com.iplanet.dpro.session.service

Class InternalSession

java.lang.Object

com.iplanet.dpro.session.service.InternalSession

All Implemented Interfaces:

Serializable, AMSession, SessionPersistenceObservable

public class InternalSession
extends Object
implements Serializable, AMSession, SessionPersistenceObservable

The InternalSession class represents a Webtop internal session.

A session has four states: invalid, valid, inactive, and destroyed. The initial state of a session is invalid.

See Also:

SessionState, Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
Properties	sessionProperties

Constructor Summary

Constructors

Constructor and Description
InternalSession() Default constructor required for deserialisation, and should not be used elsewhere.
InternalSession(SessionID sid) Creates a new InternalSession with the given Session ID.

Method Summary

Modifier and Type	Method and Description
boolean	activate(String userDN) Changes the state of the session to ACTIVE after creation.
SessionID	addRestrictedToken(SessionID newRestrictedTokenId, TokenRestriction restriction) Add new restricted token pointing at the same session to the list.
void	addSessionEventURL(String url, SessionID sid) Adds a listener for the associated session ID.
void	cacheCookieString(String cookieString) Cache the cookie string.
void	clearAuthContext() Clears the authentication context from this session.
AuthContextLocal	getAuthContext() Get the authentication context associated with this session.
String	getCachedCookieString() Returns the cached cookie string for this InternalSession.
String	getClientDomain() Returns the Domain of the Client
String	getClientID() Returns Client ID, accessing this Internal Session.
boolean	getCookieSupport() Returns true if cookies are supported.
long	getExpirationTime(TimeUnit timeUnit) Computes session object expiration time as the smallest of the remaining idle time (or purge delay if the session has already timed out) or the session lifetime limit.
SessionID	getID() Returns the SessionID of this Internal Session.
long	getIdleTime() Returns the time(in seconds) for which the Internal Session has not been accessed.
boolean	getIsSessionUpgrade() Gets the status of the Session if is an upgrade state
long	getMaxCachingTime() Returns the maximum caching time(in minutes) allowed for the Internal Session.
long	getMaxIdleExpirationTime(TimeUnit timeUnit) Returns time at which session's idle time expires.
long	getMaxIdleTime() Returns the maximum idle time(in minutes) for the Internal Session.
long	getMaxSessionExpirationTime(TimeUnit timeUnit) Returns time at which session's lifetime expires.
long	getMaxSessionTime() Returns maximum time allowed for the Internal Session.
Object	getObject(String key) Returns the value of the specified key from the internal object map.
String	getProperty(String key) Returns the value of the specified key from the Internal Session property table.
Enumeration	getPropertyNames() Returns the Enumeration of property names of the Internal Session property table.
SessionID	getRestrictedTokenForRestriction(TokenRestriction restriction) Returns the SessionID of the restricted token for the provided restriction for this session.
Set<SessionID>	getRestrictedTokens() Returns the set (possibly empty) of restricted session IDs associated with this session.
TokenRestriction	getRestrictionForToken(SessionID sid) Returns the TokenRestriction for the given SessionID.
Map<String,Set<SessionID>>	getSessionEventURLs() Returns the URL of the Session events and the associated master and restricted token ids.
String	getSessionHandle() Returns the session handle.
SessionID	getSessionID() Return the SessionID object which represents this InternalSession.
SessionState	getState() Returns the state of the Internal Session
long	getTimeLeft() Returns the total time left(in seconds) for the Internal Session.
SessionType	getType() Returns the type of Internal Session.
String	getUUID() Gets the User Universal ID
boolean	hasAuthenticationContext() Gets whether this session has an associated authenticationContext.
boolean	isAppSession() Determine whether it is an application session.
boolean	isInvalid()
static boolean	isProtectedProperty(String key) Helper method to check if a property is protected or not.
boolean	isStored() Returns whether the InternalSession represented has been stored.
boolean	isTimedOut() Returns true if the session has timed out due to idle/max timeout period.
boolean	isUserSession() Determine whether it is a user session.
void	notifyPersistenceManager()
void	putExternalProperty(SSOToken clientToken, String key, String value) Sets the key-value pair in the InternalSession property table if it is not protected.
void	putProperty(String key, String value) Sets the key-value pair in the Internal Session property table.
void	removeObject(String key) Removes the mapping for this key from the internal object map if present.
void	setAuthContext(AuthContextLocal authContext) Sets the authentication context.
void	setClientDomain(String domain) Sets the Clieant's Domain.
void	setClientID(String id) Sets Client ID for this Internal Session.
void	setCookieMode(Boolean cookieMode) set the cookieMode based on whether the request has cookies or not.
void	setCreationTime() Sets the creation time of the Internal Session, as the number of seconds since midnight January 1, 1970 GMT.
void	setDebug(Debug debug) The debug instance is not restored during deserialisation.
void	setIsSessionUpgrade(boolean value) Sets the status of the isSessionUpgrade flag to which determines if the Session is in the upgrade state or not.
void	setLatestAccessTime() Sets the last time the client sent a request associated with this session, as the number of seconds since midnight January 1, 1970 GMT.
void	setMaxCachingTime(long t) Sets the maximum caching time(in minutes) for the Internal Session.
void	setMaxIdleTime(long maxIdleTimeInMinutes) Sets the maximum idle time (in minutes) for the Internal Session.
void	setMaxSessionTime(long maxSessionTimeInMinutes) Sets the maximum time (in minutes) allowed for the Internal Session
void	setNonExpiring() Sets the willExpireFlag.
void	setObject(String key, Object value) Sets the key-value pair in the internal object map.
void	setPersistenceManager(SessionPersistenceManager manager) Set the manager which handles persistence of this observable.
void	setSessionHandle(String sessionHandle) Used during session deserialization.
void	setSessionServiceDependencies(SessionService service, SessionServiceConfig serviceConfig, InternalSessionEventBroker internalSessionEventBroker, SessionUtilsWrapper sessionUtilsWrapper, SessionConstraint sessionConstraint, Debug debug) The SessionService is not restored during deserialisation.
void	setState(SessionState sessionState) Sets the SessionState of the Internal Session.
void	setTimedOutTime(long timeoutTime) Sets session timeout time (in millis).
void	setType(SessionType type) Set the type of Internal Session.
SessionInfo	toSessionInfo()
SessionInfo	toSessionInfo(boolean withIds) Transfers the info about the Internal Session to Session Info.
String	toString()
boolean	willExpire() Returns the value of willExpireFlag.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

