view src/org/eclipse/jetty/server/session/AbstractSessionIdManager.java @ 808:b3176fd168bf

replace use of jetty.util.B64Code with java.util.Base64
author Franklin Schmidt <fschmidt@gmail.com>
date Thu, 08 Sep 2016 16:13:27 -0600
parents 3428c60d7cfc
children
line wrap: on
line source

//
//  ========================================================================
//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
//  ------------------------------------------------------------------------
//  All rights reserved. This program and the accompanying materials
//  are made available under the terms of the Eclipse Public License v1.0
//  and Apache License v2.0 which accompanies this distribution.
//
//      The Eclipse Public License is available at
//      http://www.eclipse.org/legal/epl-v10.html
//
//      The Apache License v2.0 is available at
//      http://www.opensource.org/licenses/apache2.0.php
//
//  You may elect to redistribute this code under either of these licenses.
//  ========================================================================
//

package org.eclipse.jetty.server.session;

import java.security.SecureRandom;
import java.util.Random;

import javax.servlet.http.HttpServletRequest;

import org.eclipse.jetty.server.SessionIdManager;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

public abstract class AbstractSessionIdManager extends AbstractLifeCycle implements SessionIdManager
{
    private static final Logger LOG = Log.getLogger(AbstractSessionIdManager.class);

    private final static String __NEW_SESSION_ID="org.eclipse.jetty.server.newSessionId";  
    
    protected Random _random;
    protected boolean _weakRandom;
    protected String _workerName;
    protected long _reseed=100000L;
    
    /* ------------------------------------------------------------ */
    public AbstractSessionIdManager()
    {
    }
    
    /* ------------------------------------------------------------ */
    public AbstractSessionIdManager(Random random)
    {
        _random=random;
    }


    /* ------------------------------------------------------------ */
    /**
     * @return the reseed probability
     */
    public long getReseed()
    {
        return _reseed;
    }

    /* ------------------------------------------------------------ */
    /** Set the reseed probability.
     * @param reseed  If non zero then when a random long modulo the reseed value == 1, the {@link SecureRandom} will be reseeded.
     */
    public void setReseed(long reseed)
    {
        _reseed = reseed;
    }

    /* ------------------------------------------------------------ */
    /**
     * Get the workname. If set, the workername is dot appended to the session
     * ID and can be used to assist session affinity in a load balancer.
     * 
     * @return String or null
     */
    public String getWorkerName()
    {
        return _workerName;
    }

    /* ------------------------------------------------------------ */
    /**
     * Set the workname. If set, the workername is dot appended to the session
     * ID and can be used to assist session affinity in a load balancer.
     * 
     * @param workerName
     */
    public void setWorkerName(String workerName)
    {
        if (workerName.contains("."))
            throw new IllegalArgumentException("Name cannot contain '.'");
        _workerName=workerName;
    }

    /* ------------------------------------------------------------ */
    public Random getRandom()
    {
        return _random;
    }

    /* ------------------------------------------------------------ */
    public synchronized void setRandom(Random random)
    {
        _random=random;
        _weakRandom=false;
    }
    
    /* ------------------------------------------------------------ */
    /** 
     * Create a new session id if necessary.
     * 
     * @see org.eclipse.jetty.server.SessionIdManager#newSessionId(javax.servlet.http.HttpServletRequest, long)
     */
    public String newSessionId(HttpServletRequest request, long created)
    {
        synchronized (this)
        {
            if (request!=null)
            {
                // A requested session ID can only be used if it is in use already.
                String requested_id=request.getRequestedSessionId();
                if (requested_id!=null)
                {
                    String cluster_id=getClusterId(requested_id);
                    if (idInUse(cluster_id))
                        return cluster_id;
                }

                // Else reuse any new session ID already defined for this request.
                String new_id=(String)request.getAttribute(__NEW_SESSION_ID);
                if (new_id!=null&&idInUse(new_id))
                    return new_id;
            }
            
            // pick a new unique ID!
            String id=null;
            while (id==null||id.length()==0||idInUse(id))
            {
                long r0=_weakRandom
                ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32))
                :_random.nextLong();
                if (r0<0)
                    r0=-r0;

		// random chance to reseed
		if (_reseed>0 && (r0%_reseed)== 1L)
		{
		    LOG.debug("Reseeding {}",this);
		    if (_random instanceof SecureRandom)
		    {
			SecureRandom secure = (SecureRandom)_random;
			secure.setSeed(secure.generateSeed(8));
		    }
		    else
		    {
			_random.setSeed(_random.nextLong()^System.currentTimeMillis()^request.hashCode()^Runtime.getRuntime().freeMemory());
		    }
		}

                long r1=_weakRandom
                ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32))
                :_random.nextLong();
                if (r1<0)
                    r1=-r1;
                id=Long.toString(r0,36)+Long.toString(r1,36);
                
                //add in the id of the node to ensure unique id across cluster
                //NOTE this is different to the node suffix which denotes which node the request was received on
                if (_workerName!=null)
                    id=_workerName + id;
            }

            request.setAttribute(__NEW_SESSION_ID,id);
            return id;
        }
    }

    /* ------------------------------------------------------------ */
    @Override
    protected void doStart() throws Exception
    {
       initRandom();
    }
    
    /* ------------------------------------------------------------ */
    @Override
    protected void doStop() throws Exception
    {
    }
    
    /* ------------------------------------------------------------ */
    /**
     * Set up a random number generator for the sessionids.
     * 
     * By preference, use a SecureRandom but allow to be injected.
     */
    public void initRandom ()
    {
        if (_random==null)
        {
            try
            {
                _random=new SecureRandom();
            }
            catch (Exception e)
            {
                LOG.warn("Could not generate SecureRandom for session-id randomness",e);
                _random=new Random();
                _weakRandom=true;
            }
        }
        else
            _random.setSeed(_random.nextLong()^System.currentTimeMillis()^hashCode()^Runtime.getRuntime().freeMemory()); 
    }
    
    
}