From 9a1c22ec699a7dbd807621eabf32bb58d81b56eb Mon Sep 17 00:00:00 2001 From: maxcooper Date: Tue, 14 Feb 2006 09:28:27 +0000 Subject: [PATCH] bug#1056920: unsecured URLs get session objects - unit test and fix --- HISTORY | 10 ++- .../org/securityfilter/filter/SecurityFilter.java | 19 +++-- .../filter/SecurityRequestWrapper.java | 15 ++-- .../test/http/form/NoSessionForUnsecuredTest.java | 96 ++++++++++++++++++++++ web/share/index.jsp | 1 + 5 files changed, 127 insertions(+), 14 deletions(-) create mode 100644 src/test/org/securityfilter/test/http/form/NoSessionForUnsecuredTest.java diff --git a/HISTORY b/HISTORY index e830ee1..e2dd73d 100644 --- a/HISTORY +++ b/HISTORY @@ -1,6 +1,6 @@ -$Id: HISTORY,v 1.29 2005/02/22 11:01:59 maxcooper Exp $ -$Revision: 1.29 $ -$Date: 2005/02/22 11:01:59 $ +$Id: HISTORY,v 1.30 2006/02/14 09:28:28 maxcooper Exp $ +$Revision: 1.30 $ +$Date: 2006/02/14 09:28:28 $ Security Filter v@PROJECT.VERSION@ @@ -23,6 +23,10 @@ http://sourceforge.net/tracker/index.php?func=detail&aid=1143612&group_id=59484& value first, which follows the JUnit example. Also changed some calls to JUnit assert... methods to put the expected value first. +* Fixed issue where SecurityFilter was creating a uneccessarily session for unsecured pages, +including the addition of an automated test: +http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 + Release 2.0, 2004-Dec-13 ======================== diff --git a/src/share/org/securityfilter/filter/SecurityFilter.java b/src/share/org/securityfilter/filter/SecurityFilter.java index 5eb9872..dbb5e4f 100644 --- a/src/share/org/securityfilter/filter/SecurityFilter.java +++ b/src/share/org/securityfilter/filter/SecurityFilter.java @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.23 2004/01/26 09:19:10 maxcooper Exp $ - * $Revision: 1.23 $ - * $Date: 2004/01/26 09:19:10 $ + * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.24 2006/02/14 09:28:27 maxcooper Exp $ + * $Revision: 1.24 $ + * $Date: 2006/02/14 09:28:27 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 @@ -72,7 +72,7 @@ import java.util.*; * @author Max Cooper (max@maxcooper.com) * @author Daya Sharma (iamdaya@yahoo.com, billydaya@sbcglobal.net) * @author Torgeir Veimo (torgeir@pobox.com) - * @version $Revision: 1.23 $ $Date: 2004/01/26 09:19:10 $ + * @version $Revision: 1.24 $ $Date: 2006/02/14 09:28:27 $ */ public class SecurityFilter implements Filter { public static final String CONFIG_FILE_KEY = "config"; @@ -283,7 +283,10 @@ public class SecurityFilter implements Filter { * SavedRequest object is returned. */ protected SavedRequest getSavedRequest(HttpServletRequest request) { - HttpSession session = request.getSession(); + HttpSession session = request.getSession(false); + if (session == null) { + return null; + } String savedURL = (String) session.getAttribute(SecurityFilter.SAVED_REQUEST_URL); if (savedURL != null && savedURL.equals(getSaveableURL(request))) { // this is a request for the request that caused the login, @@ -311,7 +314,11 @@ public class SecurityFilter implements Filter { * @param request the current request */ public static String getContinueToURL(HttpServletRequest request) { - return (String) request.getSession().getAttribute(SAVED_REQUEST_URL); + HttpSession currentSession = request.getSession(false); + if (currentSession == null) { + return null; + } + return (String) currentSession.getAttribute(SAVED_REQUEST_URL); } /** diff --git a/src/share/org/securityfilter/filter/SecurityRequestWrapper.java b/src/share/org/securityfilter/filter/SecurityRequestWrapper.java index 77077ef..cfb67c7 100644 --- a/src/share/org/securityfilter/filter/SecurityRequestWrapper.java +++ b/src/share/org/securityfilter/filter/SecurityRequestWrapper.java @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityRequestWrapper.java,v 1.9 2003/07/07 13:12:57 maxcooper Exp $ - * $Revision: 1.9 $ - * $Date: 2003/07/07 13:12:57 $ + * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityRequestWrapper.java,v 1.10 2006/02/14 09:28:27 maxcooper Exp $ + * $Revision: 1.10 $ + * $Date: 2006/02/14 09:28:27 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 @@ -69,7 +69,7 @@ import java.util.