Author: markt
Date: Mon Jan 12 13:18:54 2009
New Revision: 733899
URL: http://svn.apache.org/viewvc?rev=733899&view=rev
Log:
Update SSL Session handling based on Filip's comments. HTTP session
invalidation is now separate from SSLSession validation. The hooks remain to
invalidate the SSL session if required.
Modified:
tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
tomcat/trunk/java/org/apache/catalina/session/Constants.java
tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/trunk/java/org/apache/coyote/ActionCode.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/trunk/webapps/docs/ssl-howto.xml
Modified: tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Mon Jan
12 13:18:54 2009
@@ -524,8 +524,7 @@
if (request.getRequestedSessionId() == null &&
SSL_ONLY.equals(request.getServletContext()
.getEffectiveSessionTrackingModes()) &&
- Boolean.TRUE.equals(
- request.getConnector().getAttribute("SSLEnabled"))) {
+ request.connector.secure) {
// TODO Is there a better way to map SSL sessions to our sesison
ID?
// TODO The request.getAttribute() will cause a number of other SSL
// attribute to be populated. Is this a performance concern?
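Review bot: `request.connector.secure` reads the Connector field directly while the surrounding condition goes through accessors (`request.getConnector()`, `request.getServletContext()`); `request.getConnector().getSecure()` keeps the same gate without reaching into the field. The more important point is that `secure` only declares the connector trusted as secure, it does not establish that Tomcat terminated the TLS connection, so after this change the SSL session ID consumed a few lines below may originate from a proxy-populated header (the ssl-howto hunk in this commit says as much); a comment such as `// secure connectors may be fronted by a proxy: the SSL session ID is then supplied via SSLValve headers and is only trustworthy if the proxy overwrites them` would record that assumption next to the check. The enclosing method starts and ends outside this hunk.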
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Mon Jan 12
13:18:54 2009
@@ -925,6 +925,10 @@
if(attr != null) {
attributes.put(Globals.SSL_SESSION_ID_ATTR, attr);
}
+ attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_MGR_ATTR);
+ if(attr != null) {
+ attributes.put(Globals.SSL_SESSION_MGR_ATTR, attr);
+ }
attr = attributes.get(name);
}
return attr;
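Review bot: The added lines are the fifth copy of the same get / null-check / put triplet in this method (certificates, cipher suite, key size, session id, now session manager); a private helper such as `copySslAttribute(Globals.SSL_SESSION_MGR_ATTR)` that does the `coyoteRequest.getAttribute` and conditional `attributes.put` would make the set of copied SSL attributes visible in one place. Since this attribute hands a Tomcat-internal object to application code through the public request API, the constant it is keyed on (declared in Globals, outside this hunk) deserves a Javadoc line saying it is Tomcat-specific and may be null — the APR processor hunk in this commit only leaves a TODO and never sets it. The enclosing method starts and ends outside this hunk.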
@@ -938,7 +942,8 @@
return Globals.CERTIFICATES_ATTR.equals(name) ||
Globals.CIPHER_SUITE_ATTR.equals(name) ||
Globals.KEY_SIZE_ATTR.equals(name) ||
- Globals.SSL_SESSION_ID_ATTR.equals(name);
+ Globals.SSL_SESSION_ID_ATTR.equals(name) ||
+ Globals.SSL_SESSION_MGR_ATTR.equals(name);
}
/**
@@ -2403,13 +2408,6 @@
if ((connector.getEmptySessionPath()
&& isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
session = manager.createSession(getRequestedSessionId());
- if (requestedSessionSSL) {
- coyoteRequest.action(ActionCode.ACTION_REQ_SSL_SESSION_MGR,
- null);
- session.setNote(
- org.apache.catalina.session.Constants.SESS_SSL_MGMT,
- getAttribute(Globals.SSL_SESSION_MGR_ATTR));
- }
} else {
session = manager.createSession(null);
}
Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java Mon Jan
12 13:18:54 2009
@@ -864,7 +864,7 @@
* SessionTrackingMode#COOKIE} is supported unless the <code>cookies</code>
* attribute has been set to <code>false</code> for the context and
{...@link
* SessionTrackingMode#SSL} is supported if at least one of the connectors
- * used by this context has the attribute <code>SSLEnabled</code> set to
+ * used by this context has the attribute <code>secure</code> set to
* <code>true</code>.
*/
public EnumSet<SessionTrackingMode> getDefaultSessionTrackingModes() {
@@ -887,7 +887,7 @@
// TODO extend this for SSL sessions managed by accelerators, web
// servers etc
for (Connector connector : connectors) {
- if (Boolean.TRUE.equals(connector.getAttribute("SSLEnabled"))) {
+ if (Boolean.TRUE.equals(connector.getAttribute("secure"))) {
defaultSessionTrackingModes.add(SessionTrackingMode.SSL);
break;
}
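Review bot: `Boolean.TRUE.equals(connector.getAttribute("secure"))` is an indirect lookup where the CoyoteAdapter hunk in this commit reads the same flag directly from the Connector; if `getAttribute` resolves properties reflectively (possibly against the protocol handler rather than the Connector), a value returned as something other than `Boolean.TRUE` makes this silently false and SSL session tracking is never advertised as a default mode. `if (connector.getSecure()) {` reads the same field the adapter uses and cannot drift from it. The enclosing loop and method continue outside this hunk.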
@@ -1123,4 +1123,4 @@
}
-}
+}
\ No newline at end of file
Modified: tomcat/trunk/java/org/apache/catalina/session/Constants.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/Constants.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/session/Constants.java (original)
+++ tomcat/trunk/java/org/apache/catalina/session/Constants.java Mon Jan 12
13:18:54 2009
@@ -29,10 +29,4 @@
public static final String Package = "org.apache.catalina.session";
- /**
- * Name of note containing SSL session manager
- */
- public static final String SESS_SSL_MGMT =
- "org.apache.catalina.session.SSL_MGMT";
-
}
Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Mon Jan 12
13:18:54 2009
@@ -53,7 +53,6 @@
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.modeler.Registry;
-import org.apache.tomcat.util.net.SSLSessionManager;
/**
@@ -908,12 +907,6 @@
public void remove(Session session) {
sessions.remove(session.getIdInternal());
- // Close the underlying SSL session
- SSLSessionManager mgr =
- (SSLSessionManager) session.getNote(Constants.SESS_SSL_MGMT);
- if (mgr != null) {
- mgr.invalidateSession();
- }
}
Modified: tomcat/trunk/java/org/apache/coyote/ActionCode.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ActionCode.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ActionCode.java (original)
+++ tomcat/trunk/java/org/apache/coyote/ActionCode.java Mon Jan 12 13:18:54 2009
@@ -163,12 +163,6 @@
*/
public static final ActionCode ACTION_COMET_SETTIMEOUT = new
ActionCode(25);
- /**
- * Callback for lazy evaluation - obtain the SSL Session Manager
- */
- public static final ActionCode ACTION_REQ_SSL_SESSION_MGR =
- new ActionCode(26);
-
// ----------------------------------------------------------- Constructors
int code;
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java Mon Jan
12 13:18:54 2009
@@ -1141,6 +1141,8 @@
if (sslO != null) {
request.setAttribute(AprEndpoint.SESSION_ID_KEY, sslO);
}
+ //TODO provide a hook to enable the SSL session to be
+ // invalidated. Set AprEndpoint.SESSION_MGR req attr
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
}
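Review bot: The APR processor now sets only the session id attribute and leaves the session-manager attribute unset, so an application following the ssl-howto snippet added in this commit (which calls `mgr.invalidateSession()` without a null check) gets a NullPointerException on this connector. The added TODO should say so explicitly, e.g. `// TODO provide a hook to invalidate the SSL session; until then no SESSION_MGR attribute is published on APR and callers must null-check it`. The enclosing try block starts outside this hunk.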
@@ -1198,9 +1200,6 @@
//no op
} else if (actionCode == ActionCode.ACTION_COMET_SETTIMEOUT) {
//no op
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- //TODO SERVLET3 provide a hook to enable the SSL session to be
- // invalidated
}
}
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11NioProcessor.java Mon Jan
12 13:18:54 2009
@@ -1175,6 +1175,7 @@
if (sslO != null)
request.setAttribute
(SSLSupport.SESSION_ID_KEY, sslO);
+ request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
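Review bot: `request.setAttribute(SSLSupport.SESSION_MGR, sslSupport)` publishes the whole SSLSupport object to web applications (the howto in this commit reads it back as `javax.servlet.request.ssl_session_mgr` and casts it to SSLSessionManager), while the only documented contract is `invalidateSession()`; publishing a small adapter that forwards just `invalidateSession()` would keep application code from reaching the other SSLSupport methods. The same line is added in Http11Processor.java in this commit. The added call appears to rely on an enclosing null check of `sslSupport` that starts outside the hunk; worth confirming, since the action-code branch removed below carried its own `if( sslSupport != null)` guard.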
@@ -1236,10 +1237,6 @@
RequestInfo rp = request.getRequestProcessor();
if ( rp.getStage() != org.apache.coyote.Constants.STAGE_SERVICE )
//async handling
attach.setTimeout(timeout);
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- if( sslSupport != null) {
- request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
- }
}
}
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon Jan 12
13:18:54 2009
@@ -1012,6 +1012,7 @@
if (sslO != null)
request.setAttribute
(SSLSupport.SESSION_ID_KEY, sslO);
+ request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
@@ -1105,10 +1106,6 @@
InternalInputBuffer internalBuffer = (InternalInputBuffer)
request.getInputBuffer();
internalBuffer.addActiveFilter(savedBody);
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- if( sslSupport != null) {
- request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
- }
}
}
Modified: tomcat/trunk/webapps/docs/ssl-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/ssl-howto.xml?rev=733899&r1=733898&r2=733899&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/trunk/webapps/docs/ssl-howto.xml Mon Jan 12 13:18:54 2009
@@ -638,25 +638,18 @@
</section>
<section name="Using the SSL for session tracking in your application">
- <p>This is a new feature in the Servlet 3.0 specification. Because is uses
the
- SSL session ID associated with the physical client server connection there
- are a number of limitations. They are:
+ <p>This is a new feature in the Servlet 3.0 specification. Because it uses
the
+ SSL session ID associated with the physical client-server connection there
+ are some limitations. They are:
<ul>
- <li>The SSL connection must be managed by Tomcat, i.e. Tomcat must have a
- connector with the attribute <strong>SSLEnabled</strong> set to
- <code>true</code>. This is to enable Tomcat to invalidate the SSL
- session if the HTTP session is invalidated. If SSL conections are
- managed by a proxy or a hardware accelerator this is not
possibe.</li>
- <li>It cannot be used in conjunction with session replication as the SSL
- session IDs will be different on each node.</li>
- <li>When <code>session.invalidate()</code> is called within the
application
- <code>response.setHeader("Connection", "close")</code> must also be
- called as invalidating the session does not affect any current
- connections.</li>
- <li>HTTP session timeouts, keep-alive timeouts and SSL session timeouts
- should be consistent. Note that the default JSSE SSL session timeout
- (24 hours) is significantly longer than the default Tomcat HTTP
Sesson
- timeout (30 minutes).</li>
+ <li>Tomcat must have a connector with the attribute
+ <strong>isSecure</strong> set to <code>true</code>.</li>
+ <li>If SSL conections are managed by a proxy or a hardware accelerator
+ they must populate the SSL request headers (see the SSLValve) so that
+ the SSL session ID is visibale to Tomcat.</li>
+ <li>If Tomcat terminates the SSL connection, it will not be possible to
use
+ session replication as the SSL session IDs will be different on each
+ node.</li>
</ul>
</p>
@@ -709,8 +702,28 @@
For additional discussion on this area, please see
<a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=22679">Bugzilla</a>.
</p>
+
+ <p>To terminate an SSL session, use:
+ <source>
+// Standard HTTP session invalidation
+session.invalidate();
+
+// Invalidate the SSL Session
+org.apache.tomcat.util.net.SSLSessionManager mgr =
+ (org.apache.tomcat.util.net.SSLSessionManager)
+ request.getAttribute("javax.servlet.request.ssl_session_mgr");
+mgr.invalidateSession();
+
+// Close the conection since the SSL session will be active until the
connection
+// is closed
+response.setHeader("Connection", "close");
+ </source>
+ Note that this code is Tomcat specific due to the use of the
+ SSLSessionManager class. This is currently only available for the BIO and
+ NIO conenctors, not the APR/native connector.
+ </p>
</section>
</body>
-</document>
+</document>
\ No newline at end of file