/*
* Copyright 2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Ben Lucchesi
* ben@granicus.com or benlucchesi@gmail.com
*/
package com.granicus.grails.plugins.cookiesession;
import java.io.ByteArrayOutputStream;
import java.security.MessageDigest
import java.util.UUID
import java.util.zip.GZIPInputStream
import java.util.zip.GZIPOutputStream
import javax.crypto.Cipher
import javax.crypto.CipherInputStream
import javax.crypto.CipherOutputStream
import javax.crypto.Mac
import javax.crypto.SealedObject
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.codehaus.groovy.grails.commons.ConfigurationHolder as ch
import org.springframework.beans.factory.InitializingBean
import groovy.util.logging.Log4j
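@Log4j
class CookieSessionRepository implements SessionRepository, InitializingBean {

    /** HMAC algorithm used to authenticate every cookie payload, encrypted or not. */
    private static final String MAC_ALGORITHM = "HmacSHA256"
    /** Length in bytes of the HmacSHA256 tag appended to the payload. */
    private static final int MAC_LENGTH = 32
    /**
     * Bytes of cipher key derived from the secret. 16 bytes is a legal key for
     * Blowfish (4..56 bytes) and for AES (AES-128). Algorithms with a different
     * fixed key size (DES, DESede) are not supported by this derivation.
     */
    private static final int CIPHER_KEY_LENGTH = 16

    def grailsApplication

    /** Cipher key derived from cryptoSecret; only used when encryptCookie is true. */
    SecretKeySpec cryptoKey
    /** HMAC key derived from cryptoSecret; always used, so the cookie cannot be forged or tampered with. */
    SecretKeySpec macKey

    String cookieName = "grails_session" // default cookie name
    boolean encryptCookie = true
    /** Value of the Secure flag on the session cookies (grails.plugin.cookiesession.secure). */
    boolean cookieSecure = false
    String cryptoAlgorithm = "Blowfish"
    def cryptoSecret = null
    /** Inactivity limit in milliseconds; 0 means sessions never expire. */
    long maxInactiveInterval = 0
    int cookieCount = 3
    int maxCookieSize = 2048

    /**
     * Reads the grails.plugin.cookiesession.* configuration and derives the
     * cipher and MAC keys. Called by Spring once the bean's properties are set.
     *
     * Note on ConfigObject: a key that is not present in the Grails config does
     * not yield null but an empty ConfigObject, which is falsy. Every "is it set"
     * check below therefore has to test for ConfigObject explicitly where a
     * plain null check would otherwise treat "unset" as "false".
     */
    void afterPropertiesSet(){
        log.trace "afterPropertiesSet()"
        log.info "configuring CookieSessionRepository"

        def cfg = ch.config.grails.plugin.cookiesession

        def encryptSetting = cfg.encryptcookie
        if( encryptSetting != null && !(encryptSetting instanceof ConfigObject) ){
            // Groovy truth of the configured value decides, as before
            encryptCookie = encryptSetting ? true : false
            log.info "grails.plugin.cookiesession.encryptcookie set: \'${encryptCookie}\'"
        }
        else{
            encryptCookie = true
            log.info "grails.plugin.cookiesession.encryptcookie not set. defaulting to \'${encryptCookie}\'"
        }
        if( !encryptCookie ){
            log.warn "session cookies are not encrypted: the client can read everything stored in the session. The HMAC still prevents tampering."
        }

        def secureSetting = cfg.secure
        if( secureSetting != null && !(secureSetting instanceof ConfigObject) ){
            cookieSecure = secureSetting ? true : false
            log.info "grails.plugin.cookiesession.secure set: \'${cookieSecure}\'"
        }
        else{
            cookieSecure = false
            log.warn "grails.plugin.cookiesession.secure not set. defaulting to \'${cookieSecure}\'. set it to true when the application is served over https."
        }

        if( cfg.cryptoalgorithm ){
            cryptoAlgorithm = cfg.cryptoalgorithm.toString()
            log.info "grails.plugin.cookiesession.cryptoalgorithm set: \'${cryptoAlgorithm}\'"
        }
        else{
            cryptoAlgorithm = "Blowfish"
            log.info "grails.plugin.cookiesession.cryptoalgorithm not set. defaulting to \'${cryptoAlgorithm}\'"
        }
        if( encryptCookie && !usesIv() ){
            log.warn "cryptoalgorithm \'${cryptoAlgorithm}\' runs in ECB mode. prefer a transformation with a mode and IV, e.g. \'AES/CBC/PKCS5Padding\'."
        }

        if( cfg.sessiontimeout ){
            // the configured value is in seconds; the field is kept in milliseconds
            maxInactiveInterval = cfg.sessiontimeout.toString().toLong() * 1000
            if( maxInactiveInterval < 0 ){
                log.warn "config.grails.plugin.cookiesession.sessiontimeout needs to be greater than or equal to zero. defaulting to 0"
                maxInactiveInterval = 0
            }
            log.info "grails.plugin.cookiesession.sessiontimeout set: ${maxInactiveInterval} ms."
        }
        else{
            maxInactiveInterval = 0
            log.info "grails.plugin.cookiesession.sessiontimeout not set. defaulting to ${maxInactiveInterval} ms."
        }

        if( cfg.cookiename ){
            cookieName = cfg.cookiename.toString()
            log.info "grails.plugin.cookiesession.cookiename set: \'${cookieName}\'"
        }
        else{
            cookieName = "grails_session"
            log.info "grails.plugin.cookiesession.cookiename not set. defaulting to \'${cookieName}\'"
        }

        if( cfg.secret ){
            cryptoSecret = cfg.secret
            // never log the secret, not even masked (the masked form leaks its length)
            log.info "grails.plugin.cookiesession.secret set (value not logged)"
        }
        else{
            // UUID.randomUUID() is backed by SecureRandom, so this is a usable per-instance secret
            cryptoSecret = (0..4).collect{ UUID.randomUUID().toString() }.join()
            log.info "grails.plugin.cookiesession.secret not set: generated a random secret for this instance"
            log.warn "Crypto secret is not configured for session repository. Sessions can only be decrypted for this instance of the application. to make session transportable between multiple instances of this application, set the grails.plugin.cookiesession.secret configuration explicitly."
        }

        if( cfg.cookiecount ){
            cookieCount = cfg.cookiecount.toString().toInteger()
            log.info "grails.plugin.cookiesession.cookiecount set: ${cookieCount}"
        }
        else{
            cookieCount = 3
            log.info "grails.plugin.cookiesession.cookiecount not set. defaulting to ${cookieCount}"
        }

        if( cfg.maxcookiesize ){
            maxCookieSize = cfg.maxcookiesize.toString().toInteger()
            // out-of-range values are replaced by the default; the original '&&' here could never be true
            if( maxCookieSize < 1024 || maxCookieSize > 4096 ){
                maxCookieSize = 2048
                log.info "grails.plugin.cookiesession.maxCookieSize must be between 1024 and 4096. defaulting to 2048"
            }
            else{
                log.info "grails.plugin.cookiesession.maxCookieSize set: ${maxCookieSize}"
            }
        }
        else{
            maxCookieSize = 2048
            log.info "grails.plugin.cookiesession.maxcookiesize not set. defaulting to ${maxCookieSize}"
        }

        if( maxCookieSize * cookieCount > 6114 ){
            log.warn "the maxcookiesize and cookiecount settings will allow for a max session size of ${maxCookieSize*cookieCount} bytes. Make sure you increase the max http header size in order to support this configuration. see the help file for this plugin for instructions."
        }

        // derive independent cipher and MAC keys from the secret. Hashing also keeps
        // the cipher key within the algorithm's key-size limits regardless of how
        // long the configured (or generated) secret is.
        byte[] secretBytes = cryptoSecret.toString().getBytes("UTF-8")
        cryptoKey = new SecretKeySpec(deriveKey(secretBytes, "enc", CIPHER_KEY_LENGTH), cryptoAlgorithm.split('/')[0])
        macKey = new SecretKeySpec(deriveKey(secretBytes, "mac", MAC_LENGTH), MAC_ALGORITHM)
    }

    /**
     * Derives a key of {@code length} bytes as SHA-256(secret || label), truncated.
     * Different labels give unrelated keys for the same secret.
     */
    private static byte[] deriveKey(byte[] secret, String label, int length){
        MessageDigest digest = MessageDigest.getInstance("SHA-256")
        digest.update(secret)
        digest.update(label.getBytes("UTF-8"))
        return Arrays.copyOf(digest.digest(), length)
    }

    /** True when the configured transformation names a mode other than ECB, i.e. one that needs an IV. */
    private boolean usesIv(){
        String[] parts = cryptoAlgorithm.split('/')
        return parts.length > 1 && !parts[1].equalsIgnoreCase("ECB")
    }

    /**
     * Rebuilds the session from the request's cookies.
     *
     * @return the session, with isNewSession, lastAccessedTime and servletContext
     *         refreshed, or null when there is no cookie, the cookie fails
     *         authentication/decoding, or the session has been inactive longer
     *         than maxInactiveInterval (0 = never expires).
     */
    SerializableSession restoreSession( HttpServletRequest request ){
        log.trace "restoreSession()"
        String serializedSession = getDataFromCookie(request)
        SerializableSession session = serializedSession ? deserializeSession(serializedSession) : null
        if( session == null ){
            log.info "no session retrieved from cookie."
            return null
        }

        long currentTime = System.currentTimeMillis()
        long lastAccessedTime = session.lastAccessedTime ?: 0
        long inactiveInterval = currentTime - lastAccessedTime

        if( maxInactiveInterval > 0 && inactiveInterval > maxInactiveInterval ){
            log.info "retrieved expired session from cookie. lastAccessedTime: ${new Date(lastAccessedTime)}. inactive for ${inactiveInterval} ms."
            return null
        }

        // valid session (either no timeout configured, or still within it)
        log.info "retrieved valid session from cookie. lastAccessedTime: ${new Date(lastAccessedTime)}"
        session.isNewSession = false
        session.lastAccessedTime = currentTime
        session.servletContext = request.servletContext
        return session
    }

    /** Serializes the session and writes it to the response as one or more cookies. */
    void saveSession( SerializableSession session, HttpServletResponse response ){
        log.trace "saveSession()"
        String serializedSession = serializeSession(session)
        putDataInCookie(response, serializedSession)
    }

    /**
     * Turns the session into a base64 string: gzip(java-serialized session),
     * optionally encrypted (IV prefixed when the mode uses one), always followed
     * by an HMAC tag over the whole payload (encrypt-then-MAC).
     */
    String serializeSession( SerializableSession session ){
        log.trace "serializeSession()"
        log.trace "serializing and compressing session"
        ByteArrayOutputStream stream = new ByteArrayOutputStream()
        new GZIPOutputStream(stream).withObjectOutputStream{ oos ->
            oos.writeObject(session)
        }
        byte[] payload = stream.toByteArray()

        if( encryptCookie ){
            log.trace "encrypting serialized session"
            payload = encrypt(payload)
        }

        byte[] tag = computeMac(payload)
        byte[] output = new byte[payload.length + tag.length]
        System.arraycopy(payload, 0, output, 0, payload.length)
        System.arraycopy(tag, 0, output, payload.length, tag.length)

        log.trace "base64 encoding serialized session"
        return output.encodeBase64().toString()
    }

    /**
     * Inverse of serializeSession. The HMAC is verified before anything is
     * decrypted, decompressed or deserialized: cookie bytes are attacker
     * controlled, and Java deserialization of unauthenticated data is a
     * remote code execution risk.
     *
     * @return the session, or null when the tag is missing/invalid or any step fails
     */
    SerializableSession deserializeSession( String serializedSession ){
        log.trace "deserializeSession()"
        SerializableSession session = null
        try
        {
            log.trace "decodeBase64 serialized session"
            byte[] input = serializedSession.decodeBase64()

            byte[] payload = verifyMac(input)
            if( payload == null ){
                log.warn "rejecting session cookie: integrity check failed"
                return null
            }

            if( encryptCookie ){
                log.trace "decrypting cookie"
                payload = decrypt(payload)
            }

            log.trace "decompressing and deserializing session"
            def inputStream = new GZIPInputStream( new ByteArrayInputStream( payload ) )
            // resolve classes through the application class loader first so that
            // domain/session attribute classes of the Grails app are found
            def objectInputStream = new ObjectInputStream(inputStream){
                @Override
                public Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                    try {
                        return grailsApplication.classLoader.loadClass(desc.getName())
                    } catch (ClassNotFoundException ex) {
                        return Class.forName(desc.getName())
                    }
                }
            }
            session = (SerializableSession)objectInputStream.readObject()
        }
        catch( excp ){
            log.error "An error occurred while deserializing a session. ${excp}"
            session = null
        }
        log.debug "deserialized session: ${session != null}"
        return session
    }

    /** Computes the HmacSHA256 tag of {@code payload} under macKey. */
    private byte[] computeMac(byte[] payload){
        Mac mac = Mac.getInstance(MAC_ALGORITHM)
        mac.init(macKey)
        return mac.doFinal(payload)
    }

    /**
     * Splits {@code input} into payload and trailing tag and checks the tag.
     *
     * @return the payload when the tag is valid, null otherwise
     */
    private byte[] verifyMac(byte[] input){
        if( input == null || input.length <= MAC_LENGTH ){
            return null
        }
        int payloadLength = input.length - MAC_LENGTH
        byte[] payload = Arrays.copyOfRange(input, 0, payloadLength)
        byte[] provided = Arrays.copyOfRange(input, payloadLength, input.length)
        byte[] expected = computeMac(payload)
        // constant-time comparison; both arrays are MAC_LENGTH bytes long
        return MessageDigest.isEqual(expected, provided) ? payload : null
    }

    /**
     * Encrypts with cryptoAlgorithm. When the transformation uses an IV the
     * provider generates a random one, which is prepended to the ciphertext.
     * Transformations without an IV (e.g. plain "Blowfish", ECB) produce the
     * bare ciphertext. AEAD modes such as GCM are not handled here.
     */
    private byte[] encrypt(byte[] plain){
        Cipher cipher = Cipher.getInstance(cryptoAlgorithm)
        cipher.init( Cipher.ENCRYPT_MODE, cryptoKey )
        byte[] ciphertext = cipher.doFinal(plain)
        byte[] iv = cipher.getIV()
        if( iv == null ){
            return ciphertext
        }
        byte[] output = new byte[iv.length + ciphertext.length]
        System.arraycopy(iv, 0, output, 0, iv.length)
        System.arraycopy(ciphertext, 0, output, iv.length, ciphertext.length)
        return output
    }

    /** Inverse of encrypt: reads a block-sized IV prefix when the mode needs one. */
    private byte[] decrypt(byte[] data){
        Cipher cipher = Cipher.getInstance(cryptoAlgorithm)
        if( usesIv() ){
            int ivLength = cipher.getBlockSize()
            if( data.length < ivLength ){
                throw new IllegalArgumentException("ciphertext shorter than the IV")
            }
            byte[] iv = Arrays.copyOfRange(data, 0, ivLength)
            cipher.init( Cipher.DECRYPT_MODE, cryptoKey, new IvParameterSpec(iv) )
            return cipher.doFinal(data, ivLength, data.length - ivLength)
        }
        cipher.init( Cipher.DECRYPT_MODE, cryptoKey )
        return cipher.doFinal(data)
    }

    /**
     * Splits {@code input} into chunks of at most maxCookieSize characters.
     *
     * @return an array of cookieCount entries; unused trailing entries are null
     * @throws IllegalStateException when the input needs more than cookieCount chunks
     */
    private String[] splitString(String input){
        log.trace "splitString()"
        String[] list = new String[cookieCount]
        if( !input ){
            log.trace "input empty or null."
            return list
        }
        // ceiling division; the old size/maxCookieSize loop produced an extra empty
        // chunk and an out-of-range substring when the size was an exact multiple
        int partitions = (input.size() + maxCookieSize - 1).intdiv(maxCookieSize)
        log.trace "splitting input of size ${input.size()} string into ${partitions} partitions"
        if( partitions > cookieCount ){
            throw new IllegalStateException("serialized session of ${input.size()} characters needs ${partitions} cookies but cookiecount is ${cookieCount}. increase grails.plugin.cookiesession.cookiecount/maxcookiesize or store less in the session.")
        }
        (0..<partitions).each{ i ->
            int start = i * maxCookieSize
            int end = Math.min(start + maxCookieSize, input.size())
            log.trace "partition: ${i}, start: ${start}, end: ${end - 1}"
            list[i] = input.substring(start, end)
        }
        return list
    }

    /** Concatenates the chunks in the order given. */
    private String combineStrings(def input){
        log.trace "combineStrings()"
        String output = input.join()
        log.trace "combined ${input.size()} strings into output of length ${output.size()}."
        return output
    }

    /**
     * Collects the values of the cookies named "cookieName-N" (N in 0..cookieCount-1)
     * in index order. Cookies whose name merely starts with cookieName, or whose
     * suffix is not a number, are ignored instead of throwing: cookie names come
     * from the client.
     */
    String getDataFromCookie(HttpServletRequest request){
        log.trace "getDataFromCookie()"
        String prefix = "${cookieName}-".toString()
        Map<Integer, String> chunks = [:]
        (request.cookies ?: []).each{ cookie ->
            String name = cookie.name
            if( !name.startsWith(prefix) ){
                return
            }
            String suffix = name.substring(prefix.length())
            if( !suffix.isInteger() ){
                return
            }
            int index = suffix.toInteger()
            if( index < 0 || index >= cookieCount ){
                return
            }
            chunks[index] = cookie.value ?: ''
        }
        List<String> values = chunks.keySet().sort().collect{ chunks[it] }
        String data = combineStrings(values)
        log.debug "retrieved ${data.size()} bytes of data from ${values.size()} session cookies."
        return data
    }

    /**
     * Writes {@code value} to the response as cookieCount cookies named
     * "cookieName-0" .. "cookieName-(cookieCount-1)"; unused ones carry an
     * empty value so stale chunks from a previous, larger session are overwritten.
     */
    void putDataInCookie(HttpServletResponse response, String value){
        log.trace "putDataInCookie() - ${value?.size()}"
        String[] partitions = splitString(value)
        partitions.eachWithIndex{ chunk, i ->
            Cookie c = newSessionCookie("${cookieName}-${i}".toString(), chunk ?: '')
            response.addCookie(c)
            log.trace "added ${cookieName}-${i} to response"
        }
        log.debug "added ${partitions.size()} session cookies to response."
    }

    /**
     * Builds a session cookie with the flags every chunk shares: path "/",
     * Secure per configuration, and HttpOnly where the servlet API offers it
     * (Cookie.setHttpOnly exists from Servlet 3.0; older containers skip it).
     */
    private Cookie newSessionCookie(String name, String value){
        Cookie c = new Cookie(name, value)
        c.setPath("/")
        c.setSecure(cookieSecure)
        if( c.respondsTo('setHttpOnly') ){
            c.setHttpOnly(true)
        }
        return c
    }

    /**
     * Expires every session cookie chunk. The previous version built a single
     * cookie named cookieName (a name never used by putDataInCookie) and never
     * added it to the response, so nothing was actually deleted.
     */
    void deleteCookie(HttpServletResponse response){
        log.trace "deleteCookie()"
        (0..<cookieCount).each{ i ->
            Cookie c = newSessionCookie("${cookieName}-${i}".toString(), "")
            c.maxAge = 0
            c.setVersion( 0 )
            response.addCookie(c)
        }
    }

    /**
     * Always true: the cookie itself is the session, so there is no server-side
     * id to validate. Callers must not treat this as a check on the session content.
     */
    boolean isSessionIdValid(String sessionId){
        log.trace "isSessionIdValid() : ${sessionId}"
        return true
    }
}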