*; * @author Max Cooper (max@maxcooper.com) * @author Daya Sharma (iamdaya@yahoo.com, billydaya@sbcglobal.net) * @author Torgeir Veimo (torgeir@pobox.com) - * @version $Revision: 1.9 $ $Date: 2003/07/07 13:12:57 $ + * @version $Revision: 1.10 $ $Date: 2006/02/14 09:28:27 $ */ public class SecurityRequestWrapper extends HttpServletRequestWrapper { public static final String PRINCIPAL_SESSION_KEY = SecurityRequestWrapper.class.getName() + ".PRINCIPAL"; @@ -205,7 +205,12 @@ public class SecurityRequestWrapper extends HttpServletRequestWrapper { * Get a Principal object for the current user. */ public Principal getUserPrincipal() { - return (Principal) currentRequest.getSession().getAttribute(PRINCIPAL_SESSION_KEY); + Principal principal = null; + HttpSession session = currentRequest.getSession(false); + if (session != null) { + principal = (Principal) session.getAttribute(PRINCIPAL_SESSION_KEY); + } + return principal; } /** diff --git a/src/test/org/securityfilter/test/http/form/NoSessionForUnsecuredTest.java b/src/test/org/securityfilter/test/http/form/NoSessionForUnsecuredTest.java new file mode 100644 index 0000000..91028c8 --- /dev/null +++ b/src/test/org/securityfilter/test/http/form/NoSessionForUnsecuredTest.java @@ -0,0 +1,96 @@ +/* + * $Header$ + * $Revision$ + * $Date$ + * + * ==================================================================== + * The SecurityFilter Software License, Version 1.1 + * + * (this license is derived and fully compatible with the Apache Software + * License - see http://www.apache.org/LICENSE.txt) + * + * Copyright (c) 2002 SecurityFilter.org. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The end-user documentation included with the redistribution, + * if any, must include the following acknowledgment: + * "This product includes software developed by + * SecurityFilter.org (http://www.securityfilter.org/)." + * Alternately, this acknowledgment may appear in the software itself, + * if and wherever such third-party acknowledgments normally appear. + * + * 4. The name "SecurityFilter" must not be used to endorse or promote + * products derived from this software without prior written permission. + * For written permission, please contact license@securityfilter.org . + * + * 5. Products derived from this software may not be called "SecurityFilter", + * nor may "SecurityFilter" appear in their name, without prior written + * permission of SecurityFilter.org. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * ==================================================================== + */ + +package org.securityfilter.test.http.form; + +import org.securityfilter.test.http.TestBase; + +import com.meterware.httpunit.GetMethodWebRequest; +import com.meterware.httpunit.WebRequest; +import com.meterware.httpunit.WebResponse; + +/** + * NoSessionForUnsecuredTest - Ensure that SecurityFilter does not create a session when accessing unsecured pages. + * + * Bug report: + * http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 + * + * @author Max Cooper (max@maxcooper.com) + * @version $Revision$ $Date$ + */ +public class NoSessionForUnsecuredTest extends TestBase { + /** + * Constructor + * + * @param name + */ + public NoSessionForUnsecuredTest(String name) { + super(name); + } + + /** + * Test for session cookie on index page. There should be no session cookie. + * + * @throws Exception + */ + public void testNoSessionForUnsecured() throws Exception { + + WebRequest request = new GetMethodWebRequest(baseUrl + "/index.jsp"); + WebResponse response = session.getResponse(request); + + String[] cookieNames = response.getNewCookieNames(); + assertEquals("Number of cookies should be 0.", 0, cookieNames.length); + } +} diff --git a/web/share/index.jsp b/web/share/index.jsp index 6f6b952..d33ab9a 100644 --- a/web/share/index.jsp +++ b/web/share/index.jsp @@ -1,3 +1,4 @@ +<%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> -- 2.11.0