The session with a cookie
A session is a block of memory created on the server side. It stores information for a client so that the information does not have to be regenerated for a period of time. Each client corresponds to one session, which in Tomcat is obtained by calling request.getSession().
The logic of getSession() is simple: get the sessionId from the client and look it up in the sessions variable of the standard session manager (key = sessionId, value = session). The cookie attribute JSESSIONID=XXX is added to the request header. The core method is Request->doGetSession().
StandardManager is the standard session manager, which manages all sessions. In addition to recording the sessionId, it also determines whether a session has expired; the main logic is in the backgroundProcess() method. The Tomcat container has a thread dedicated to background processing, and this thread runs in an endless loop.
ContainerBase->ContainerBackgroundProcessor->processChildren():
// perform background tasks
container.backgroundProcess();
Container[] children = container.findChildren();
for (int i = 0; i < children.length; i++) {
    if (children[i].getBackgroundProcessorDelay() <= 0) {
        processChildren(children[i]);
    }
}
Processing starts at the Engine, whose child container is Host, whose child container is Context, whose child container is Wrapper. The standard session manager checks whether sessions have expired in the Context's backgroundProcess() method. When Tomcat stops, the manager persists all sessions belonging to the web application to disk in a file named SESSIONS.ser (in the stopInternal() method; note that this requires gracefully shutting down the service rather than stopping or restarting it directly). When Tomcat starts, this file is loaded again into the sessions variable. After loading completes the file is deleted, so it is not visible after a successful startup.
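The lookup and expiry flow described above, modelled in Java. This is an added example, not Tomcat's code: the class SessionManagerModel, its fields, the 128-bit random id and the 30-minute timeout are assumptions for illustration; only the sessions map and the backgroundProcess() name mirror the text.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionManagerModel {
    static final class Session {
        final String id;
        volatile long lastAccessed;
        Session(String id, long now) { this.id = id; this.lastAccessed = now; }
    }

    // key = sessionId, value = session, as in the text
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long maxInactiveMillis;

    SessionManagerModel(long maxInactiveMillis) { this.maxInactiveMillis = maxInactiveMillis; }

    // Models getSession(): reuse the session named by the client's JSESSIONID if it
    // exists and is still valid. An id this model never issued is not adopted;
    // a new random id is generated instead, so a client cannot choose its own id.
    Session getSession(String requestedId, long now) {
        Session s = requestedId == null ? null : sessions.get(requestedId);
        if (s != null && now - s.lastAccessed < maxInactiveMillis) {
            s.lastAccessed = now;
            return s;
        }
        if (s != null) sessions.remove(s.id);            // expired, found on access
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        StringBuilder id = new StringBuilder();
        for (byte b : raw) id.append(String.format("%02X", b));
        Session created = new Session(id.toString(), now);
        sessions.put(created.id, created);
        return created;
    }

    // Models the expiry pass driven by the background thread; returns how many were removed.
    int backgroundProcess(long now) {
        int before = sessions.size();
        sessions.values().removeIf(s -> now - s.lastAccessed >= maxInactiveMillis);
        return before - sessions.size();
    }

    public static void main(String[] args) {
        SessionManagerModel m = new SessionManagerModel(30 * 60 * 1000L);
        Session first = m.getSession(null, 0);                               // no cookie yet
        System.out.println("reused: " + (m.getSession(first.id, 1000) == first));
        System.out.println("unknown id replaced by: " + m.getSession("CLIENT-SUPPLIED-ID", 1000).id);
        System.out.println("expired: " + m.backgroundProcess(31 * 60 * 1000L));
    }
}
```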
The JSP and servlet
Tomcat matches each URL to a Wrapper. A JSP URL matches the JSP wrapper, whose Servlet class is JspServlet. Every servlet is entered through its service(ServletRequest req, ServletResponse res) method.
JSP recompile mechanism
On each request, the last modification time of the referenced JSP file is read and compared with the last modification time of the generated class or Java file; if they differ, the generated files are deleted and recompiled. JspCompilationContext->compile(): jspCompiler.isOutDated()
JSP compilation file
Compiler->compile(): Map smaps = generateJava()
Compiler->compile(): generateClass(smaps)
During class generation, the last modification time of the class file is set to the last modification time of the Java file, with the corresponding line number.
We know that JSPs write Java code in HTML and servlets write HTML code in Java, so if a JSP file looks like this, the compiled Java class and its main methods should look like the following figure.
HttpJspBase is a subclass of HttpServlet. It is a Java class conforming to the Servlet specification. The HTML statement is written to the request body in the form of out.write.
Security policy and security management
In source code you will often see calls such as System.getSecurityManager(), security.checkPermission(permission) and AccessController.doPrivileged(). These belong to security management. Security management means granting certain permissions to an application during development: before performing certain operations, the code checks permissions and refuses to perform the operation if the permission is missing.
Permission checking is not enabled by default in Spring Boot. There are two ways to enable it: call System.setSecurityManager(new SecurityManager()) in code, or add the VM parameter -Djava.security.manager. A permission check eventually invokes the static method java.security.AccessController.checkPermission(Permission perm); if the permission is missing, an AccessControlException is thrown.
A security policy is a file that specifies the permissions granted to applications and assigns them based on the actual situation. If no security policy is specified, the default security policy of the JRE is used. This file is located in the lib/security directory.
There are also two ways to specify a security policy: call System.setProperty("java.security.policy", "<policy file>") in code, or add the VM parameter -Djava.security.policy=<policy file>.
Assume that the security policy grants runtime permissions and read and write permissions on system properties.
grant {
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "*";
};
Test with the following code
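// requires: import java.io.File;
public static void main(String[] args) throws Exception {
    // Point the JVM at the policy file, then turn permission checks on
    System.setProperty("java.security.policy", "src/main/resources/policy.txt");
    System.setSecurityManager(new SecurityManager());
    dir();
    File fs = new File(dir() + "/temp.txt");
    // Needs a file permission that the policy above does not grant
    fs.createNewFile();
}

public static String dir() {
    // Allowed by the PropertyPermission "read" grant
    return System.getProperty("user.dir");
}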
This code will report an error at fs.createNewFile(), because the policy grants no java.io.FilePermission.
When code in different modules (in this case different JARs) calls each other, for example the core module calling the common module, both modules need to have the permission for the operation. The JDK provides a privilege mechanism: AccessController.doPrivileged() lets the check pass without the caller having the permission.
Change the security policy file so that the common module is granted the runtime and system property permissions.
grant codebase "file:demo-common/target/classes"{
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "*";
};
The code for the Common module is as follows
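import java.security.AccessController;
import java.security.PrivilegedAction;

public class CommonDTO {
    public static String getDir() throws Exception {
        // Inside doPrivileged only the common module is checked; the result is discarded
        AccessController.doPrivileged((PrivilegedAction<String>) CommonDTO::dir);
        // Outside doPrivileged every caller on the stack is checked
        return dir();
    }
    private static String dir() {
        return System.getProperty("user.dir");
    }
}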
The main function in the core module is changed to:
public static void main(String[] args) throws Exception {
    System.setProperty("java.security.policy", "src/main/resources/policy.txt");
    System.setSecurityManager(new SecurityManager());
    CommonDTO.getDir();
}
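This code will report an error on the return dir() line: that call runs outside doPrivileged(), so the permission check also covers the core module on the call stack, which has no grant.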
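The failure above and its correction, reproduced in a single file. This is an added example, not the article's project code: the class DoPrivilegedDemo, the methods getDirBroken, getDirFixed and asUnprivilegedCaller, and the in-code Policy are assumptions. The empty ProtectionDomain stands in for the core module that has no grant, and the code needs a JDK on which the Security Manager can still be installed (JDK 17 or earlier without extra flags).

```java
import java.security.*;

public class DoPrivilegedDemo {
    // The common module's method as written on the page: the privileged result
    // is thrown away and dir() is then called with the full call stack checked.
    static String getDirBroken() {
        AccessController.doPrivileged((PrivilegedAction<String>) DoPrivilegedDemo::dir);
        return dir();
    }

    // Corrected form: return the value computed inside the privileged block.
    static String getDirFixed() {
        return AccessController.doPrivileged((PrivilegedAction<String>) DoPrivilegedDemo::dir);
    }

    private static String dir() {
        return System.getProperty("user.dir");
    }

    // Runs the action as if its caller (the "core" module) had been granted nothing.
    static String asUnprivilegedCaller(PrivilegedAction<String> action) {
        ProtectionDomain empty = new ProtectionDomain(null, new Permissions());
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { empty });
        try {
            return AccessController.doPrivileged(action, ctx);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Grant this class everything; plays the role of the codebase grant
        // given to the common module in the policy file.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());
        System.out.println(asUnprivilegedCaller(DoPrivilegedDemo::getDirBroken));
        System.out.println(asUnprivilegedCaller(DoPrivilegedDemo::getDirFixed));
    }
}
```

The first call reports the denied PropertyPermission for user.dir; the second prints the working directory, because the stack walk stops at the doPrivileged() frame inside getDirFixed().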