details:   https://code.openbravo.com/erp/devel/pi/rev/921b3de9e420
changeset: 32307:921b3de9e420
user:      Martin Taal <martin.taal <at> openbravo.com>
date:      Wed Jun 14 08:48:29 2017 +0200
summary:   Fixes issue 36250: Log if a stateless service creates a session
Check whether a session was already present and, if not, whether one got created; if so, log a message.

diffstat:

 src/org/openbravo/base/secureApp/HttpSecureAppServlet.java |   7 +++++++
 src/org/openbravo/service/web/BaseWebServiceServlet.java   |  14 ++++++++++++++
 2 files changed, 21 insertions(+), 0 deletions(-)

diffs (62 lines):

diff -r f33a32b03c29 -r 921b3de9e420 
src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
--- a/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java        Mon Jun 
12 16:11:08 2017 -0400
+++ b/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java        Wed Jun 
14 08:48:29 2017 +0200
@@ -166,6 +166,8 @@
   public void service(HttpServletRequest request, HttpServletResponse 
response) throws IOException,
       ServletException {
 
+    final boolean sessionExists = request.getSession(false) != null;
+
     AllowedCrossDomainsHandler.getInstance().setCORSHeaders(request, response);
 
     // don't process any further requests otherwise sessions are created for 
OPTIONS
@@ -363,6 +365,11 @@
       logout(request, response);
       return;
     } finally {
+      final boolean sessionCreated = !sessionExists && null != 
request.getSession(false);
+      if (AuthenticationManager.isStatelessRequest(request) && sessionCreated) 
{
+        log4j.warn("Stateless request, still a session was created " + 
request.getRequestURL()
+            + " " + request.getQueryString());
+      }
       OBContext.restorePreviousMode();
     }
 
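Review bot: The warning at lines 41–43 copies the raw query string into the log; for a stateless request that is whatever the client put in the URL, so any credential or token passed as a query parameter would be persisted at WARN level. Drop the query string from the message, or log only the parameter names (`request.getParameterMap().keySet()`) and leave the values out. The same statement is repeated in both hunks of BaseWebServiceServlet (lines 65 and 81), so a single helper in AuthenticationManager, which all three call sites already use, would keep the message and any redaction in one place. Note also that this `finally` runs after the `logout(request, response)` at line 34; if logout invalidates the session, `getSession(false)` returns null there and a session created earlier in the request goes unreported. The enclosing `service` method begins before and continues after this hunk.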
diff -r f33a32b03c29 -r 921b3de9e420 
src/org/openbravo/service/web/BaseWebServiceServlet.java
--- a/src/org/openbravo/service/web/BaseWebServiceServlet.java  Mon Jun 12 
16:11:08 2017 -0400
+++ b/src/org/openbravo/service/web/BaseWebServiceServlet.java  Wed Jun 14 
08:48:29 2017 +0200
@@ -62,6 +62,8 @@
   protected final void service(HttpServletRequest request, HttpServletResponse 
response)
       throws ServletException, IOException {
 
+    final boolean sessionExists = request.getSession(false) != null;
+
     // do the login action
     AuthenticationManager authManager = 
AuthenticationManager.getAuthenticationManager(this);
 
@@ -85,6 +87,12 @@
     try {
       userId = authManager.webServiceAuthenticate(request);
     } catch (AuthenticationException e) {
+      final boolean sessionCreated = !sessionExists && null != 
request.getSession(false);
+      if (sessionCreated && AuthenticationManager.isStatelessRequest(request)) 
{
+        log4j.warn("Stateless request, still a session was created " + 
request.getRequestURL()
+            + " " + request.getQueryString());
+      }
+
       response.setStatus(HttpServletResponse.SC_FORBIDDEN);
       response.setContentType("text/plain;charset=UTF-8");
       final Writer w = response.getWriter();
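Review bot: In the catch block at lines 69–76 the new code only reports the session; the session just created for a stateless request whose authentication failed is left alive when the 403 is written, and the short-expiry handling visible at lines 94–96 belongs to the later try/finally around doService, so as far as the hunk shows it does not run on this path. Unless something after the catch still needs that session, add `request.getSession(false).invalidate();` inside the `if` after the warn so the unauthenticated client does not keep a live server-side session. The `&&` operands are also in the opposite order from the HttpSecureAppServlet version (line 39); harmless, but worth aligning if the check is extracted into a helper. The enclosing `service` method continues outside the hunk.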
@@ -100,6 +108,12 @@
       try {
         doService(request, response);
       } finally {
+        final boolean sessionCreated = !sessionExists && null != 
request.getSession(false);
+        if (sessionCreated && 
AuthenticationManager.isStatelessRequest(request)) {
+          log.warn("Stateless request, still a session was created " + 
request.getRequestURL()
+              + " " + request.getQueryString());
+        }
+
         HttpSession session = request.getSession(false);
         if (session != null) {
           // HttpSession for WS should typically expire fast
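Review bot: Line 89 calls `log.warn` while the identical message two hunks up in the same file (line 73) uses `log4j.warn`; unless BaseWebServiceServlet declares both a `log` and a `log4j` field this will not compile, and if it does declare both, the same event is routed to two different loggers. Change it to `log4j.warn(...)` to match line 73. Since this block is now copy-pasted three times with small differences, a single static helper taking `sessionExists` and the request would remove the drift. The enclosing `service` method continues outside the hunk.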
