if (request.getRequestedSessionId() == null &&
SSL_ONLY.equals(request.getServletContext()
.getEffectiveSessionTrackingModes()) &&
- Boolean.TRUE.equals(
- request.getConnector().getAttribute("SSLEnabled"))) {
+ request.connector.secure) {
// TODO Is there a better way to map SSL sessions to our sesison ID?
// TODO The request.getAttribute() will cause a number of other SSL
// attribute to be populated. Is this a performance concern?
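Review bot: L6 reaches into the protected field `request.connector.secure` where the removed code went through the connector's attribute API, and the companion change in getDefaultSessionTrackingModes reads the same property as `connector.getAttribute("secure")`; `request.getConnector().getSecure()` would give one typed path for both call sites. Because `secure` can be set on a connector that does not itself terminate TLS (the proxy/accelerator case the new docs route through SSLValve), this branch now also runs when Tomcat never saw a handshake, and the session id it presumably goes on to map comes from whatever populated the request attribute. The TODO at L7 could record that assumption, e.g. `// secure may come from config, not from a TLS handshake; the SSL id may have been supplied by SSLValve`. The enclosing block starts before the hunk.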
if(attr != null) {
attributes.put(Globals.SSL_SESSION_ID_ATTR, attr);
}
+ attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_MGR_ATTR);
+ if(attr != null) {
+ attributes.put(Globals.SSL_SESSION_MGR_ATTR, attr);
+ }
attr = attributes.get(name);
}
return attr;
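Review bot: L13–L16 add a fourth copy of the `attr = coyoteRequest.getAttribute(X); if (attr != null) attributes.put(X, attr);` pattern; a private helper such as `copySpecialAttribute(String name)` (get, null-check, put) called once per Globals constant would turn the list of exposed SSL attributes into a single readable sequence. The value stored under SSL_SESSION_MGR_ATTR is whatever the connector placed there: judging from the processor hunks it is the processor's own SSLSupport object on BIO/NIO and nothing at all on APR, so a comment `// may be null: not every connector exposes an SSLSessionManager` would warn callers to null-check. The enclosing method starts before the hunk.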
return Globals.CERTIFICATES_ATTR.equals(name) ||
Globals.CIPHER_SUITE_ATTR.equals(name) ||
Globals.KEY_SIZE_ATTR.equals(name) ||
- Globals.SSL_SESSION_ID_ATTR.equals(name);
+ Globals.SSL_SESSION_ID_ATTR.equals(name) ||
+ Globals.SSL_SESSION_MGR_ATTR.equals(name);
}
/**
if ((connector.getEmptySessionPath()
&& isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
session = manager.createSession(getRequestedSessionId());
- if (requestedSessionSSL) {
- coyoteRequest.action(ActionCode.ACTION_REQ_SSL_SESSION_MGR,
- null);
- session.setNote(
- org.apache.catalina.session.Constants.SESS_SSL_MGMT,
- getAttribute(Globals.SSL_SESSION_MGR_ATTR));
- }
} else {
session = manager.createSession(null);
}
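Review bot: With the `requestedSessionSSL` branch at L31–L37 and the StandardManager.remove() hook gone, invalidating an HTTP session no longer invalidates the SSL session it was keyed on, yet L30 still creates the replacement session under `getRequestedSessionId()`, which in SSL tracking mode is the SSL session id; a client that keeps the same TLS connection after `session.invalidate()` is therefore handed a fresh session carrying the identifier it held before invalidation, unless the application also performs the invalidateSession()/Connection: close sequence the new docs describe. Nothing in this method enforces or records that dependency. A comment here, `// In SSL tracking mode the id is the SSL session id and is reused after invalidate() unless the SSL session is invalidated too (see SSL_SESSION_MGR_ATTR)`, would make it explicit for the next maintainer. The enclosing method starts and ends outside the hunk.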
* SessionTrackingMode#COOKIE} is supported unless the <code>cookies</code>
* attribute has been set to <code>false</code> for the context and {@link
* SessionTrackingMode#SSL} is supported if at least one of the connectors
- * used by this context has the attribute <code>SSLEnabled</code> set to
+ * used by this context has the attribute <code>secure</code> set to
* <code>true</code>.
*/
public EnumSet<SessionTrackingMode> getDefaultSessionTrackingModes() {
// TODO extend this for SSL sessions managed by accelerators, web
// servers etc
for (Connector connector : connectors) {
- if (Boolean.TRUE.equals(connector.getAttribute("SSLEnabled"))) {
+ if (Boolean.TRUE.equals(connector.getAttribute("secure"))) {
defaultSessionTrackingModes.add(SessionTrackingMode.SSL);
break;
}
}
-}
+}
\ No newline at end of file
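Review bot: `Boolean.TRUE.equals(connector.getAttribute("secure"))` at L53 goes through the string-keyed reflective lookup for a property that has a typed getter; `if (connector.getSecure())` is clearer and matches the direct field read the Request-side change uses. Semantically, `secure` is also set on connectors that do not terminate TLS, so SSL is now advertised as a default tracking mode for contexts whose connector may never see a handshake; the docs in this commit require SSLValve to supply the id in that case, and the `// TODO extend this for SSL sessions managed by accelerators` at L49–L50 could be reworded to say that case is now covered by `secure` plus SSLValve rather than left open. The javadoc at L45 names the attribute `secure` while the documentation hunk says `isSecure`; L53 reads `"secure"`, so the two texts should be aligned to the name actually read.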
public static final String Package = "org.apache.catalina.session";
- /**
- * Name of note containing SSL session manager
- */
- public static final String SESS_SSL_MGMT =
- "org.apache.catalina.session.SSL_MGMT";
-
}
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.modeler.Registry;
-import org.apache.tomcat.util.net.SSLSessionManager;
/**
public void remove(Session session) {
sessions.remove(session.getIdInternal());
- // Close the underlying SSL session
- SSLSessionManager mgr =
- (SSLSessionManager) session.getNote(Constants.SESS_SSL_MGMT);
- if (mgr != null) {
- mgr.invalidateSession();
- }
}
*/
public static final ActionCode ACTION_COMET_SETTIMEOUT = new ActionCode(25);
- /**
- * Callback for lazy evaluation - obtain the SSL Session Manager
- */
- public static final ActionCode ACTION_REQ_SSL_SESSION_MGR =
- new ActionCode(26);
-
// ----------------------------------------------------------- Constructors
int code;
if (sslO != null) {
request.setAttribute(AprEndpoint.SESSION_ID_KEY, sslO);
}
+ //TODO provide a hook to enable the SSL session to be
+ // invalidated. Set AprEndpoint.SESSION_MGR req attr
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
}
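Review bot: The TODO at L96–L97 leaves APR as the one connector that never sets the SESSION_MGR request attribute, while the BIO and NIO processors set it in the equivalent position in this same commit; the divergence is recorded only in the website docs. A comment where `AprEndpoint.SESSION_MGR` (or `Globals.SSL_SESSION_MGR_ATTR`) is declared, stating that the APR connector does not populate it, would keep that contract visible to code that dereferences the attribute. The enclosing action() branch starts outside the hunk.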
//no op
} else if (actionCode == ActionCode.ACTION_COMET_SETTIMEOUT) {
//no op
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- //TODO SERVLET3 provide a hook to enable the SSL session to be
- // invalidated
}
}
if (sslO != null)
request.setAttribute
(SSLSupport.SESSION_ID_KEY, sslO);
+ request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
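Review bot: L112 publishes the processor's whole `sslSupport` object as the request attribute, so application code receives the full SSLSupport surface (and whatever else the concrete class implements), not just the `invalidateSession()` capability the docs describe; the same applies to L128 in the BIO processor. If the intent is to expose only session invalidation, hand out a small adapter that implements SSLSessionManager and delegates to sslSupport, as sketched below, assuming the concrete support object is itself an SSLSessionManager as the cast in the docs example implies. The removed branch at L120–L122 guarded the call with `if (sslSupport != null)`; the new line sits inside a block whose start is outside the hunk, so that guard is presumably inherited from the enclosing condition — worth confirming, since a null here would otherwise be stored as the attribute value.
```java
if (sslO != null)
    request.setAttribute(SSLSupport.SESSION_ID_KEY, sslO);
// Expose only the invalidation capability, not the processor's SSLSupport itself
final SSLSessionManager target = (SSLSessionManager) sslSupport;
request.setAttribute(SSLSupport.SESSION_MGR, new SSLSessionManager() {
    public void invalidateSession() {
        target.invalidateSession();
    }
});
```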
RequestInfo rp = request.getRequestProcessor();
if ( rp.getStage() != org.apache.coyote.Constants.STAGE_SERVICE ) //async handling
attach.setTimeout(timeout);
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- if( sslSupport != null) {
- request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
- }
}
}
if (sslO != null)
request.setAttribute
(SSLSupport.SESSION_ID_KEY, sslO);
+ request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
InternalInputBuffer internalBuffer = (InternalInputBuffer)
request.getInputBuffer();
internalBuffer.addActiveFilter(savedBody);
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- if( sslSupport != null) {
- request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
- }
}
}
</section>
<section name="Using the SSL for session tracking in your application">
- <p>This is a new feature in the Servlet 3.0 specification. Because is uses the
- SSL session ID associated with the physical client server connection there
- are a number of limitations. They are:
+ <p>This is a new feature in the Servlet 3.0 specification. Because it uses the
+ SSL session ID associated with the physical client-server connection there
+ are some limitations. They are:
<ul>
- <li>The SSL connection must be managed by Tomcat, i.e. Tomcat must have a
- connector with the attribute <strong>SSLEnabled</strong> set to
- <code>true</code>. This is to enable Tomcat to invalidate the SSL
- session if the HTTP session is invalidated. If SSL conections are
- managed by a proxy or a hardware accelerator this is not possibe.</li>
- <li>It cannot be used in conjunction with session replication as the SSL
- session IDs will be different on each node.</li>
- <li>When <code>session.invalidate()</code> is called within the application
- <code>response.setHeader("Connection", "close")</code> must also be
- called as invalidating the session does not affect any current
- connections.</li>
- <li>HTTP session timeouts, keep-alive timeouts and SSL session timeouts
- should be consistent. Note that the default JSSE SSL session timeout
- (24 hours) is significantly longer than the default Tomcat HTTP Sesson
- timeout (30 minutes).</li>
+ <li>Tomcat must have a connector with the attribute
+ <strong>isSecure</strong> set to <code>true</code>.</li>
+ <li>If SSL conections are managed by a proxy or a hardware accelerator
+ they must populate the SSL request headers (see the SSLValve) so that
+ the SSL session ID is visibale to Tomcat.</li>
+ <li>If Tomcat terminates the SSL connection, it will not be possible to use
+ session replication as the SSL session IDs will be different on each
+ node.</li>
</ul>
</p>
For additional discussion on this area, please see
<a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=22679">Bugzilla</a>.
</p>
+
+ <p>To terminate an SSL session, use:
+ <source>
+// Standard HTTP session invalidation
+session.invalidate();
+
+// Invalidate the SSL Session
+org.apache.tomcat.util.net.SSLSessionManager mgr =
+ (org.apache.tomcat.util.net.SSLSessionManager)
+ request.getAttribute("javax.servlet.request.ssl_session_mgr");
+mgr.invalidateSession();
+
+// Close the conection since the SSL session will be active until the connection
+// is closed
+response.setHeader("Connection", "close");
+ </source>
+ Note that this code is Tomcat specific due to the use of the
+ SSLSessionManager class. This is currently only available for the BIO and
+ NIO conenctors, not the APR/native connector.
+ </p>
</section>
</body>
-</document>
+</document>
\ No newline at end of file