sessionProperties

public Properties sessionProperties

Constructor Detail

InternalSession

public InternalSession(SessionID sid)

Creates a new InternalSession with the given Session ID. Note: This InternalSession will be in an invalid state.

Parameters:

sid - SessionID Non null Session ID.

InternalSession

public InternalSession()

Default constructor required for deserialisation, and should not be used elsewhere. When deserialised the code responsible for instantiating it will have no means of resolving dependencies. Instead this is deferred to setSessionServiceDependencies(SessionService, SessionServiceConfig, InternalSessionEventBroker, SessionUtilsWrapper, SessionConstraint, Debug)

Method Detail

toString

public String toString()

Overrides:

toString in class Object

setDebug

public void setDebug(Debug debug)

The debug instance is not restored during deserialisation.

Parameters:

debug - Non null debug instance.

setSessionServiceDependencies

public void setSessionServiceDependencies(SessionService service,
                                          SessionServiceConfig serviceConfig,
                                          InternalSessionEventBroker internalSessionEventBroker,
                                          SessionUtilsWrapper sessionUtilsWrapper,
                                          SessionConstraint sessionConstraint,
                                          Debug debug)

The SessionService is not restored during deserialisation.

Parameters:

service - Non null SessionService.

getID

public SessionID getID()

Returns the SessionID of this Internal Session.

Specified by:

getID in interface AMSession

Returns:

SessionID for the internal session object

getType

public SessionType getType()

Returns the type of Internal Session.

Returns:

USER or APPLICATION.

setType

public void setType(SessionType type)

Set the type of Internal Session. User OR Application.

Parameters:

type - USER or APPLICATION.

getClientID

public String getClientID()

Returns Client ID, accessing this Internal Session.

