
Commit 668ece9

committed
Adopted SecureRandom to avoid predictable random numbers in session
1 parent 41fd20a commit 668ece9


1 file changed

+136
-135
lines changed

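--- a/OHttpSessionManager.java
+++ b/OHttpSessionManager.java
@@ -1,141 +1,142 @@
 /*
-*
-* * Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com)
-* *
-* * Licensed under the Apache License, Version 2.0 (the "License");
-* * you may not use this file except in compliance with the License.
-* * You may obtain a copy of the License at
-* *
-* * http://www.apache.org/licenses/LICENSE-2.0
-* *
-* * Unless required by applicable law or agreed to in writing, software
-* * distributed under the License is distributed on an "AS IS" BASIS,
-* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* * See the License for the specific language governing permissions and
-* * limitations under the License.
-* *
-* * For more information: http://www.orientechnologies.com
-*
-*/
+*
+* * Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com)
+* *
+* * Licensed under the Apache License, Version 2.0 (the "License");
+* * you may not use this file except in compliance with the License.
+* * You may obtain a copy of the License at
+* *
+* * http://www.apache.org/licenses/LICENSE-2.0
+* *
+* * Unless required by applicable law or agreed to in writing, software
+* * distributed under the License is distributed on an "AS IS" BASIS,
+* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* * See the License for the specific language governing permissions and
+* * limitations under the License.
+* *
+* * For more information: http://www.orientechnologies.com
+*
+*/
 package com.orientechnologies.orient.server.network.protocol.http;
 
 import com.orientechnologies.common.concur.resource.OSharedResourceAbstract;
-import com.orientechnologies.common.log.OLogManager;
-import com.orientechnologies.orient.core.Orient;
-import com.orientechnologies.orient.core.config.OGlobalConfiguration;
-
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Random;
-import java.util.TimerTask;
+import com.orientechnologies.common.log.OLogManager;
+import com.orientechnologies.orient.core.Orient;
+import com.orientechnologies.orient.core.config.OGlobalConfiguration;
+
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Random;
+import java.util.TimerTask;
 
 /**
-* Handles the HTTP sessions such as a real HTTP Server.
-*
-* @author Luca Garulli
-*/
-public class OHttpSessionManager extends OSharedResourceAbstract {
-private static final OHttpSessionManager instance = new OHttpSessionManager();
-private Map<String, OHttpSession> sessions = new HashMap<String, OHttpSession>();
-private int expirationTime;
-private Random random = new Random();
-
-protected OHttpSessionManager() {
-expirationTime = OGlobalConfiguration.NETWORK_HTTP_SESSION_EXPIRE_TIMEOUT.getValueAsInteger() * 1000;
-
-Orient.instance().scheduleTask(new TimerTask() {
-@Override
-public void run() {
-final int expired = checkSessionsValidity();
-if (expired > 0)
-OLogManager.instance().debug(this, "Removed %d session because expired", expired);
-}
-}, expirationTime, expirationTime);
-}
-
-public int checkSessionsValidity() {
-int expired = 0;
-
-acquireExclusiveLock();
-try {
-final long now = System.currentTimeMillis();
-
-Entry<String, OHttpSession> s;
-for (Iterator<Map.Entry<String, OHttpSession>> it = sessions.entrySet().iterator(); it.hasNext();) {
-s = it.next();
-
-if (now - s.getValue().getUpdatedOn() > expirationTime) {
-// REMOVE THE SESSION
-it.remove();
-expired++;
-}
-}
-
-} finally {
-releaseExclusiveLock();
-}
-
-return expired;
-}
-
-public OHttpSession[] getSessions() {
-acquireSharedLock();
-try {
-
-return (OHttpSession[]) sessions.values().toArray(new OHttpSession[sessions.size()]);
-
-} finally {
-releaseSharedLock();
-}
-}
-
-public OHttpSession getSession(final String iId) {
-acquireSharedLock();
-try {
-
-final OHttpSession sess = sessions.get(iId);
-if (sess != null)
-sess.updateLastUpdatedOn();
-return sess;
-
-} finally {
-releaseSharedLock();
-}
-}
-
-public String createSession(final String iDatabaseName, final String iUserName, final String iUserPassword) {
-acquireExclusiveLock();
-try {
-final String id = "OS" + System.currentTimeMillis() + random.nextLong();
-sessions.put(id, new OHttpSession(id, iDatabaseName, iUserName, iUserPassword));
-return id;
-
-} finally {
-releaseExclusiveLock();
-}
-}
-
-public OHttpSession removeSession(final String iSessionId) {
-acquireExclusiveLock();
-try {
-return sessions.remove(iSessionId);
-
-} finally {
-releaseExclusiveLock();
-}
-}
-
-public int getExpirationTime() {
-return expirationTime;
-}
-
-public void setExpirationTime(int expirationTime) {
-this.expirationTime = expirationTime;
-}
-
-public static OHttpSessionManager getInstance() {
-return instance;
-}
-}
+* Handles the HTTP sessions such as a real HTTP Server.
+*
+* @author Luca Garulli
+*/
+public class OHttpSessionManager extends OSharedResourceAbstract {
+private static final OHttpSessionManager instance = new OHttpSessionManager();
+private Map<String, OHttpSession> sessions = new HashMap<String, OHttpSession>();
+private int expirationTime;
+private Random random = new SecureRandom();
+
+protected OHttpSessionManager() {
+expirationTime = OGlobalConfiguration.NETWORK_HTTP_SESSION_EXPIRE_TIMEOUT.getValueAsInteger() * 1000;
+
+Orient.instance().scheduleTask(new TimerTask() {
+@Override
+public void run() {
+final int expired = checkSessionsValidity();
+if (expired > 0)
+OLogManager.instance().debug(this, "Removed %d session because expired", expired);
+}
+}, expirationTime, expirationTime);
+}
+
+public int checkSessionsValidity() {
+int expired = 0;
+
+acquireExclusiveLock();
+try {
+final long now = System.currentTimeMillis();
+
+Entry<String, OHttpSession> s;
+for (Iterator<Map.Entry<String, OHttpSession>> it = sessions.entrySet().iterator(); it.hasNext();) {
+s = it.next();
+
+if (now - s.getValue().getUpdatedOn() > expirationTime) {
+// REMOVE THE SESSION
+it.remove();
+expired++;
+}
+}
+
+} finally {
+releaseExclusiveLock();
+}
+
+return expired;
+}
+
+public OHttpSession[] getSessions() {
+acquireSharedLock();
+try {
+
+return (OHttpSession[]) sessions.values().toArray(new OHttpSession[sessions.size()]);
+
+} finally {
+releaseSharedLock();
+}
+}
+
+public OHttpSession getSession(final String iId) {
+acquireSharedLock();
+try {
+
+final OHttpSession sess = sessions.get(iId);
+if (sess != null)
+sess.updateLastUpdatedOn();
+return sess;
+
+} finally {
+releaseSharedLock();
+}
+}
+
+public String createSession(final String iDatabaseName, final String iUserName, final String iUserPassword) {
+acquireExclusiveLock();
+try {
+final String id = "OS" + System.currentTimeMillis() + random.nextLong();
+sessions.put(id, new OHttpSession(id, iDatabaseName, iUserName, iUserPassword));
+return id;
+
+} finally {
+releaseExclusiveLock();
+}
+}
+
+public OHttpSession removeSession(final String iSessionId) {
+acquireExclusiveLock();
+try {
+return sessions.remove(iSessionId);
+
+} finally {
+releaseExclusiveLock();
+}
+}
+
+public int getExpirationTime() {
+return expirationTime;
+}
+
+public void setExpirationTime(int expirationTime) {
+this.expirationTime = expirationTime;
+}
+
+public static OHttpSessionManager getInstance() {
+return instance;
+}
+}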
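Review bot: Switching the field to SecureRandom fixes the generator, but the session id built in createSession (new line 112, `"OS" + System.currentTimeMillis() + random.nextLong()`) still carries only the 64 bits of one `nextLong()`: the millisecond timestamp is publicly guessable and adds no unpredictability, and the signed decimal rendering yields ids of varying length with an embedded `-` for negative values. Consider deriving the id from two random longs in fixed-width hex instead, e.g. `final String id = "OS" + Long.toHexString(random.nextLong()) + Long.toHexString(random.nextLong());`, which gives 128 bits of entropy with no new imports. The field on new line 44 should also become `private final Random random = new SecureRandom();` with a short comment such as `// SecureRandom: session ids are bearer tokens and must not be guessable`, since nothing in the class reassigns it. Separately, new line 113 appears to store `iUserPassword` inside the session object; if OHttpSession keeps it as a plain String for the session's lifetime, that is worth a follow-up note on the class Javadoc about how long credentials are retained in memory.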
