From: markt
Date: Mon, 12 Jan 2009 21:18:54 +0000 (+0000)
Subject: Update SSL Session handling based on Filip's comments. HTTP session invalidation...
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=b3833d6d95a5eeca0444581d07129b227b4d20f6;p=tomcat7.0
Update SSL Session handling based on Filip's comments. HTTP session invalidation is now separate from SSLSession validation. The hooks remain to invalidate the SSL session if required.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@733899 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
index 731b54034..4e2a6a8f1 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -524,8 +524,7 @@ public class CoyoteAdapter
if (request.getRequestedSessionId() == null &&
SSL_ONLY.equals(request.getServletContext()
.getEffectiveSessionTrackingModes()) &&
- Boolean.TRUE.equals(
- request.getConnector().getAttribute("SSLEnabled"))) {
+ request.connector.secure) {
// TODO Is there a better way to map SSL sessions to our sesison ID?
// TODO The request.getAttribute() will cause a number of other SSL
// attribute to be populated. Is this a performance concern?
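Review bot: `request.connector.secure` on the added line reads a Connector field directly instead of going through an accessor; `request.getConnector().getSecure()` keeps the same meaning and lines up with the `getAttribute("secure")` lookup ApplicationContext uses for the same decision elsewhere in this commit. Note also that `secure` can be set on a connector that does not itself terminate TLS (one fronted by a proxy, as the updated ssl-howto describes), so this branch may now run for requests whose SSL session id reached Tomcat via request headers rather than from Tomcat's own SSL layer; the id the following code presumably maps onto the HTTP session should be treated as trustworthy only when the proxy is the party populating it. The enclosing method continues outside the hunk.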
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 4438bf43f..a35f7a6f3 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -925,6 +925,10 @@ public class Request
if(attr != null) {
attributes.put(Globals.SSL_SESSION_ID_ATTR, attr);
}
+ attr = coyoteRequest.getAttribute(Globals.SSL_SESSION_MGR_ATTR);
+ if(attr != null) {
+ attributes.put(Globals.SSL_SESSION_MGR_ATTR, attr);
+ }
attr = attributes.get(name);
}
return attr;
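Review bot: The added lines repeat the fetch-then-cache shape used for the session id directly above them; a small helper such as `private void cacheSslAttribute(String key) { Object v = coyoteRequest.getAttribute(key); if (v != null) { attributes.put(key, v); } }` would collapse the four copies to one-liners. The surrounding method starts and ends outside the hunk. Because the cached value is the connector's SSLSupport object handed through to the web application, a comment that it is Tomcat-specific and may be absent on connectors that do not publish it (the APR processor in this commit only leaves a TODO) would help callers who go on to call `invalidateSession()` on it.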
@@ -938,7 +942,8 @@ public class Request
return Globals.CERTIFICATES_ATTR.equals(name) ||
Globals.CIPHER_SUITE_ATTR.equals(name) ||
Globals.KEY_SIZE_ATTR.equals(name) ||
- Globals.SSL_SESSION_ID_ATTR.equals(name);
+ Globals.SSL_SESSION_ID_ATTR.equals(name) ||
+ Globals.SSL_SESSION_MGR_ATTR.equals(name);
}
/**
@@ -2403,13 +2408,6 @@ public class Request
if ((connector.getEmptySessionPath()
&& isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
session = manager.createSession(getRequestedSessionId());
- if (requestedSessionSSL) {
- coyoteRequest.action(ActionCode.ACTION_REQ_SSL_SESSION_MGR,
- null);
- session.setNote(
- org.apache.catalina.session.Constants.SESS_SSL_MGMT,
- getAttribute(Globals.SSL_SESSION_MGR_ATTR));
- }
} else {
session = manager.createSession(null);
}
diff --git a/java/org/apache/catalina/core/ApplicationContext.java b/java/org/apache/catalina/core/ApplicationContext.java
index 81ae804e4..d5999fa20 100644
--- a/java/org/apache/catalina/core/ApplicationContext.java
+++ b/java/org/apache/catalina/core/ApplicationContext.java
@@ -864,7 +864,7 @@ public class ApplicationContext
* SessionTrackingMode#COOKIE} is supported unless the cookies
* attribute has been set to false for the context and {@link
* SessionTrackingMode#SSL} is supported if at least one of the connectors
- * used by this context has the attribute SSLEnabled set to
+ * used by this context has the attribute secure set to
* true.
*/
public EnumSet getDefaultSessionTrackingModes() {
@@ -887,7 +887,7 @@ public class ApplicationContext
// TODO extend this for SSL sessions managed by accelerators, web
// servers etc
for (Connector connector : connectors) {
- if (Boolean.TRUE.equals(connector.getAttribute("SSLEnabled"))) {
+ if (Boolean.TRUE.equals(connector.getAttribute("secure"))) {
defaultSessionTrackingModes.add(SessionTrackingMode.SSL);
break;
}
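Review bot: `Boolean.TRUE.equals(connector.getAttribute("secure"))` is only true if `getAttribute` hands back a `Boolean` rather than the string form of the property; since Connector exposes the flag as a getter, `if (connector.getSecure()) {` avoids depending on that and matches how CoyoteAdapter reads `connector.secure` in this same commit. The loop's enclosing method starts outside the hunk. The adjacent TODO about accelerator-managed SSL sessions still applies after this change: a connector marked secure because a proxy terminates TLS will now advertise SSL tracking even though Tomcat never sees the TLS session itself, which is exactly the header-populated case the documentation change in this commit describes.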
@@ -1123,4 +1123,4 @@ public class ApplicationContext
}
-}
+}
\ No newline at end of file
diff --git a/java/org/apache/catalina/session/Constants.java b/java/org/apache/catalina/session/Constants.java
index ca4b09aa0..24546879e 100644
--- a/java/org/apache/catalina/session/Constants.java
+++ b/java/org/apache/catalina/session/Constants.java
@@ -29,10 +29,4 @@ public class Constants {
public static final String Package = "org.apache.catalina.session";
- /**
- * Name of note containing SSL session manager
- */
- public static final String SESS_SSL_MGMT =
- "org.apache.catalina.session.SSL_MGMT";
-
}
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index 5624c9a72..8f5749fcc 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -53,7 +53,6 @@ import org.apache.catalina.util.StringManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.modeler.Registry;
-import org.apache.tomcat.util.net.SSLSessionManager;
/**
@@ -908,12 +907,6 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
public void remove(Session session) {
sessions.remove(session.getIdInternal());
- // Close the underlying SSL session
- SSLSessionManager mgr =
- (SSLSessionManager) session.getNote(Constants.SESS_SSL_MGMT);
- if (mgr != null) {
- mgr.invalidateSession();
- }
}
diff --git a/java/org/apache/coyote/ActionCode.java b/java/org/apache/coyote/ActionCode.java
index eb55f760e..63642342c 100644
--- a/java/org/apache/coyote/ActionCode.java
+++ b/java/org/apache/coyote/ActionCode.java
@@ -163,12 +163,6 @@ public final class ActionCode {
*/
public static final ActionCode ACTION_COMET_SETTIMEOUT = new ActionCode(25);
- /**
- * Callback for lazy evaluation - obtain the SSL Session Manager
- */
- public static final ActionCode ACTION_REQ_SSL_SESSION_MGR =
- new ActionCode(26);
-
// ----------------------------------------------------------- Constructors
int code;
diff --git a/java/org/apache/coyote/http11/Http11AprProcessor.java b/java/org/apache/coyote/http11/Http11AprProcessor.java
index 78446df8c..3a57faead 100644
--- a/java/org/apache/coyote/http11/Http11AprProcessor.java
+++ b/java/org/apache/coyote/http11/Http11AprProcessor.java
@@ -1141,6 +1141,8 @@ public class Http11AprProcessor implements ActionHook {
if (sslO != null) {
request.setAttribute(AprEndpoint.SESSION_ID_KEY, sslO);
}
+ //TODO provide a hook to enable the SSL session to be
+ // invalidated. Set AprEndpoint.SESSION_MGR req attr
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
}
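Review bot: The added TODO says what should eventually be set but not what callers observe until then; since this processor never publishes the session manager attribute, web applications on the APR connector get null from `request.getAttribute(Globals.SSL_SESSION_MGR_ATTR)`. Suggest extending the comment: `// TODO provide a hook to enable the SSL session to be invalidated. Set AprEndpoint.SESSION_MGR req attr. Until then the attribute is absent on this connector and callers must null-check it.` The enclosing try block and method continue outside the hunk.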
@@ -1198,9 +1200,6 @@ public class Http11AprProcessor implements ActionHook {
//no op
} else if (actionCode == ActionCode.ACTION_COMET_SETTIMEOUT) {
//no op
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- //TODO SERVLET3 provide a hook to enable the SSL session to be
- // invalidated
}
}
diff --git a/java/org/apache/coyote/http11/Http11NioProcessor.java b/java/org/apache/coyote/http11/Http11NioProcessor.java
index e6768c70f..38523b927 100644
--- a/java/org/apache/coyote/http11/Http11NioProcessor.java
+++ b/java/org/apache/coyote/http11/Http11NioProcessor.java
@@ -1175,6 +1175,7 @@ public class Http11NioProcessor implements ActionHook {
if (sslO != null)
request.setAttribute
(SSLSupport.SESSION_ID_KEY, sslO);
+ request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
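Review bot: `request.setAttribute(SSLSupport.SESSION_MGR, sslSupport)` publishes the connector's entire SSLSupport object to the web application (Request.getAttribute now copies it through under Globals.SSL_SESSION_MGR_ATTR), whereas the only capability a webapp needs from it is `SSLSessionManager.invalidateSession()`; the same line is added in Http11Processor. Handing out a narrower object, one that can only invalidate and does not expose the rest of the support object, would keep connector internals out of webapp reach and is the least-privilege shape for a capability that terminates the client's TLS session. The `if (sslSupport != null)` guard that the removed branch had is presumably covered by an enclosing null check that starts outside the hunk; worth confirming, since the new line runs regardless of `sslO`.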
@@ -1236,10 +1237,6 @@ public class Http11NioProcessor implements ActionHook {
RequestInfo rp = request.getRequestProcessor();
if ( rp.getStage() != org.apache.coyote.Constants.STAGE_SERVICE ) //async handling
attach.setTimeout(timeout);
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- if( sslSupport != null) {
- request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
- }
}
}
diff --git a/java/org/apache/coyote/http11/Http11Processor.java b/java/org/apache/coyote/http11/Http11Processor.java
index 05305880b..d593d55ec 100644
--- a/java/org/apache/coyote/http11/Http11Processor.java
+++ b/java/org/apache/coyote/http11/Http11Processor.java
@@ -1012,6 +1012,7 @@ public class Http11Processor implements ActionHook {
if (sslO != null)
request.setAttribute
(SSLSupport.SESSION_ID_KEY, sslO);
+ request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
@@ -1105,10 +1106,6 @@ public class Http11Processor implements ActionHook {
InternalInputBuffer internalBuffer = (InternalInputBuffer)
request.getInputBuffer();
internalBuffer.addActiveFilter(savedBody);
- } else if (actionCode == ActionCode.ACTION_REQ_SSL_SESSION_MGR) {
- if( sslSupport != null) {
- request.setAttribute(SSLSupport.SESSION_MGR, sslSupport);
- }
}
}
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index d4dcabea3..5a61d3d75 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -638,25 +638,18 @@ information, at
-
This is a new feature in the Servlet 3.0 specification. Because is uses the
- SSL session ID associated with the physical client server connection there
- are a number of limitations. They are:
+
This is a new feature in the Servlet 3.0 specification. Because it uses the
+ SSL session ID associated with the physical client-server connection there
+ are some limitations. They are:
-
The SSL connection must be managed by Tomcat, i.e. Tomcat must have a
- connector with the attribute SSLEnabled set to
- true. This is to enable Tomcat to invalidate the SSL
- session if the HTTP session is invalidated. If SSL conections are
- managed by a proxy or a hardware accelerator this is not possibe.
-
It cannot be used in conjunction with session replication as the SSL
- session IDs will be different on each node.
-
When session.invalidate() is called within the application
- response.setHeader("Connection", "close") must also be
- called as invalidating the session does not affect any current
- connections.
-
HTTP session timeouts, keep-alive timeouts and SSL session timeouts
- should be consistent. Note that the default JSSE SSL session timeout
- (24 hours) is significantly longer than the default Tomcat HTTP Sesson
- timeout (30 minutes).
+
Tomcat must have a connector with the attribute
+ isSecure set to true.
+
If SSL conections are managed by a proxy or a hardware accelerator
+ they must populate the SSL request headers (see the SSLValve) so that
+ the SSL session ID is visibale to Tomcat.
+
If Tomcat terminates the SSL connection, it will not be possible to use
+ session replication as the SSL session IDs will be different on each
+ node.
@@ -709,8 +702,28 @@ public class SessionTrackingModeListener implements ServletContextListener {
For additional discussion on this area, please see
Bugzilla.
+
+
To terminate an SSL session, use:
+
+// Standard HTTP session invalidation
+session.invalidate();
+
+// Invalidate the SSL Session
+org.apache.tomcat.util.net.SSLSessionManager mgr =
+ (org.apache.tomcat.util.net.SSLSessionManager)
+ request.getAttribute("javax.servlet.request.ssl_session_mgr");
+mgr.invalidateSession();
+
+// Close the conection since the SSL session will be active until the connection
+// is closed
+response.setHeader("Connection", "close");
+
+ Note that this code is Tomcat specific due to the use of the
+ SSLSessionManager class. This is currently only available for the BIO and
+ NIO conenctors, not the APR/native connector.
+