Returns:

Client ID.

setClientID

public void setClientID(String id)

Sets Client ID for this Internal Session.

Parameters:

id -

getClientDomain

public String getClientDomain()

Returns the Domain of the Client

Returns:

Client Domain

setClientDomain

public void setClientDomain(String domain)

Sets the Clieant's Domain.

Parameters:

domain - Client Domain

getMaxSessionTime

public long getMaxSessionTime()

Returns maximum time allowed for the Internal Session.

Returns:

the number of maximum minutes for the session

setMaxSessionTime

public void setMaxSessionTime(long maxSessionTimeInMinutes)

Sets the maximum time (in minutes) allowed for the Internal Session

Parameters:

maxSessionTimeInMinutes - Maximum Session Time

getMaxIdleTime

public long getMaxIdleTime()

Returns the maximum idle time(in minutes) for the Internal Session.

Returns:

the number maximum idle minutes

setMaxIdleTime

public void setMaxIdleTime(long maxIdleTimeInMinutes)

Sets the maximum idle time (in minutes) for the Internal Session.

Parameters:

maxIdleTimeInMinutes -

getMaxCachingTime

public long getMaxCachingTime()

Returns the maximum caching time(in minutes) allowed for the Internal Session.

Returns:

Maximum Cache Time

setMaxCachingTime

public void setMaxCachingTime(long t)

Sets the maximum caching time(in minutes) for the Internal Session.

Parameters:

t - Maximum Caching Time

getIdleTime

public long getIdleTime()

Returns the time(in seconds) for which the Internal Session has not been accessed.

Returns:

session idle time

getTimeLeft

public long getTimeLeft()

Returns the total time left(in seconds) for the Internal Session. Returns 0 if the time left is negative.

Returns:

Time left for the internal session to be invalid

isTimedOut

public boolean isTimedOut()

Returns true if the session has timed out due to idle/max timeout period.

Returns:

true if the Internal session has timedout , false otherwise

cacheCookieString

public void cacheCookieString(String cookieString)

Cache the cookie string. No guarantees are made as to its continued persistence.

Parameters:

cookieString - The cookie string to persist.

getCachedCookieString

public String getCachedCookieString()

Returns the cached cookie string for this InternalSession. May be null.

Returns:

The cached cookie string. May be null.

getSessionID

public SessionID getSessionID()

Return the SessionID object which represents this InternalSession.

Returns:

The session ID.

getState

public SessionState getState()

Returns the state of the Internal Session

Returns:

the session state can be VALID, INVALID, INACTIVE or DESTROYED

getAuthContext

public AuthContextLocal getAuthContext()

Get the authentication context associated with this session.

Returns:

the AuthContextLocal associated with this session

hasAuthenticationContext

public boolean hasAuthenticationContext()

Gets whether this session has an associated authenticationContext.

Returns:

true if this session has an authentication context.

setAuthContext

public void setAuthContext(AuthContextLocal authContext)

Sets the authentication context.

Parameters:

authContext - the authentication context

clearAuthContext

public void clearAuthContext()

Clears the authentication context from this session.

getProperty

public String getProperty(String key)

Returns the value of the specified key from the Internal Session property table.

Parameters:

key - Property key

Returns:

string value for the key from Internal Session table.

getPropertyNames

public Enumeration getPropertyNames()

Returns the Enumeration of property names of the Internal Session property table.

Returns:

list of properties in the Internal session table.

isProtectedProperty

public static boolean isProtectedProperty(String key)

Helper method to check if a property is protected or not. We introduce a mechanism to protect certain "core" or "internal" properties from updates via remote SetProperty method of the SessionService. Allowing remote self-updates to session properties leads to a security vulnerability which allows unconstrained user impersonation or privilege elevation. See bug # 4814922 for more information protectedProperties contains a set of property names which can not be remotely updated. It is initially populated using static initializer. We also implemented an extra safety mechanism intended to protect from accidental reopening of this security hole in the future if a property name changes or new property is introduced without corresponding update of the static hardcoded list of protected properties below. This mechanism automatically adds any property to protectedProperties if it is set via local invocation of putProperty. However, some properties (such as Locale and CharSet) must be settable both locally and remotely. In order to make it configurable we use a second table called remotelyUpdateableProperties. Note that protectedProperties takes precedence over remotelyUpdateableProperties: remotelyUpdateableProperties will be consulted only if a property is not on the protectedProperties list already. The following tables defines the behavior of putProperty() and putExternalProperty() depending on whether property name is present in protectedProperties or remotelyUpdateableProperty list protectedProperties remotelyUpdateableProperties putProperty() putExternalProperty() in n/a sets value logs, does nothing out in sets value sets value out out sets value and sets value adds to protectedProperty

Parameters:

key - property name.

