From 66487c3b255e28506f12a59571c97571b0dcbb47 Mon Sep 17 00:00:00 2001
From: wcrisman
Date: Fri, 11 Jul 2014 15:39:28 -0700
Subject: [PATCH] Fixed bug in handling of sessions - some non-standard web apps (forwarding domains for example) in fact will have null sessions attached to their connections. Non-breaking change.
---
 .../src/com/foundation/web/WebApplication.java | 1 +
 .../com/foundation/web/server/WebServer.java | 17 +++++++++--------
 .../web/interfaces/IWebApplication.java | 2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/Foundation Web Application/src/com/foundation/web/WebApplication.java b/Foundation Web Application/src/com/foundation/web/WebApplication.java
index e0657c6..ecba9e1 100644
--- a/Foundation Web Application/src/com/foundation/web/WebApplication.java
+++ b/Foundation Web Application/src/com/foundation/web/WebApplication.java
@@ -682,6 +682,7 @@ public void processRequest(final IRequest request, final IResponse response, fin
 }//if//
 if(!ignoreRequest) {
+ //Note: Session should always be non-null for a standard web app.//
 synchronized(session) {
 resourceRequestHandler.processRequest(request, response, session == null ? null : (SessionData) session.getApplicationData(), session == null ? null : (SecureSessionData) (isSecure ? session.getApplicationSecureData() : null), isSecure, connectionContext);
 //Update the repository with the session changes as necessary.//
diff --git a/Foundation Web Core/src/com/foundation/web/server/WebServer.java b/Foundation Web Core/src/com/foundation/web/server/WebServer.java
index 2b0e9f0..7c07f3e 100644
--- a/Foundation Web Core/src/com/foundation/web/server/WebServer.java
+++ b/Foundation Web Core/src/com/foundation/web/server/WebServer.java
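Review bot: `synchronized(session)` in WebApplication.processRequest throws a NullPointerException when `session` is null, so the `session == null ? null : …` ternaries on the following line can never take their null branch. The added comment says a standard app always has a session, but this same patch removes the server-side check in WebServer that enforced it, so a null return from createSession() would now surface here as an unexplained NPE. An explicit guard before the block makes the failure clear, for example `if(session == null) throw new IllegalStateException("WebApplication requires a non-null session");`. processRequest starts and ends outside the hunk.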
@@ -2975,15 +2975,16 @@ private boolean processClientRequest(SocketContext context, final Request reques
 clientHadBadSession = request.getSessionId() != null;
 hasNewSessionData = true;
- //Basic error checking.//
- if(session == null) {
- throw new RuntimeException("WebApplication failure: Cannot return a null value from IWebApplication.createSession()");
- }//if//
+ //Removed this code: Cannot disallow null sessions because then forwarding apps would need to fake a session.
+// //Basic error checking.//
+// if(session == null) {
+// throw new RuntimeException("WebApplication failure: Cannot return a null value from IWebApplication.createSession()");
+// }//if//
 }//if//
 //If we are handling a secure connection then setup or locate the secure session object.//
 if(context.sslEngine != null) {
- if((request.getSecureSessionId() != null) && (session.getSecureSessionId() != null)) {
+ if((request.getSecureSessionId() != null) && (session != null) && (session.getSecureSessionId() != null)) {
 if(session.getSecureSessionId().equals(request.getSecureSessionId())) {
 allowSecureAccess = true;
 }//if//
@@ -2991,7 +2992,7 @@ private boolean processClientRequest(SocketContext context, final Request reques
 Debug.log(new RuntimeException("Error: The client did not send the correct secure session id with the request!"));
 }//else//
 }//if//
- else if(session.getSecureSessionId() == null) {
+ else if(session != null && session.getSecureSessionId() == null) {
 //TODO: Remove
 if(debug) {
 Debug.log("SC: " + context.id + " Creating Secure Session");
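Review bot: Removing the null check in processClientRequest makes a null session acceptable for every IWebApplication, not only forwarding apps, so an application that returns null from createSession() by mistake is now served without a session instead of failing at this point. On a TLS connection (`context.sslEngine != null`) with a null session neither secure-session branch runs, and a request that carries a secure session id is skipped without the `Debug.log` that the mismatch case gets; whether `allowSecureAccess` is false in that case depends on its initialisation, which is outside the hunk. I would delete the commented-out block rather than keep it, since version control has it, and leave one comment stating the contract, for example `//A null session is allowed only for applications that do not use sessions (e.g. forwarding domains).//`. Any later use of `session` in this method that lies outside the visible hunks needs the same null guard.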
@@ -3009,7 +3010,7 @@ private boolean processClientRequest(SocketContext context, final Request reques
 //Save the session immediately since the requested resource might not indicate to the application that the session was updated.//
 //Note: We shouldn't have any problems with multiple threads from the same client each creating their own session data since every browser should start with a single thread requesting a single resource before multiple threads are used to download all the child resources.//
- if(hasNewSessionData) {
+ if(session != null && hasNewSessionData) {
 //Store the session store in the db.//
 session.updateRepository();
 }//if//
@@ -3073,7 +3074,7 @@ private boolean processClientRequest(SocketContext context, final Request reques
 * Processes a client request.
 * @param request The request.
 * @param response The response container.
- * @param session The session for the request. This will never be null, even if the application does not use session data (or provide a SessionData instance).
+ * @param session The session for the request. This may be null in the case of non-standard web applications such as a forwarding domain.
 * @param allowSecureAccess Whether the session's secure sessions should be accessable.
 * @param clientHadBadSession Whether the client's request contained a session reference that could not be found on the server.
 * @return Whether request is in a receive state. Will be false if the request generated a response that could not be completely transmitted.
diff --git a/Foundation Web Interfaces/src/com/foundation/web/interfaces/IWebApplication.java b/Foundation Web Interfaces/src/com/foundation/web/interfaces/IWebApplication.java
index 26b523a..d4431d2 100644
--- a/Foundation Web Interfaces/src/com/foundation/web/interfaces/IWebApplication.java
+++ b/Foundation Web Interfaces/src/com/foundation/web/interfaces/IWebApplication.java
@@ -165,7 +165,7 @@ public void createSecureSession(ISession session);
 * Processes a request from the client associated with the session. The result is placed in the response object.
 * @param request The request metadata.
 * @param response The response metadata.
- * @param session The session context for the request (never null). This is *NOT* the Session Data or Secure Session Data that the application provides, but they are accessable from this session. Provide internal (to the web server) session related data.
+ * @param session The session context for the request. May be null in the case of a non-standard web app such as a forwarding domain. This is *NOT* the Session Data or Secure Session Data that the application provides, but they are accessable from this session. Provide internal (to the web server) session related data.
 * @param isSecure Whether the request was made over a secure connection and provided the correct secure id.
 * @param clientHadBadSession Whether the client's request contained a session reference that could not be found on the server.
 * @param connectionContext The context object for the connection (socket) between the client (web browser) and server (web server).
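Review bot: The new `@param session` text in IWebApplication says when a null session is expected but not where the null comes from, which leaves implementers unable to tell whether they must handle it. From the WebServer change in this patch it appears to be null only when the application's own createSession() returned null, so I would state that: `May be null only if this application's createSession() returned null (e.g. a forwarding domain).` The same wording would fit the `@param session` line of the WebServer Javadoc changed earlier in the patch. The documented method's declaration lies outside the hunk.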