Commit ce148e4a authored by Ard Schrijvers's avatar Ard Schrijvers

HSTTWO-4545 [Backport 11.2] In general don't cache jcr sessions any more

Although creating a session delegation is expensive, caching them via the
SecuritySessionDelegation is no longer needed: first of all, the
CmsSecurityValve doesn't need it, because the JCR Session is cached on the http session

The ContentBeanUtils can easily cache the jcr session itself instead of
via the generic SecuritySessionDelegation methods

(cherry picked from commit e9b6ee4b)
parent daaa6efb
/*
* Copyright 2013 Hippo B.V. (http://www.onehippo.com)
* Copyright 2013-2019 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -52,16 +52,11 @@ public interface SessionSecurityDelegation {
/**
* Returns an existing {@link Session} if there is one on the hst request for <code>key</code>. If there is none, a
* {@link Session} delegate will be created, with flag <code>autoLogout</code> is <code>true</code>
* @return a security delegated session which combines the access control rules for {@link Session} belonging to <code>delegate</code>
* and the normal hst live session credentials <b>with</b> the addition of an extra wildcard domain rule hippo:availability = live. The
* {@link Session} is automatically logged out at the end of the hst request
* @throws RepositoryException
* @throws IllegalStateException if <code>securityDelegationEnabled</code> is false or in case the created sessions are not of type {@link org.hippoecm.repository.api.HippoSession}
* or when there is not <code>HstRequestContext</code> available
* @see #createLiveSecurityDelegate(javax.jcr.Credentials, boolean)
* @deprecated since 13.0.1 and 13.1.0 : Use {@link #createLiveSecurityDelegate(Credentials, boolean)} instead. The
* {@code key} parameter is not needed any more since we don't support returning same jcr session based on cachekey
* any more. Use autologout = true if you replace this method
*/
@Deprecated
Session getOrCreateLiveSecurityDelegate(Credentials delegate, String key) throws RepositoryException, IllegalStateException;
/**
......@@ -76,16 +71,11 @@ public interface SessionSecurityDelegation {
Session createLiveSecurityDelegate(Credentials delegate, boolean autoLogout) throws RepositoryException, IllegalStateException;
/**
* Returns an existing {@link Session} if there is one on the hst request for <code>key</code>. If there is none, a
* {@link Session} delegate will be created, with flag <code>autoLogout</code> is <code>true</code>
* @return a security delegated session which combines the access control rules for {@link Session} belonging to <code>delegate</code>
* and the normal hst live session credentials <b>with</b> the addition of an extra wildcard domain rule hippo:availability = live. The
* {@link Session} is automatically logged out at the end of the hst request
* @throws RepositoryException
* @throws IllegalStateException if <code>securityDelegationEnabled</code> is false or in case the created sessions are not of type {@link org.hippoecm.repository.api.HippoSession}
* or when there is not <code>HstRequestContext</code> available
* @see #createLiveSecurityDelegate(javax.jcr.Credentials, boolean)
* @deprecated since 13.0.1 and 13.1.0 : Use {@link #createPreviewSecurityDelegate(Credentials, boolean)} instead. The
* {@code key} parameter is not needed any more since we don't support returning same jcr session based on cachekey
* any more. Use autologout = true if you replace this method
*/
@Deprecated
Session getOrCreatePreviewSecurityDelegate(Credentials delegate, String key) throws RepositoryException, IllegalStateException;
/**
......
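Review bot: The `@deprecated` notes on `getOrCreateLiveSecurityDelegate` and `getOrCreatePreviewSecurityDelegate` state that key-based reuse is gone, yet the opening sentence of each Javadoc (`Returns an existing {@link Session} if there is one on the hst request for <code>key</code>`) still promises exactly that reuse; if that sentence survives on the new side it should be replaced with the current contract, for example `Creates a new security delegate on every call; <code>key</code> is ignored.`, assuming that is what the implementation now does, which is outside this diff. The note also says `since 13.0.1 and 13.1.0` while the commit title marks this as a backport to 11.2, so the deprecation line should name the 11.2.x release in which it first ships. Likewise `Use autologout = true if you replace this method` would read more precisely as `pass <code>autoLogout = true</code> to the replacement to keep the end-of-request logout`, since callers migrating from the cached variant otherwise risk leaking delegated sessions.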
/*
* Copyright 2013 Hippo B.V. (http://www.onehippo.com)
* Copyright 2013-2019 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -103,10 +103,10 @@ public class SessionSecurityDelegationIT extends AbstractRepositoryTestCase {
final Session preview1 = sessionSecurityDelegation.getOrCreatePreviewSecurityDelegate(creds, "test123");
final Session preview2 = sessionSecurityDelegation.getOrCreatePreviewSecurityDelegate(creds, "test123");
assertTrue(live1 == live2);
assertTrue(live1 == live3);
assertFalse(live1 == live2);
assertFalse(live1 == live3);
assertFalse(live1 == live4);
assertTrue(preview1 == preview2);
assertFalse(preview1 == preview2);
assertFalse(live1 == preview1);
sessionSecurityDelegation.cleanupSessionDelegates(RequestContextProvider.get());
......
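Review bot: The new assertions only check that repeated calls yield distinct instances; because caching was removed, each call now opens a separate delegated JCR session, so the test should also verify that `cleanupSessionDelegates` on the last hunk line actually logs all of them out, e.g. `assertFalse(live1.isLive());` for every delegate after that call, unless this is already asserted past the end of the hunk, which is not visible here. Without that check a regression that drops the autoLogout registration for one of the four live delegates or the two preview delegates would go unnoticed while sessions carrying combined access control stay open. The test method's closing brace lies outside the hunk, and since it deliberately exercises the deprecated `getOrCreate...` methods a short comment saying so (or `@SuppressWarnings("deprecation")` on the method) would make the resulting warning intentional.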
......@@ -767,6 +767,10 @@ public class ContentBeanUtils {
public static Session getPreviewCmsQuerySession(HstRequestContext requestContext, String sessionIdentifier) throws HstComponentException {
try {
final Session previewSecurityDelegate = (Session)requestContext.getAttribute(ContentBeanUtils.class.getName() + "." + sessionIdentifier);
if (previewSecurityDelegate != null) {
return previewSecurityDelegate;
}
SessionSecurityDelegation sessionSecurityDelegation = HstServices.getComponentManager().getComponent(SessionSecurityDelegation.class.getName());
if (!sessionSecurityDelegation.sessionSecurityDelegationEnabled()) {
log.debug("Security Delegation was expected to be enabled for cms request with non proxied session but it was not enabled. " +
......@@ -779,7 +783,9 @@ public class ContentBeanUtils {
throw new IllegalStateException("HttpServletRequest should contain cms user credentials attribute for cms requests");
}
// create a security delegated session that is automatically cleaned up at the end of the request
return sessionSecurityDelegation.getOrCreatePreviewSecurityDelegate(cmsUserCred, sessionIdentifier);
final Session newPreviewSecurityDelegate = sessionSecurityDelegation.createPreviewSecurityDelegate(cmsUserCred, true);
requestContext.setAttribute(ContentBeanUtils.class.getName() + "." + sessionIdentifier, newPreviewSecurityDelegate);
return previewSecurityDelegate;
} catch (RepositoryException e) {
throw new HstComponentException(e);
}
......
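Review bot: The `return previewSecurityDelegate;` on the last line of the second hunk returns the wrong variable: at that point `previewSecurityDelegate` is necessarily null, because the non-null case already returned from the first hunk, so the first call for a given `sessionIdentifier` creates and caches a delegate and then hands the caller null. It should be `return newPreviewSecurityDelegate;`. Consider also hoisting `ContentBeanUtils.class.getName() + "." + sessionIdentifier` into a local `attributeName` so the `getAttribute` and `setAttribute` keys cannot drift apart. The method's closing brace lies past the end of the hunk.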