feat(maintenance): add REST endpoints for session management (#35206)#35733
Merged
Migrates the Logged Users tab off the legacy UserSessionAjax DWR class
by adding three REST endpoints on MaintenanceResource:
- GET /api/v1/maintenance/_sessions list active sessions
- DELETE /api/v1/maintenance/_sessions/{token} invalidate one session
- DELETE /api/v1/maintenance/_sessions invalidate all but caller
The HMAC obfuscation and 15-minute CSRF expiry from the legacy class are
preserved so raw HTTP session ids never leave the JVM. HMAC helpers are
extracted into a shared SessionTokenUtil; UserSessionAjax keeps the
static obfuscate/validate methods as @deprecated shims that delegate to
the utility, so existing DWR call sites remain unchanged.
Constant-time MessageDigest.isEqual replaces String.equals on token
comparison; explicit UTF-8 byte encoding replaces the platform default.
Covered by 7 unit tests (SessionTokenUtilTest) and 11 integration tests
(MaintenanceResourceIntegrationTest) including byte-for-byte parity with
the legacy implementation, CSRF expiry, self-kill rejection, and
unknown-token 404 paths.
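The description above names the three properties the migration has to keep: session ids are only ever exposed as HMAC-derived tokens, a token stops being accepted after 15 minutes, and tokens are compared in constant time with explicit UTF-8 encoding. The class below is an added illustration of that pattern, written for this page; it is not dotCMS's SessionTokenUtil and does not reproduce its byte layout. The token format (`<issuedAtMillis>.<hex of HMAC-SHA256(key, issuedAtMillis + "|" + sessionId)>`), the class and method names, and the use of `HexFormat` (Java 17+) are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.util.HexFormat;
import java.util.List;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative token helper (an assumption for this page, not dotCMS code).
 * Token layout assumed here: "<issuedAtMillis>.<hex(HMAC-SHA256(key, issuedAtMillis + "|" + sessionId))>".
 * The raw session id is never part of the token; the server re-derives the MAC per live session.
 */
public final class SessionTokenDemo {
    static final Duration TOKEN_TTL = Duration.ofMinutes(15);
    private static final String ALGO = "HmacSHA256";
    private final SecretKeySpec key;

    SessionTokenDemo(byte[] secret) { this.key = new SecretKeySpec(secret, ALGO); }

    /** Build the opaque token for a session id at the given issue time. */
    String obfuscate(String sessionId, long issuedAtMillis) {
        return issuedAtMillis + "." + HexFormat.of().formatHex(mac(issuedAtMillis, sessionId));
    }

    /** True only if the token is well-formed, within TTL, and the MAC matches this session id. */
    boolean validate(String token, String sessionId, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot <= 0) return false;
        long issuedAt;
        try { issuedAt = Long.parseLong(token.substring(0, dot)); }
        catch (NumberFormatException e) { return false; }
        // Expiry check: reject anything older than TTL or stamped in the future.
        if (issuedAt > nowMillis || nowMillis - issuedAt > TOKEN_TTL.toMillis()) return false;
        byte[] presented;
        try { presented = HexFormat.of().parseHex(token.substring(dot + 1)); }
        catch (IllegalArgumentException e) { return false; }
        // Constant-time compare: String.equals/Arrays.equals stop at the first mismatch
        // and leak how much of the MAC an attacker has guessed correctly.
        return MessageDigest.isEqual(presented, mac(issuedAt, sessionId));
    }

    /** Map a presented token back to a live session id, or empty if it matches none (the 404 case). */
    Optional<String> resolve(String token, List<String> activeSessionIds, long nowMillis) {
        return activeSessionIds.stream().filter(id -> validate(token, id, nowMillis)).findFirst();
    }

    private byte[] mac(long issuedAtMillis, String sessionId) {
        try {
            Mac mac = Mac.getInstance(ALGO);
            mac.init(key);
            // Explicit UTF-8: with the platform default charset the same id would
            // yield different tokens on differently configured JVMs.
            byte[] msg = (issuedAtMillis + "|" + sessionId).getBytes(StandardCharsets.UTF_8);
            return mac.doFinal(msg);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);            // per-JVM key; never leaves the process
        SessionTokenDemo util = new SessionTokenDemo(secret);
        List<String> sessions = List.of("A1B2C3", "D4E5F6"); // constructed sample session ids
        long t0 = System.currentTimeMillis();
        String token = util.obfuscate("D4E5F6", t0);
        System.out.println("token:            " + token);
        System.out.println("valid now:        " + util.resolve(token, sessions, t0 + 1_000));
        System.out.println("after 16 minutes: " + util.resolve(token, sessions, t0 + Duration.ofMinutes(16).toMillis()));
        System.out.println("unknown token:    " + util.resolve(t0 + ".00", sessions, t0));
    }
}
```

Because the id is recovered by re-deriving the MAC for each active session rather than by decrypting the token, an attacker who harvests tokens from the `_sessions` listing learns nothing about the underlying `JSESSIONID` values, and a token captured from the page stops working on its own once the TTL lapses even if the session it points at is still alive.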
Contributor
…in /_sessions

Address review feedback on #35733: the previous code only surfaced "Unable to resolve anonymous user", which was confusing for admins calling /_sessions with a perfectly valid user. The real root cause, the primary PortalUtil.getUser lookup returning null or throwing, was hidden.
- Log a warning the moment the primary lookup fails so operators can see the underlying issue even when the anonymous fallback succeeds.
- If the anonymous fallback also fails, the thrown DotRuntimeException now names both failures in order, so the 500 response actually describes what went wrong.
jcastro-dotcms approved these changes on May 18, 2026
This PR fixes: #35193