Returns:

true if property is protected else false.

putExternalProperty

public void putExternalProperty(SSOToken clientToken,
                                String key,
                                String value)
                         throws SessionException

Sets the key-value pair in the InternalSession property table if it is not protected. If it is protected client should have permission to set it. This method is to be used in conjuction with SessionRequestHandler/SessionService invocation path If the property is protected, an attempt to remotely set a protected property is logged and the method throws an Exception. Otherwise invocation is delegated to internalPutProperty() Note that package default access is being used

Parameters:

clientToken - Token of the client setting external property.

key - Property key

value - Property value for the key

Throws:

SessionException - is thrown if the key is protected property.

putProperty

public void putProperty(String key,
                        String value)

Sets the key-value pair in the Internal Session property table. This method should only be invoked locally by code running in the same server VM. Remote invocations should use putExternalProperty(). This is a simple wrapper around internalPutProperty(), which in addition calls to registerProtectedProperty() to make sure that if a property key is not already on the list of protected properties, it will be automatically added there (unless it is also on remotelyUpdateableProperties list!)

Parameters:

key - Property key

value - Property value for the key

setIsSessionUpgrade

public void setIsSessionUpgrade(boolean value)

Sets the status of the isSessionUpgrade flag to which determines if the Session is in the upgrade state or not.

Parameters:

value - true if it is an upgrade false otherwise

getIsSessionUpgrade

public boolean getIsSessionUpgrade()

Gets the status of the Session if is an upgrade state

Returns:

true if the session is in upgrade state false otherwise

isStored

public boolean isStored()

Returns whether the InternalSession represented has been stored. If this is true, changes to this object will update the stored version. return true if the internal session is stored false otherwise

activate

public boolean activate(String userDN)

Changes the state of the session to ACTIVE after creation.

Parameters:

userDN -

Returns:

true if the session is successfully activated after creation , false otherwise

getUUID

public String getUUID()

Gets the User Universal ID

Returns:

UUID

setNonExpiring

public void setNonExpiring()

Sets the willExpireFlag. This flag specify that whether the session will ever expire or not.

setTimedOutTime

public void setTimedOutTime(long timeoutTime)

Sets session timeout time (in millis).

Parameters:

timeoutTime - The timeout time (in millis).

toSessionInfo

public SessionInfo toSessionInfo()

toSessionInfo

public SessionInfo toSessionInfo(boolean withIds)

Transfers the info about the Internal Session to Session Info.

Returns:

SessionInfo

setLatestAccessTime

public void setLatestAccessTime()

Sets the last time the client sent a request associated with this session, as the number of seconds since midnight January 1, 1970 GMT. Once updated the Session will be persisted.

setState

public void setState(SessionState sessionState)

Sets the SessionState of the Internal Session.

Parameters:

sessionState -

getSessionEventURLs

public Map<String,Set<SessionID>> getSessionEventURLs()

Returns the URL of the Session events and the associated master and restricted token ids.

Returns:

Map of session event URLs and their associated SessionIDs.

addSessionEventURL

public void addSessionEventURL(String url,
                               SessionID sid)

Adds a listener for the associated session ID.

Parameters:

url - The listening URL.

sid - The associated SessionID.

willExpire

public boolean willExpire()

Returns the value of willExpireFlag.

isAppSession

public boolean isAppSession()

Determine whether it is an application session.

Returns:

true if this is an application session, false otherwise.

isUserSession

public boolean isUserSession()

Determine whether it is a user session.

