org.opensubsystems.core.www
Class WebSessionServlet

java.lang.Object
  extended by javax.servlet.GenericServlet
      extended by javax.servlet.http.HttpServlet
          extended by org.opensubsystems.core.www.WebSessionServlet
All Implemented Interfaces:
java.io.Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig
Direct Known Subclasses:
WebUIServlet

public class WebSessionServlet
extends javax.servlet.http.HttpServlet

Base class for all servlets developed as part of this project. Its main responsibility is to provide session information if required, thereby making sure that nobody who is not logged in (or otherwise authenticated) can proceed. This servlet intercepts all requests, makes sure that a valid HTTP session is established and, after credentials are verified, lets the request proceed. Developers are advised to derive all servlets from this servlet, since this establishes an effective security policy in a single place.

Version:
$Id: WebSessionServlet.java,v 1.20 2007/02/20 04:10:43 bastafidli Exp $
Author:
Miro Halas
See Also:
Serialized Form
Code reviewer:
Miro Halas
Code reviewed:
1.13 2006/02/24 00:17:43 jlegeny

Field Summary
static java.lang.String APPLICATION_SECURE
          Configuration setting specifying if all pages of the application should be displayed in a secure mode using SSL protocol.
static java.lang.String ATTACH_INTERNAL_SESSION_ID_URL_PARAM
          Parameter which must be specified in the URL if the user should be attached to this server after being logged in at some other server.
static boolean DEFAULT_APPLICATION_SECURE
          Default value for APPLICATION_SECURE.
static boolean DEFAULT_LOGIN_SECURE
          Default value for LOGIN_SECURE.
static java.lang.String LOGIN_FORWARD_SESSION_PARAM
          Name of the HTTP session object storing path where to continue after login.
static java.lang.String LOGIN_SECURE
          Configuration setting specifying if the login page should be displayed in a secure mode using SSL protocol.
protected  javax.servlet.ServletContext m_scServletContext
          Servlets context.
protected  SessionValidator m_sessionValidator
          If not null, then this instance will be used to validate session for each request.
protected  java.lang.String m_strHandshakeURL
          URL of the handshake page in case a handshake is required.
protected static boolean s_bApplicationSecure
          Flag signaling if whole application will be using SSL.
protected static boolean s_bLoginSecure
          Flag signaling if login will be processed using SSL.
static java.lang.String SERVLET_PATH_REQUEST_PARAM
          Full URL by which this servlet was invoked, so that the GUI can use it for callbacks.
static java.lang.String SESSION_VALIDATOR_CLASS
          Configuration setting specifying name of the class implementing SessionValidator interface to verify validity of a session each time a request is submitted to the server.
static java.lang.String WEBSESSION_DISPATCHER_CACHED
          Configuration setting specifying if the web tier should cache the request dispatchers used to dispatch client requests to various web resources.
static boolean WEBSESSION_DISPATCHER_CACHED_DEFAULT
          Default value for WEBSESSION_DISPATCHER_CACHED.
static boolean WEBSESSION_HADSHAKE_REQUIRED_DEFAULT
          Default value for WEBSESSION_HANDSHAKE_REQUIRED.
static java.lang.String WEBSESSION_HANDSHAKE_REQUIRED
          Configuration setting specifying if the server must ensure that the client accepted the server session before it allows further communication.
static java.lang.String WEBSESSION_HANDSHAKE_URL
          Configuration setting specifying the URL of handshake page to which user will be redirected if handshake is required and session wasn't confirmed at the time when the request is submitted to the server.
static java.lang.String WEBSESSION_LOGIN_REQUIRED
          Configuration setting specifying if user has to be logged in in order to process his or her request sent to the server.
static boolean WEBSESSION_LOGIN_REQUIRED_DEFAULT
          Default value for WEBSESSION_LOGIN_REQUIRED.
static java.lang.String WEBSESSION_LOGIN_URL
          Configuration setting specifying the URL of login page to which user will be redirected if login is required and user is not logged in at the time when request is submitted to the server.
 
Constructor Summary
WebSessionServlet()
           
 
Method Summary
 void destroy()
          
protected  java.lang.String getLoginRedirect(javax.servlet.http.HttpSession hsSession, javax.servlet.http.HttpServletRequest hsrqRequest)
          Get the URL to which user should be redirected after he is successfully logged into the system.
 java.lang.String getServletInfo()
          
protected  void handleNewSession(javax.servlet.http.HttpSession hsSession, javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse)
          This function handles the scenario in which the HTTP session generated for the client is still new and the client doesn't know about it yet.
 void init(javax.servlet.ServletConfig scConfig)
          
protected  boolean isApplicationSecure()
          Return true if the application is running as secure (SSL).
protected  boolean isDispatcherCachingEnabled()
          Check if caching of request dispatchers is enabled.
protected  boolean isLoginSecure()
          Return true if login is running as secure (SSL).
protected  void preservice(javax.servlet.http.HttpSession hsSession, javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse, boolean bLoginVerified)
          This method lets derived servlets execute common logic which needs to run for each request.
protected  void redirect(java.lang.String strUrl, javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse)
          Redirect client to another page propagating the internal session ID if any.
protected  void redirectToHandshake(javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse)
          Redirect client to the handshake.
protected  void redirectToLogin(javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse)
          Redirect client to the login page.
protected  void resetLoginRedirect(javax.servlet.http.HttpSession hsSession)
          Reset the URL to which the user should be redirected after successfully logging in to the system to an uninitialized value.
protected  boolean saveLoginRedirect(javax.servlet.http.HttpSession hsSession, java.lang.String strFullRedirectURL)
          Save the URL to which user should be redirected after he is successfully logged in to the system.
protected  void service(javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse)
          Main service routine for the Servlet.
protected  boolean shouldRequestBeSecure()
          Return a flag indicating whether the request should be secure.
protected  java.security.Principal verifyLogin(javax.servlet.http.HttpSession hsSession, javax.servlet.http.HttpServletRequest hsrqRequest, javax.servlet.http.HttpServletResponse hsrpResponse)
          Verify if the user has already logged into this session.
 
Methods inherited from class javax.servlet.http.HttpServlet
doDelete, doGet, doHead, doOptions, doPost, doPut, doTrace, getLastModified, service
 
Methods inherited from class javax.servlet.GenericServlet
getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletName, init, log, log
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

WEBSESSION_DISPATCHER_CACHED

public static final java.lang.String WEBSESSION_DISPATCHER_CACHED
Configuration setting specifying if the web tier should cache the request dispatchers used to dispatch client requests to various web resources. Caching of the request dispatchers can improve performance, but not all web containers allow it. Jetty allows this, some versions of Weblogic don't.

See Also:
WEBSESSION_DISPATCHER_CACHED_DEFAULT, Constant Field Values

WEBSESSION_HANDSHAKE_REQUIRED

public static final java.lang.String WEBSESSION_HANDSHAKE_REQUIRED
Configuration setting specifying if the server must ensure that the client accepted the server session before it allows further communication. This improves the login process if one is needed since at the time of login the server already knows that the client supports and accepted its session tracking.

See Also:
WEBSESSION_HADSHAKE_REQUIRED_DEFAULT, Constant Field Values

WEBSESSION_HANDSHAKE_URL

public static final java.lang.String WEBSESSION_HANDSHAKE_URL
Configuration setting specifying the URL of handshake page to which user will be redirected if handshake is required and session wasn't confirmed at the time when the request is submitted to the server.

See Also:
Constant Field Values

WEBSESSION_LOGIN_REQUIRED

public static final java.lang.String WEBSESSION_LOGIN_REQUIRED
Configuration setting specifying if user has to be logged in in order to process his or her request sent to the server.

See Also:
WEBSESSION_LOGIN_REQUIRED_DEFAULT, Constant Field Values

WEBSESSION_LOGIN_URL

public static final java.lang.String WEBSESSION_LOGIN_URL
Configuration setting specifying the URL of login page to which user will be redirected if login is required and user is not logged in at the time when request is submitted to the server.

See Also:
Constant Field Values

SESSION_VALIDATOR_CLASS

public static final java.lang.String SESSION_VALIDATOR_CLASS
Configuration setting specifying name of the class implementing SessionValidator interface to verify validity of a session each time a request is submitted to the server.

See Also:
Constant Field Values

LOGIN_SECURE

public static final java.lang.String LOGIN_SECURE
Configuration setting specifying if the login page should be displayed in a secure mode using SSL protocol.

See Also:
s_bLoginSecure, DEFAULT_LOGIN_SECURE, Constant Field Values

APPLICATION_SECURE

public static final java.lang.String APPLICATION_SECURE
Configuration setting specifying if all pages of the application should be displayed in a secure mode using SSL protocol.

See Also:
s_bApplicationSecure, DEFAULT_APPLICATION_SECURE, Constant Field Values

WEBSESSION_DISPATCHER_CACHED_DEFAULT

public static final boolean WEBSESSION_DISPATCHER_CACHED_DEFAULT
Default value for WEBSESSION_DISPATCHER_CACHED. By default the dispatchers are not cached, since that works on any servlet engine.

See Also:
WEBSESSION_DISPATCHER_CACHED, Constant Field Values

WEBSESSION_HADSHAKE_REQUIRED_DEFAULT

public static final boolean WEBSESSION_HADSHAKE_REQUIRED_DEFAULT
Default value for WEBSESSION_HANDSHAKE_REQUIRED.

See Also:
WEBSESSION_HANDSHAKE_REQUIRED, Constant Field Values

WEBSESSION_LOGIN_REQUIRED_DEFAULT

public static final boolean WEBSESSION_LOGIN_REQUIRED_DEFAULT
Default value for WEBSESSION_LOGIN_REQUIRED.

See Also:
WEBSESSION_LOGIN_REQUIRED, Constant Field Values

LOGIN_FORWARD_SESSION_PARAM

public static final java.lang.String LOGIN_FORWARD_SESSION_PARAM
Name of the HTTP session object storing path where to continue after login.

See Also:
Constant Field Values

SERVLET_PATH_REQUEST_PARAM

public static final java.lang.String SERVLET_PATH_REQUEST_PARAM
Full URL by which this servlet was invoked, so that the GUI can use it for callbacks.

See Also:
Constant Field Values

ATTACH_INTERNAL_SESSION_ID_URL_PARAM

public static final java.lang.String ATTACH_INTERNAL_SESSION_ID_URL_PARAM
Parameter which must be specified in the URL if the user should be attached to this server after being logged in at some other server.

See Also:
Constant Field Values

DEFAULT_LOGIN_SECURE

public static final boolean DEFAULT_LOGIN_SECURE
Default value for LOGIN_SECURE.

See Also:
s_bLoginSecure, LOGIN_SECURE, Constant Field Values

DEFAULT_APPLICATION_SECURE

public static final boolean DEFAULT_APPLICATION_SECURE
Default value for APPLICATION_SECURE.

See Also:
s_bApplicationSecure, APPLICATION_SECURE, Constant Field Values

m_strHandshakeURL

protected java.lang.String m_strHandshakeURL
URL of the handshake page in case a handshake is required.


m_scServletContext

protected javax.servlet.ServletContext m_scServletContext
Servlets context.


m_sessionValidator

protected SessionValidator m_sessionValidator
If not null, then this instance will be used to validate session for each request.


s_bLoginSecure

protected static boolean s_bLoginSecure
Flag signaling if login will be processed using SSL.

See Also:
LOGIN_SECURE, DEFAULT_LOGIN_SECURE

s_bApplicationSecure

protected static boolean s_bApplicationSecure
Flag signaling if whole application will be using SSL.

See Also:
APPLICATION_SECURE, DEFAULT_APPLICATION_SECURE

Constructor Detail

WebSessionServlet

public WebSessionServlet()

Method Detail

init

public void init(javax.servlet.ServletConfig scConfig)
          throws javax.servlet.ServletException

Specified by:
init in interface javax.servlet.Servlet
Overrides:
init in class javax.servlet.GenericServlet
Throws:
javax.servlet.ServletException

destroy

public void destroy()

Specified by:
destroy in interface javax.servlet.Servlet
Overrides:
destroy in class javax.servlet.GenericServlet

service

protected final void service(javax.servlet.http.HttpServletRequest hsrqRequest,
                             javax.servlet.http.HttpServletResponse hsrpResponse)
                      throws javax.servlet.ServletException,
                             java.io.IOException
Main service routine for the servlet. Subclasses can't override this method; this makes sure that the if-modified logic is handled correctly when they override the getLastModified method. Only the doXXX methods should be overridden. This servlet also makes sure (if configured that way) that nobody who is not logged in can proceed.

Overrides:
service in class javax.servlet.http.HttpServlet
Parameters:
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
Throws:
javax.servlet.ServletException - an error has occurred while serving the request
java.io.IOException - an error has occurred while writing the response

getServletInfo

public java.lang.String getServletInfo()

Specified by:
getServletInfo in interface javax.servlet.Servlet
Overrides:
getServletInfo in class javax.servlet.GenericServlet

isDispatcherCachingEnabled

protected boolean isDispatcherCachingEnabled()
Check if caching of request dispatchers is enabled. Jetty allows that, Weblogic doesn't.

Returns:
boolean

handleNewSession

protected void handleNewSession(javax.servlet.http.HttpSession hsSession,
                                javax.servlet.http.HttpServletRequest hsrqRequest,
                                javax.servlet.http.HttpServletResponse hsrpResponse)
                         throws javax.servlet.ServletException,
                                java.io.IOException
This function handles the scenario in which the HTTP session generated for the client is still new and the client doesn't know about it yet. By default it just redirects to the handshake page. This method is called only when a session handshake is required, which is usually specified by a configuration property.

Parameters:
hsSession - HTTP session object
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
Throws:
javax.servlet.ServletException - a problem has occurred while processing the request
java.io.IOException - a problem has occurred while processing the request
See Also:
WEBSESSION_HANDSHAKE_REQUIRED
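The handshake described above (the session is new, the client has not yet proven that it returns the session identifier) needs a page on the other end. The following is an added example, not code from the OpenSubsystems project: a hypothetical HandshakeServlet that overrides handleNewSession() to render the explanation instead of redirecting to itself, and lets doGet() send the user on once the base class has seen an established session. The class name, the package, DEFAULT_CONTINUE, the escapeHtml() helper and the assumption that the base class saved the originally requested URL with saveLoginRedirect() are all assumptions made for this example.

```java
package org.opensubsystems.core.www.example; // hypothetical package for this example

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.opensubsystems.core.www.WebSessionServlet;

/**
 * Hypothetical handshake page written as a WebSessionServlet subclass.
 * The base class invokes handleNewSession() while the session is still new,
 * that is, before the client has ever sent the session identifier back. The
 * default implementation would redirect to the handshake page, which for the
 * handshake page itself would loop, so this override renders the explanation
 * instead. Once the client returns the identifier the session is no longer
 * new, the base class lets the request through, and doGet() sends the user on.
 */
public class HandshakeServlet extends WebSessionServlet
{
   /** Continuation used when nothing was saved for this session (assumed path). */
   private static final String DEFAULT_CONTINUE = "/";

   protected void handleNewSession(
      HttpSession         hsSession,
      HttpServletRequest  hsrqRequest,
      HttpServletResponse hsrpResponse
   ) throws ServletException, IOException
   {
      // This response carries the session identifier (cookie, or rewritten into
      // the link below); following the link proves that the client kept it.
      String strSelf = hsrpResponse.encodeURL(
         hsrqRequest.getContextPath() + hsrqRequest.getServletPath());

      hsrpResponse.setContentType("text/html; charset=UTF-8");
      hsrpResponse.setHeader("Cache-Control", "no-store");
      PrintWriter out = hsrpResponse.getWriter();
      out.println("<html><body>");
      out.println("<p>This application needs to track your session. "
                  + "Please allow cookies for this site, then continue.</p>");
      out.println("<p><a href=\"" + escapeHtml(strSelf) + "\">Continue</a></p>");
      out.println("</body></html>");
   }

   protected void doGet(
      HttpServletRequest  hsrqRequest,
      HttpServletResponse hsrpResponse
   ) throws ServletException, IOException
   {
      // Reaching doGet() means the base class saw an established session: the
      // client has proven it returns the identifier. Continue where the user
      // wanted to go. This example assumes the original URL was saved with
      // saveLoginRedirect(); it is read but deliberately not reset here, so a
      // login page that may follow can still consume it.
      HttpSession hsSession = hsrqRequest.getSession(false);
      String strTarget = (hsSession == null) ? null : getLoginRedirect(hsSession, hsrqRequest);
      String strPrefix = hsrqRequest.getContextPath() + "/";

      // Only continue with a path inside this web application; anything else
      // (nothing saved, an absolute URL, a "//host" network-path reference)
      // goes to the default page instead of being followed blindly.
      if (strTarget == null || !strTarget.startsWith(strPrefix)
          || strTarget.startsWith(strPrefix + "/"))
      {
         strTarget = hsrqRequest.getContextPath() + DEFAULT_CONTINUE;
      }
      hsrpResponse.sendRedirect(hsrpResponse.encodeRedirectURL(strTarget));
   }

   /** Minimal HTML escaping for the link target written into the page. */
   private static String escapeHtml(String str)
   {
      StringBuffer sb = new StringBuffer(str.length());
      for (int i = 0; i < str.length(); i++)
      {
         char c = str.charAt(i);
         switch (c)
         {
            case '&':  sb.append("&amp;");  break;
            case '<':  sb.append("&lt;");   break;
            case '>':  sb.append("&gt;");   break;
            case '"':  sb.append("&quot;"); break;
            default:   sb.append(c);
         }
      }
      return sb.toString();
   }
}
```

The servlet is mapped at the URL configured under WEBSESSION_HANDSHAKE_URL; the check on the continuation path is the defensive part, since a saved redirect is data that came in with a request and should not be followed off the application.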

verifyLogin

protected java.security.Principal verifyLogin(javax.servlet.http.HttpSession hsSession,
                                              javax.servlet.http.HttpServletRequest hsrqRequest,
                                              javax.servlet.http.HttpServletResponse hsrpResponse)
                                       throws javax.servlet.ServletException,
                                              java.io.IOException
Verify if the user has already logged into this session.

Parameters:
hsSession - HTTP session object
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
Returns:
Principal - object representing the user's credentials, or null if the user is not logged in yet
Throws:
javax.servlet.ServletException - a problem has occurred while processing the request
java.io.IOException - a problem has occurred while processing the request

getLoginRedirect

protected java.lang.String getLoginRedirect(javax.servlet.http.HttpSession hsSession,
                                            javax.servlet.http.HttpServletRequest hsrqRequest)
Get the URL to which the user should be redirected after successfully logging into the system.

Parameters:
hsSession - HTTP session object
hsrqRequest - the servlet request
Returns:
String - URL to redirect the user to after login, null if none exists

saveLoginRedirect

protected boolean saveLoginRedirect(javax.servlet.http.HttpSession hsSession,
                                    java.lang.String strFullRedirectURL)
Save the URL to which the user should be redirected after successfully logging in to the system. If a redirection URL already exists and the user has not been redirected there yet, this request is ignored.

Parameters:
hsSession - HTTP session object
strFullRedirectURL - URL to redirect the user to after login
Returns:
boolean - true if the URL was set, false if it was ignored

resetLoginRedirect

protected void resetLoginRedirect(javax.servlet.http.HttpSession hsSession)
Reset the URL to which the user should be redirected after successfully logging in to the system to an uninitialized value.

Parameters:
hsSession - HTTP session object
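The three methods above (getLoginRedirect, saveLoginRedirect, resetLoginRedirect) are consumed by whatever page completes the login. The following is an added example, not code from the OpenSubsystems project: a hypothetical abstract ExampleLoginServlet that reads the saved URL, clears it, refuses to follow it unless it stays on this server, and also overrides shouldRequestBeSecure() the way the page says LoginServlet does. The package, class and DEFAULT_LANDING names, the abstract authenticate() hook (the page does not describe how credentials are checked or how a login is recorded for verifyLogin()), the use of the container's sendRedirect() instead of the base class's redirect(), and the assumption that the login servlet's own requests are not themselves subject to the login check are all assumptions made for this example.

```java
package org.opensubsystems.core.www.example; // hypothetical package for this example

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.opensubsystems.core.www.WebSessionServlet;

/**
 * Hypothetical login servlet showing how the post-login redirect saved by the
 * base class is consumed. Checking credentials and recording the login in the
 * session (in the form verifyLogin() later expects) is left to the subclass.
 */
public abstract class ExampleLoginServlet extends WebSessionServlet
{
   /** Landing page used when no usable redirect was saved (assumed path). */
   private static final String DEFAULT_LANDING = "/";

   /** Check the submitted credentials and record a successful login in the session. */
   protected abstract boolean authenticate(
      HttpSession        hsSession,
      HttpServletRequest hsrqRequest
   ) throws ServletException;

   /** The login page follows the login flag rather than the application flag. */
   protected boolean shouldRequestBeSecure()
   {
      return isLoginSecure();
   }

   protected void doPost(
      HttpServletRequest  hsrqRequest,
      HttpServletResponse hsrpResponse
   ) throws ServletException, IOException
   {
      HttpSession hsSession = hsrqRequest.getSession(true);

      if (!authenticate(hsSession, hsrqRequest))
      {
         // Failed attempt: show the login page again. The saved redirect stays
         // in place so the next successful attempt can still use it.
         redirectToLogin(hsrqRequest, hsrpResponse);
         return;
      }

      // Consume the URL saved when the base class sent the user to log in, and
      // clear it so a later login in the same session cannot replay it.
      String strTarget = getLoginRedirect(hsSession, hsrqRequest);
      resetLoginRedirect(hsSession);

      if (!isLocalRedirect(strTarget, hsrqRequest))
      {
         // Nothing saved, or a URL pointing off this server: never follow it.
         strTarget = hsrqRequest.getContextPath() + DEFAULT_LANDING;
      }

      // The base class's redirect() completes a partial URL itself; the saved
      // value is already a full URL, so the container API is used here. This
      // must be the last thing done for this request.
      hsrpResponse.sendRedirect(hsrpResponse.encodeRedirectURL(strTarget));
   }

   /**
    * Accept the saved URL only if it stays on this server: either a plain path
    * rooted at "/" or an absolute http(s) URL whose host and port match the
    * current request. Network-path references ("//evil.example/") and other
    * schemes ("javascript:") are rejected.
    */
   static boolean isLocalRedirect(String strUrl, HttpServletRequest hsrqRequest)
   {
      if (strUrl == null || strUrl.length() == 0)
      {
         return false;
      }
      URI uri;
      try
      {
         uri = new URI(strUrl);
      }
      catch (URISyntaxException eSyntax)
      {
         return false; // includes backslash and other malformed tricks
      }
      if (uri.getScheme() == null)
      {
         String strPath = uri.getRawPath();
         return uri.getRawAuthority() == null && strPath != null && strPath.startsWith("/");
      }
      String strScheme = uri.getScheme().toLowerCase();
      if (!strScheme.equals("http") && !strScheme.equals("https"))
      {
         return false;
      }
      int iPort = uri.getPort();
      if (iPort == -1)
      {
         iPort = strScheme.equals("https") ? 443 : 80;
      }
      return uri.getHost() != null
             && uri.getHost().equalsIgnoreCase(hsrqRequest.getServerName())
             && iPort == hsrqRequest.getServerPort();
   }
}
```

resetLoginRedirect() is called before the check rather than after it, so that an unusable saved value is discarded instead of lingering in the session for a later login.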

redirectToLogin

protected void redirectToLogin(javax.servlet.http.HttpServletRequest hsrqRequest,
                               javax.servlet.http.HttpServletResponse hsrpResponse)
                        throws javax.servlet.ServletException,
                               java.io.IOException
Redirect client to the login page. This function call has to be the last thing done in response to client's request.

Parameters:
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
Throws:
javax.servlet.ServletException - problems redirecting to login
java.io.IOException - problems redirecting to login

redirectToHandshake

protected void redirectToHandshake(javax.servlet.http.HttpServletRequest hsrqRequest,
                                   javax.servlet.http.HttpServletResponse hsrpResponse)
                            throws javax.servlet.ServletException,
                                   java.io.IOException
Redirect client to the handshake. This function call has to be the last thing done in response to client's request.

Parameters:
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
Throws:
javax.servlet.ServletException - problems redirecting to the handshake page
java.io.IOException - problems redirecting to the handshake page

redirect

protected void redirect(java.lang.String strUrl,
                        javax.servlet.http.HttpServletRequest hsrqRequest,
                        javax.servlet.http.HttpServletResponse hsrpResponse)
                 throws javax.servlet.ServletException,
                        java.io.IOException
Redirect client to another page propagating the internal session ID if any. This function call has to be the last thing done in response to client's request.

Parameters:
strUrl - part of the URL used for constructing the final URL
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
Throws:
javax.servlet.ServletException - problems redirecting the client
java.io.IOException - problems redirecting the client

preservice

protected void preservice(javax.servlet.http.HttpSession hsSession,
                          javax.servlet.http.HttpServletRequest hsrqRequest,
                          javax.servlet.http.HttpServletResponse hsrpResponse,
                          boolean bLoginVerified)
                   throws javax.servlet.ServletException,
                          java.io.IOException
This method gives derived servlets a chance to execute common logic which needs to run for each request. It is executed right before the service itself, once the handshake was established (if required), the login was verified (if required) and the identity of the user, if one is logged in, was established. It can also be called if login is required and we are redirecting to the login page.

Parameters:
hsSession - HTTP session object
hsrqRequest - the servlet request.
hsrpResponse - the servlet response.
bLoginVerified - true if login was verified or is not required, false if we are redirecting to the login page
Throws:
javax.servlet.ServletException - problems redirecting to login
java.io.IOException - problems redirecting to login
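The class description at the top of this page (derive every servlet from WebSessionServlet so the security policy lives in one place) and the preservice() hook just described come together in a derived servlet. The following is an added example, not code from the OpenSubsystems project: a hypothetical ReportServlet that leaves the final service() alone, adds per-request hardening in preservice(), logs the case where bLoginVerified is false, and produces its output in doGet(). The package, the class name, LOGIN_VERIFIED_ATTR and the chosen response headers are assumptions made for this example.

```java
package org.opensubsystems.core.www.example; // hypothetical package for this example

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.opensubsystems.core.www.WebSessionServlet;

/**
 * Hypothetical application servlet derived from WebSessionServlet. Because
 * service() is final in the base class, the handshake and login checks always
 * run before doGet() is reached; this class only adds per-request logic in
 * preservice() and produces the response in doGet().
 */
public class ReportServlet extends WebSessionServlet
{
   /** Request attribute carrying the login state to the view (assumed name). */
   public static final String LOGIN_VERIFIED_ATTR = "example.loginVerified";

   /**
    * Runs for every request once the handshake was established and the login
    * verified (when required), and also on the way to the login page, in which
    * case bLoginVerified is false.
    */
   protected void preservice(
      HttpSession         hsSession,
      HttpServletRequest  hsrqRequest,
      HttpServletResponse hsrpResponse,
      boolean             bLoginVerified
   ) throws ServletException, IOException
   {
      super.preservice(hsSession, hsrqRequest, hsrpResponse, bLoginVerified);

      // Hardening headers on every response, including the redirect to login.
      hsrpResponse.setHeader("Cache-Control", "no-store");
      hsrpResponse.setHeader("X-Content-Type-Options", "nosniff");
      hsrpResponse.setHeader("X-Frame-Options", "DENY");

      // Tell the view whether the request is authenticated without handing it the session.
      hsrqRequest.setAttribute(LOGIN_VERIFIED_ATTR, Boolean.valueOf(bLoginVerified));

      if (!bLoginVerified)
      {
         // The base class is about to redirect to the login page; leave a trace
         // in the container log so unauthenticated access attempts are visible.
         log("Unauthenticated request for " + hsrqRequest.getRequestURI()
             + " from " + hsrqRequest.getRemoteAddr() + ", redirecting to login");
      }
   }

   /**
    * Only the doXXX methods are overridden. When this runs, the base class has
    * already enforced the configured handshake and login policy.
    */
   protected void doGet(
      HttpServletRequest  hsrqRequest,
      HttpServletResponse hsrpResponse
   ) throws ServletException, IOException
   {
      hsrpResponse.setContentType("text/plain; charset=UTF-8");
      PrintWriter out = hsrpResponse.getWriter();
      out.println("Report for the authenticated session is ready.");
   }

   public String getServletInfo()
   {
      return "Example report servlet built on WebSessionServlet";
   }
}
```

Calling super.preservice() first keeps whatever common logic the base class performs; the override only adds to it, which is the pattern the class description argues for.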

shouldRequestBeSecure

protected boolean shouldRequestBeSecure()
Return a flag indicating whether the request should be secure. This method returns the application secure flag. It should be overridden within LoginServlet to return the flag for the login page.

Returns:
boolean - true if the request should be secure, false if it should not

isApplicationSecure

protected boolean isApplicationSecure()
Return true if the application is running as secure (SSL).

Returns:
boolean - true if the application is secure (using HTTPS), false if it is not (using HTTP)

isLoginSecure

protected boolean isLoginSecure()
Return true if login is running as secure (SSL).

Returns:
boolean - true if login is secure (using HTTPS), false if it is not (using HTTP)


Copyright © 2003 - 2006 OpenSubsystems s.r.o.