InternalSession.java revision f76ade6eebb2977c1ff6782b38b01749e45af920
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 * You can obtain a copy of the License at
 * See the License for the specific language governing
 * permission and limitations under the License.
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 * Portions Copyrighted 2011-2016 ForgeRock AS.

 * The <code>InternalSession</code> class represents a Webtop internal session.
 * A session has four states: invalid, valid, inactive, and destroyed. The initial state of a session is invalid.

 * Support objects (do not serialize)

/* Maximum frequency with which the access time in the repository will be updated. */

/* default idle time for invalid sessions */

 * The URL map for session events of THIS session only: SESSION_CREATION, IDLE_TIMEOUT, MAX_TIMEOUT, LOGOUT,
 * REACTIVATION, DESTROY. Each URL in the map is associated with a set of token ids (master and potentially all of
 * the restricted token ids associated with the master) that will be used in notification

/* Session handle is used to prevent administrator from impersonating other users. */

 * Creates an instance of the Internal Session with its key dependencies exposed.
 * Note: This InternalSession will be in an invalid state.
 * @param sid Non null Session ID.
 * @param service Non null SessionService.
 * @param debug Debugging instance to use for all logging.
 * Creates a new InternalSession with the given Session ID.
 * Note: This InternalSession will be in an invalid state.
 * @param sid SessionID Non null Session ID.

 * Default constructor required for deserialisation, and should not be used elsewhere.
 * This constructor is intentionally blank, except for setting isISStored to true (if the InternalSession is being
 * deserialised, it is being loaded from storage).

 * When deserialised the code responsible for instantiating it will have no means of resolving dependencies.
 * Instead this is deferred to
 * {@link com.iplanet.dpro.session.service.InternalSession#setSessionServiceDependencies(
 * SessionService, SessionServiceConfig, SessionLogging, SessionAuditor, com.sun.identity.shared.debug.Debug)}

 * The debug instance is not restored during deserialisation.
 * @param debug Non null debug instance.

 * The SessionService is not restored during deserialisation.
 * @param service Non null SessionService.

 * Returns the SessionID of this Internal Session.
 * @return SessionID for the internal session object

 * Returns the type of Internal Session.
 * @return <code>USER</code> or <code>APPLICATION</code>.

 * Set the type of Internal Session. User OR Application.
 * @param type <code>USER</code> or <code>APPLICATION</code>.

 * Returns Client ID, accessing this Internal Session.

 * Sets Client ID for this Internal Session.

 * Returns the Domain of the Client

 * Sets the Client's Domain.

 * Returns maximum time allowed for the Internal Session.
 * @return the number of maximum minutes for the session

 * Sets the maximum time (in minutes) allowed for the Internal Session
 * @param maxSessionTimeInMinutes

 * Returns the maximum idle time (in minutes) for the Internal Session.
 * @return the number of maximum idle minutes

 * Sets the maximum idle time (in minutes) for the Internal Session.
 * @param maxIdleTimeInMinutes

 * Returns the maximum caching time (in minutes) allowed for the Internal
 * @return Maximum Cache Time

 * Sets the maximum caching time (in minutes) for the Internal Session.

 * Returns the time (in seconds) for which the Internal Session has not been
 * @return session idle time

 * Returns the total time left (in seconds) for the Internal Session. Returns 0 if the time left is negative.
 * @return Time left for the internal session to be invalid

 * Returns true if the session has timed out due to idle/max timeout period.
 * @return <code>true</code> if the Internal session has timed out,
 * <code>false</code> otherwise

 * Cache the cookie string. No guarantees are made as to its continued persistence.
 * @param cookieString The cookie string to persist.

 * Returns the cached cookie string for this InternalSession. May be null.
 * @return The cached cookie string. May be null.

 * Return the SessionID object which represents this InternalSession.
 * @return The session ID.

 * Returns the state of the Internal Session
 * @return the session state can be VALID, INVALID, INACTIVE or DESTROYED

 * Get the authentication context associated with this session.
 * @return the AuthContextLocal associated with this session

 * Gets whether this session has an associated authenticationContext.
 * @return true if this session has an authentication context.

 * Sets the authentication context.
 * @param authContext the authentication context

 * Clears the authentication context from this session.

 * Returns the value of the specified key from the Internal Session property
 * @return string value for the key from Internal Session table.

 * Returns the Enumeration of property names of the Internal Session
 * @return list of properties in the Internal session table.

 * Helper method to check if a property is protected or not.
 * We introduce a mechanism to protect certain "core" or "internal"
 * properties from updates via remote SetProperty method of the
 * SessionService.
 * Allowing remote self-updates to session properties leads
 * to a security vulnerability which allows unconstrained user impersonation
 * or privilege elevation. See bug # 4814922 for more information.
 * protectedProperties contains a set of property names which can not be
 * remotely updated. It is initially populated using a static initializer. We
 * also implemented an extra safety mechanism intended to protect from
 * accidental reopening of this security hole in the future if a property
 * name changes or a new property is introduced without a corresponding update
 * of the static hardcoded list of protected properties below. This
 * mechanism automatically adds any property to protectedProperties if it is
 * set via local invocation of putProperty.
 * However, some properties (such as Locale and CharSet) must be settable
 * both locally and remotely. In order to make it configurable we use a
 * second table called remotelyUpdateableProperties. Note that
 * protectedProperties takes precedence over remotelyUpdateableProperties:
 * remotelyUpdateableProperties will be consulted only if a property is not
 * on the protectedProperties list already.
 * The following table defines the behavior of putProperty() and
 * putExternalProperty() depending on whether the property name is present in
 * the protectedProperties or remotelyUpdateableProperties list:
 *
 *   protectedProperties   remotelyUpdateableProperties   putProperty()                                 putExternalProperty()
 *   in                    n/a                            sets value                                    logs, does nothing
 *   out                   in                             sets value                                    sets value
 *   out                   out                            sets value and adds to protectedProperties    sets value
 *
 * @return true if property is protected else false.

 * Sets the key-value pair in the InternalSession property table if it is
 * not protected. If it is protected the client should have permission to set
 * it. This method is to be used in conjunction with
 * protected, an attempt to remotely set a protected property is logged and
 * the method throws an Exception. Otherwise invocation is delegated to
 * Note that package default access is being used
 * Token of the client setting external property.
 * Property value for the key
 * @exception SessionException is thrown if the key is a protected property.

    debug.message("Updated protected property after validating client identity and permissions");
 * Sets the key-value pair in the Internal Session property table. This
 * method should only be invoked locally by code running in the same server
 * VM. Remote invocations should use putExternalProperty(). This is a simple
 * wrapper around internalPutProperty(), which in addition calls
 * registerProtectedProperty() to make sure that if a property key is not
 * already on the list of protected properties, it will be automatically
 * added there (unless it is also on the remotelyUpdateableProperties list!)
 * Property value for the key

 * Sets the key-value pair in the Internal Session property table.
 * Property value for the key

    "InternalSession.internalputProperty():" +
    "Unable to get HostName for:" +
    value +
    " SessionException: ",
    uhe);
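As an added illustration, not code from OpenAM or from this file: the putProperty() / putExternalProperty() decision table documented above, modelled as a small stand-alone Java class. The class name, the seed name Principal, the AuthLevel name used in main, and the one-line SessionException are assumptions; Locale and CharSet are the remotely updateable names the Javadoc itself gives.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative model of the protected-property rules documented above; not OpenAM's own InternalSession code.
public final class ProtectedPropertyModel {
    public static final class SessionException extends Exception { SessionException(String m) { super(m); } }
    // Names that may never be set remotely. Seeded with an assumed example name standing in for
    // the static initializer the Javadoc mentions; putProperty() grows the set automatically.
    private final Set<String> protectedProperties = ConcurrentHashMap.newKeySet();
    // Names that stay remotely settable (Locale and CharSet per the Javadoc); consulted only
    // when a name is not already protected, so protectedProperties takes precedence.
    private final Set<String> remotelyUpdateableProperties = ConcurrentHashMap.newKeySet();
    private final Map<String, String> table = new ConcurrentHashMap<>();
    public ProtectedPropertyModel() {
        protectedProperties.add("Principal");          // assumed seed value
        remotelyUpdateableProperties.add("Locale");
        remotelyUpdateableProperties.add("CharSet");
    }
    /** Local, same-VM set: stores the value and auto-registers the name as protected. */
    public void putProperty(String key, String value) {
        internalPutProperty(key, value);
        registerProtectedProperty(key);
    }
    /** Remote set: a protected name is logged and refused; anything else is stored. */
    public void putExternalProperty(String key, String value) throws SessionException {
        if (isProtectedProperty(key)) {
            System.err.println("Rejected remote update of protected property " + key);
            throw new SessionException("Property " + key + " is protected");
        }
        internalPutProperty(key, value);
    }
    public boolean isProtectedProperty(String key) { return protectedProperties.contains(key); }
    public String getProperty(String key) { return table.get(key); }
    private void internalPutProperty(String key, String value) { table.put(key, value); }
    // Last row of the table: a locally set name becomes protected unless it is remotely updateable.
    private void registerProtectedProperty(String key) {
        if (!remotelyUpdateableProperties.contains(key)) protectedProperties.add(key);
    }
    public static void main(String[] args) throws SessionException {
        ProtectedPropertyModel s = new ProtectedPropertyModel();
        s.putProperty("AuthLevel", "5");              // assumed name; local set, so now protected
        s.putExternalProperty("Locale", "fr");        // remotely updateable: accepted
        try { s.putExternalProperty("AuthLevel", "0"); } catch (SessionException e) { System.out.println(e.getMessage()); }
        System.out.println(s.getProperty("AuthLevel"));   // still 5: the remote downgrade was refused
    }
}
```

The main method walks the three rows of the table: a local set that becomes protected, a remote set of a remotely updateable name, and a refused remote set of the now-protected name.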
 * Sets the status of the isSessionUpgrade flag, which determines if the
 * <code>Session</code> is in the upgrade state or not.
 * @param value <code>true</code> if it is an upgrade
 * <code>false</code> otherwise

 * Gets the status of the <code>Session</code>, i.e. whether it is in an upgrade state
 * @return <code>true</code> if the session is in upgrade state
 * <code>false</code> otherwise

 * Set whether this InternalSession is persisted.
 * @param isStored True if the session is persisted, false otherwise.

 * Returns whether the InternalSession represented has been stored. If this is true, changes to this object will
 * update the stored version.
 * @return <code>true</code> if the internal session is stored
 * <code>false</code> otherwise

 * Changes the state of the session to ACTIVE after creation.
 * @return <code>true</code> if the session is successfully activated
 * after creation, <code>false</code> otherwise

 * Changes the state of the session to ACTIVE after creation.
 * @param stateless Indicates that the log in session is a stateless session.
 * @return <code>true</code> if the session is successfully activated
 * after creation, <code>false</code> otherwise

// Exceeded max active sessions, but allow if the user is super-admin

// checking Session Quota Constraints

 * The session quota checking will be bypassed if:
 * (1) the login user is the super user (not including users assigned the top level admin role), or
 * (2) the token is an application token (e.g. Agent)

 * Gets the User Universal ID

 * Sets the willExpireFlag. This flag specifies whether the session will

 * Checks the invalid session idle time. If this session is invalid and idle
 * for more than 3 minutes, we will need to remove it from the session table
 * @return <code>true</code> if the max default idle time expires

 * Checks whether the session should change state and returns the state that the session should be in.
// do something special for the timed out sessions

 * Changes the state of the session and sends Session Notification when session times out.

 * Changes the state of the session. Does not notify SessionService, or anything else using Session Notification.

 * Transfers the info about the Internal Session to Session Info.

// Sessions such as authentication session will never be destroyed

// Adding the sessionHandle as a session property, so the sessionHandle is available in Session objects.

 * Sets the last time the client sent a request associated with this
 * session, as the number of seconds since midnight January 1, 1970 GMT.
 * Once updated the Session will be persisted.

 * Sets the {@link SessionState} of the Internal Session.

 * Returns the URL of the Session events and the associated master and
 * @return Map of session event URLs and their associated SessionIDs.

 * Adds a listener for the associated session ID.
 * @param url The listening URL.
 * @param sid The associated SessionID.

 * This setter method is used by the JSON serialization mechanism and should not be used for other purposes.
 * @param restrictedTokensBySid The deserialized map of sid<->restricted tokens that should be stored in a

 * This setter method is used by the JSON serialization mechanism and should not be used for other purposes.
 * @param sessionEventURLs The deserialized map of sessionEventURLs that should be stored in a ConcurrentHashMap.

 * Returns the value of willExpireFlag.

 * Determine whether it is an application session.
 * @return <code>true</code> if this is an application session, <code>false</code> otherwise.

 * Sets the creation time of the Internal Session, as the number of seconds
 * since midnight January 1, 1970 GMT.

 * Add new restricted token pointing at the same session to the list.
 * @param sid The session ID.
 * @param restriction The token restriction.
 * @return The existing session ID instance if this TokenRestriction was already mapped to a session ID,
 * <code>null</code> otherwise.

 * Returns the TokenRestriction for the given SessionID.
 * @param sid Possibly null SessionID.
 * @return Null indicates there is no restriction on the Session.

 * Returns true if cookies are supported.
 * @return true if cookie supported;

 * Set the cookieMode based on whether the request has cookies or not. This
 * method is called from createSSOToken(request) method in SSOTokenManager.
 * Boolean value whether request has cookies or not.

 * Used during session deserialization. This method SHALL NOT be invoked by custom code.
 * @param sessionHandle The sessionHandle to set.

// No need to update the session for failover, as this method is invoked only upon session

 * Returns the session handle.
 * @return The session handle.

 * Computes session object expiration time as the smallest of the remaining idle time (or purge delay if the
 * session has already timed out) or the session lifetime limit.
 * Time value is returned in the requested unit (accurate to millisecond) and uses the
 * same epoch as {@link System#currentTimeMillis()}.
 * @param timeUnit the time unit to return the result in.
 * @return the result in the given units.

 * Returns time at which session's lifetime expires.
 * Time value is returned in the requested unit (accurate to millisecond) and uses the
 * same epoch as {@link System#currentTimeMillis()}.
 * @see #getMaxSessionTime()
 * @param timeUnit the time unit to return the result in.
 * @return the result in the given units.

 * Returns time at which session's idle time expires.
 * Time value is returned in the requested unit (accurate to millisecond) and uses the
 * same epoch as {@link System#currentTimeMillis()}.
 * @param timeUnit the time unit to return the result in.
 * @return the result in the given units.

 * @return True if the Session has reached an invalid state.

 * Signals the Session for removal.

// TODO: Don't make this method public

 * Sets the time at which this session timed out due to idle/max timeout. The time is in seconds since the same
 * epoch as {@link System#currentTimeMillis()}. A value of 0 indicates that the session has not timed out.
 * @param timedOutAt the time in seconds at which the session timed out.

 * Simple enumeration to report how the session is changing in state