Returns:

true if this is a user session, false otherwise.

setCreationTime

public void setCreationTime()

Sets the creation time of the Internal Session, as the number of seconds since midnight January 1, 1970 GMT.

addRestrictedToken

public SessionID addRestrictedToken(SessionID newRestrictedTokenId,
                                    TokenRestriction restriction)

Add new restricted token pointing at the same session to the list.

Parameters:

newRestrictedTokenId - The session ID.

restriction - The token restriction.

Returns:

The restricted token id for this TokenRestriction.

getRestrictionForToken

public TokenRestriction getRestrictionForToken(SessionID sid)

Returns the TokenRestriction for the given SessionID.

Parameters:

sid - Possibly null SessionID.

Returns:

Null indicates there is no restriction on the Session.

getRestrictedTokenForRestriction

public SessionID getRestrictedTokenForRestriction(TokenRestriction restriction)

Returns the SessionID of the restricted token for the provided restriction for this session.

Parameters:

restriction - restriction used to look up restricted token.

Returns:

restricted token sessionID.

getRestrictedTokens

public Set<SessionID> getRestrictedTokens()

Returns the set (possibly empty) of restricted session IDs associated with this session. A restricted session ID can only be used when the associated TokenRestriction is satisfied. Typically this ties a particular user session to only be used via a particular agent or from a particular IP address.

The result is a copy of the current restricted token set: modifications to it will not change the set of restricted tokens associated with the session.

Returns:

the set of restricted tokens associated with this session. Never null but can be empty.

getCookieSupport

public boolean getCookieSupport()

Returns true if cookies are supported.

Returns:

true if cookie supported;

setCookieMode

public void setCookieMode(Boolean cookieMode)

set the cookieMode based on whether the request has cookies or not. This method is called from createSSOToken(request) method in SSOTokenManager.

Parameters:

cookieMode - , Boolean value whether request has cookies or not.

setSessionHandle

public void setSessionHandle(String sessionHandle)

Used during session deserialization. This method SHALL NOT be invoked by custom code.

Parameters:

sessionHandle - The sessionHandle to set.

getSessionHandle

public String getSessionHandle()

Returns the session handle.

Returns:

The session handle.

getExpirationTime

public long getExpirationTime(TimeUnit timeUnit)

Computes session object expiration time as the smallest of the remaining idle time (or purge delay if the session has already timed out) or the session lifetime limit.

Time value is returned in the requested unit (accurate to millisecond) and uses the same epoch as System.currentTimeMillis().

Parameters:

timeUnit - the time unit to return the result in.

Returns:

the result in the given units.

getMaxSessionExpirationTime

public long getMaxSessionExpirationTime(TimeUnit timeUnit)

Returns time at which session's lifetime expires.

Time value is returned in the requested unit (accurate to millisecond) and uses the same epoch as System.currentTimeMillis().

Parameters:

timeUnit - the time unit to return the result in.

Returns:

the result in the given units.

See Also:

getMaxSessionTime()

getMaxIdleExpirationTime

public long getMaxIdleExpirationTime(TimeUnit timeUnit)

Returns time at which session's idle time expires.

Time value is returned in the requested unit (accurate to millisecond) and uses the same epoch as System.currentTimeMillis().

Parameters:

timeUnit - the time unit to return the result in.

Returns:

the result in the given units.

See Also:

getMaxIdleTime()

isInvalid

public boolean isInvalid()

Returns:

True if the Session has reached an invalid state.

setPersistenceManager

public void setPersistenceManager(SessionPersistenceManager manager)

Description copied from interface: SessionPersistenceObservable

Set the manager which handles persistence of this observable.

Specified by:

setPersistenceManager in interface SessionPersistenceObservable

Parameters:

manager - The manager to add.

notifyPersistenceManager

public void notifyPersistenceManager()

getObject

public Object getObject(String key)

Returns the value of the specified key from the internal object map.

Parameters:

key - the key whose associated value is to be returned

Returns:

internal object

removeObject

public void removeObject(String key)

Removes the mapping for this key from the internal object map if present.

Parameters:

key - key whose mapping is to be removed from the map

setObject

public void setObject(String key,
                      Object value)

Sets the key-value pair in the internal object map.

Parameters:

key - with which the specified value is to be associated

value - to be associated with the specified key