details: https://code.openbravo.com/erp/devel/pi/rev/921b3de9e420 changeset: 32307:921b3de9e420 user: Martin Taal <martin.taal <at> openbravo.com> date: Wed Jun 14 08:48:29 2017 +0200 summary: Fixes issue 36250: Log if a stateless service creates a session Check whether a session was present before the request and, if not, whether one was created during it; if so, log a message
diffstat:
src/org/openbravo/base/secureApp/HttpSecureAppServlet.java | 7 +++++++
src/org/openbravo/service/web/BaseWebServiceServlet.java | 14 ++++++++++++++
2 files changed, 21 insertions(+), 0 deletions(-)
diffs (62 lines):
diff -r f33a32b03c29 -r 921b3de9e420 src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
--- a/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java Mon Jun 12 16:11:08 2017 -0400
+++ b/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java Wed Jun 14 08:48:29 2017 +0200
@@ -166,6 +166,8 @@
   public void service(HttpServletRequest request, HttpServletResponse response)
       throws IOException, ServletException {
+    final boolean sessionExists = request.getSession(false) != null;
+
     AllowedCrossDomainsHandler.getInstance().setCORSHeaders(request, response);
     // don't process any further requests otherwise sessions are created for OPTIONS
@@ -363,6 +365,11 @@
       logout(request, response);
       return;
     } finally {
+      final boolean sessionCreated = !sessionExists && null != request.getSession(false);
+      if (AuthenticationManager.isStatelessRequest(request) && sessionCreated) {
+        log4j.warn("Stateless request, still a session was created " + request.getRequestURL()
+            + " " + request.getQueryString());
+      }
       OBContext.restorePreviousMode();
     }
diff -r f33a32b03c29 -r 921b3de9e420 src/org/openbravo/service/web/BaseWebServiceServlet.java
--- a/src/org/openbravo/service/web/BaseWebServiceServlet.java Mon Jun 12 16:11:08 2017 -0400
+++ b/src/org/openbravo/service/web/BaseWebServiceServlet.java Wed Jun 14 08:48:29 2017 +0200
@@ -62,6 +62,8 @@
   protected final void service(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException {
+    final boolean sessionExists = request.getSession(false) != null;
+
     // do the login action
     AuthenticationManager authManager = AuthenticationManager.getAuthenticationManager(this);
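Review bot: The warning added to the finally block of HttpSecureAppServlet.service writes `request.getQueryString()` into the log at WARN level; query strings can carry credentials or tokens, so the message should include only `request.getRequestURI()` (or a redacted query), and `getQueryString()` returns null when the URL has no query, which prints as the literal text "null". The same five lines are repeated in the BaseWebServiceServlet hunks at @@ -85 and @@ -100, so a single static helper such as `static void warnIfSessionCreated(HttpServletRequest request, boolean sessionExisted)` on AuthenticationManager would keep the message and its redaction in one place. The try statement this finally belongs to begins outside the hunk.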
@@ -85,6 +87,12 @@
     try {
       userId = authManager.webServiceAuthenticate(request);
     } catch (AuthenticationException e) {
+      final boolean sessionCreated = !sessionExists && null != request.getSession(false);
+      if (sessionCreated && AuthenticationManager.isStatelessRequest(request)) {
+        log4j.warn("Stateless request, still a session was created " + request.getRequestURL()
+            + " " + request.getQueryString());
+      }
+
       response.setStatus(HttpServletResponse.SC_FORBIDDEN);
       response.setContentType("text/plain;charset=UTF-8");
       final Writer w = response.getWriter();
@@ -100,6 +108,12 @@
     try {
       doService(request, response);
     } finally {
+      final boolean sessionCreated = !sessionExists && null != request.getSession(false);
+      if (sessionCreated && AuthenticationManager.isStatelessRequest(request)) {
+        log.warn("Stateless request, still a session was created " + request.getRequestURL()
+            + " " + request.getQueryString());
+      }
+
       HttpSession session = request.getSession(false);
       if (session != null) {
         // HttpSession for WS should typically expire fast
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openbravo-commits mailing list
Openbravo-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openbravo-commits
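Review bot: The catch block for AuthenticationException logs through `log4j` while the @@ -100 hunk in the same file logs through `log`; unless both logger fields are deliberately in play, the two new statements should use the same one. A session created during a failed `webServiceAuthenticate` is only logged here; if the catch block returns after writing the 403 (its remaining lines are outside the hunk), that session never reaches the short-expiry handling of the later finally block and lives for the container's default timeout, so the logged branch could also call `request.getSession(false).invalidate();` since `sessionCreated` already proves the session is non-null. The enclosing method continues outside the hunk.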
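Review bot: The new lines in the doService finally block call `request.getSession(false)` and the existing line two below fetches it again into `session`; hoisting `HttpSession session = request.getSession(false);` above the check and writing `final boolean sessionCreated = !sessionExists && session != null;` removes the duplicate lookup and gives the warning and the expiry handling one view of the session. The try block and the rest of the finally are outside the hunk.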