: Rusi Popov
>            Priority: Major
>
> When the gremlin-server.yaml configures the gremlin server to use the UnifiedChannelizer with an explicit Authorizer:
> {code:yaml}
> channelizer: org.apache.tinkerpop.gremlin.server.channel.UnifiedChannelizer
> authorization:
>   authorizer: <some class>
> {code}
> the UnifiedChannelizer registers org.apache.tinkerpop.gremlin.server.handler.WebSocketAuthorizationHandler before org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler in the pipeline.
>
> The WebSocketAuthorizationHandler uses the Authorizer to transform the bytecode, builds a new request message with the transformed bytecode, and pushes the new message down the pipeline for processing:
> (in 3.6.1 these are lines 66-77)
> {code:java}
> case Tokens.OPS_BYTECODE:
>     final Bytecode bytecode = (Bytecode) requestMessage.getArgs().get(Tokens.ARGS_GREMLIN);
>     final Map<String, String> aliases = (Map<String, String>) requestMessage.getArgs().get(Tokens.ARGS_ALIASES);
>     final Bytecode restrictedBytecode = authorizer.authorize(user, bytecode, aliases);
>     final RequestMessage restrictedMsg = RequestMessage.build(Tokens.OPS_BYTECODE).
>             overrideRequestId(requestMessage.getRequestId()).
>             processor("traversal").
>             addArg(Tokens.ARGS_GREMLIN, restrictedBytecode).
>             addArg(Tokens.ARGS_ALIASES, aliases).create();
>     ctx.fireChannelRead(restrictedMsg);
>     break;
> {code}
> Next is the org.apache.tinkerpop.gremlin.server.handler.UnifiedHandler, which uses the session ID for session detection:
> (lines 146-147)
> {code:java}
> final Optional<String> optMultiTaskSession = msg.optionalArgs(Tokens.ARGS_SESSION);
> final String sessionId = optMultiTaskSession.orElse(msg.getRequestId().toString());
> {code}
>
> *The problem:*
> WebSocketAuthorizationHandler does not transfer the Tokens.ARGS_SESSION to the UnifiedHandler, so it uses the request's ID as a new session ID every time.
>
> *Suggestion:*
> In WebSocketAuthorizationHandler, iterate over the args and copy every arg but ARGS_GREMLIN, then set the latter to the restricted bytecode.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
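
The effect described in the report, and the suggested fix, as an added example that is not part of the original message and is not TinkerPop code. `Msg`, `rebuildAsQuoted`, `rebuildAsSuggested` and `sessionId` are hypothetical stand-ins for the request message, the two ways of rebuilding it, and the UnifiedHandler session lookup; the sample requests are constructed.

```java
import java.util.*;

// Added illustration: a minimal model of the request flow, not TinkerPop's own classes.
public class SessionArgDemo {
    // Stand-ins for the Tokens.ARGS_* keys named in the report.
    static final String ARGS_GREMLIN = "gremlin";
    static final String ARGS_ALIASES = "aliases";
    static final String ARGS_SESSION = "session";

    static final class Msg {  // hypothetical stand-in for RequestMessage
        final UUID requestId;
        final Map<String, Object> args;
        Msg(UUID requestId, Map<String, Object> args) {
            this.requestId = requestId;
            this.args = Collections.unmodifiableMap(new LinkedHashMap<>(args));
        }
    }
    // Rebuild as in the quoted handler code: only gremlin and aliases are carried over.
    static Msg rebuildAsQuoted(Msg in, Object restricted) {
        Map<String, Object> args = new LinkedHashMap<>();
        args.put(ARGS_GREMLIN, restricted);
        args.put(ARGS_ALIASES, in.args.get(ARGS_ALIASES));
        return new Msg(in.requestId, args);
    }
    // Rebuild as the report suggests: copy every arg except gremlin, then set the restricted bytecode.
    static Msg rebuildAsSuggested(Msg in, Object restricted) {
        Map<String, Object> args = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : in.args.entrySet())
            if (!ARGS_GREMLIN.equals(e.getKey())) args.put(e.getKey(), e.getValue());
        args.put(ARGS_GREMLIN, restricted);
        return new Msg(in.requestId, args);
    }
    // Session lookup as in the quoted UnifiedHandler lines: fall back to the request id.
    static String sessionId(Msg m) {
        Object s = m.args.get(ARGS_SESSION);
        return s != null ? s.toString() : m.requestId.toString();
    }
    public static void main(String[] unused) {
        String session = "constructed-session-1";  // constructed sample value
        for (int i = 0; i < 2; i++) {  // two requests from the same client session
            Map<String, Object> args = new LinkedHashMap<>();
            args.put(ARGS_GREMLIN, "bytecode-" + i);
            args.put(ARGS_ALIASES, Collections.singletonMap("g", "g"));
            args.put(ARGS_SESSION, session);
            Msg in = new Msg(UUID.randomUUID(), args);
            System.out.println("quoted:    " + sessionId(rebuildAsQuoted(in, "restricted-" + i)));
            System.out.println("suggested: " + sessionId(rebuildAsSuggested(in, "restricted-" + i)));
        }
    }
}
```

With the quoted rebuild, each request resolves to its own request ID as the session; with the suggested rebuild, both requests resolve to the session the client sent.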