FWK-208: Tratamento de uso de sessão com REST

Task-Url: https://demoiselle.atlassian.net/browse/FWK-208

FWK-208: Tratamento de uso de sessão com REST
Task-Url: https://demoiselle.atlassian.net/browse/FWK-208
Cleverson Sacramento
1 parent acdef681
Showing 5 changed files with 122 additions and 6 deletions Show diff stats
impl/extension/rest/src/main/java/br/gov/frameworkdemoiselle/internal/implementation/DefaultExceptionMapper.java
impl/extension/rest/src/main/java/br/gov/frameworkdemoiselle/internal/implementation/SessionNotPermittedListener.java
impl/extension/rest/src/main/java/br/gov/frameworkdemoiselle/security/SessionNotPermittedFilter.java
impl/extension/rest/src/main/resources/META-INF/web-fragment.xml
impl/extension/rest/src/test/java/test/Tests.java
@@ -25,7 +25,7 @@ public class DefaultExceptionMapper implements ExceptionMapper&lt;Throwable&gt; {
 		String message = getBundle().getString("internal-server-error");
 		getLogger().log(SEVERE, message, exception);
-		return Response.status(INTERNAL_SERVER_ERROR).entity(message).build();
+		return Response.status(INTERNAL_SERVER_ERROR).entity(message).type("text/plain").build();
 	}
 	private ResourceBundle getBundle() {
 package br.gov.frameworkdemoiselle.internal.implementation;
+import static javax.servlet.SessionTrackingMode.URL;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.enterprise.event.Observes;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import javax.servlet.SessionTrackingMode;
 import javax.servlet.annotation.WebListener;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSessionEvent;
 import javax.servlet.http.HttpSessionListener;
+import br.gov.frameworkdemoiselle.transaction.BeforeTransactionComplete;
+import br.gov.frameworkdemoiselle.util.Beans;
+
 @WebListener
-public class SessionNotPermittedListener implements HttpSessionListener {
+public class SessionNotPermittedListener implements ServletContextListener, HttpSessionListener {
+
+	private static final String ATTR_NAME = "br.gov.frameworkdemoiselle.SESSION_NOT_PERMITTED";
+
+	private static final String ATTR_VALUE = "created";
+
+	public void contextInitialized(ServletContextEvent event) {
+		Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
+		modes.add(URL);
+		event.getServletContext().setSessionTrackingModes(modes);
+	}
+
+	public void contextDestroyed(ServletContextEvent event) {
+	}
 	@Override
 	public void sessionCreated(HttpSessionEvent event) {
-		// event.getSession().invalidate();
-		// throw new IllegalStateException("Session use is not permitted.");
+		HttpServletRequest request = Beans.getReference(HttpServletRequest.class);
+		request.setAttribute(ATTR_NAME, ATTR_VALUE);
+		event.getSession().invalidate();
 	}
 	@Override
 	public void sessionDestroyed(HttpSessionEvent event) {
 	}
+
+	public void beforeTransactionComplete(@Observes BeforeTransactionComplete event) {
+		HttpServletRequest request = Beans.getReference(HttpServletRequest.class);
+
+		if (ATTR_VALUE.equals(request.getAttribute(ATTR_NAME))) {
+			throw new IllegalStateException("Session use is not permitted.");
+		}
+	}
 }
@@ -0,0 +1,70 @@
+/*
+ * Demoiselle Framework
+ * Copyright (C) 2010 SERPRO
+ * ----------------------------------------------------------------------------
+ * This file is part of Demoiselle Framework.
+ * 
+ * Demoiselle Framework is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License version 3
+ * as published by the Free Software Foundation.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License version 3
+ * along with this program; if not,  see <http://www.gnu.org/licenses/>
+ * or write to the Free Software Foundation, Inc., 51 Franklin Street,
+ * Fifth Floor, Boston, MA  02110-1301, USA.
+ * ----------------------------------------------------------------------------
+ * Este arquivo é parte do Framework Demoiselle.
+ * 
+ * O Framework Demoiselle é um software livre; você pode redistribuí-lo e/ou
+ * modificá-lo dentro dos termos da GNU LGPL versão 3 como publicada pela Fundação
+ * do Software Livre (FSF).
+ * 
+ * Este programa é distribuído na esperança que possa ser útil, mas SEM NENHUMA
+ * GARANTIA; sem uma garantia implícita de ADEQUAÇÃO a qualquer MERCADO ou
+ * APLICAÇÃO EM PARTICULAR. Veja a Licença Pública Geral GNU/LGPL em português
+ * para maiores detalhes.
+ * 
+ * Você deve ter recebido uma cópia da GNU LGPL versão 3, sob o título
+ * "LICENCA.txt", junto com esse programa. Se não, acesse <http://www.gnu.org/licenses/>
+ * ou escreva para a Fundação do Software Livre (FSF) Inc.,
+ * 51 Franklin St, Fifth Floor, Boston, MA 02111-1301, USA.
+ */
+package br.gov.frameworkdemoiselle.security;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+public class SessionNotPermittedFilter implements Filter {
+
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+			ServletException {
+
+		chain.doFilter(request, response);
+
+		if ("x".equals(request.getAttribute("x"))) {
+			HttpServletResponse r = (HttpServletResponse) response;
+			r.setStatus(500);
+		}
+	}
+
+	@Override
+	public void destroy() {
+	}
+}
@@ -40,6 +40,17 @@
 	<name>demoiselle_rest</name>
+	<!--
+	<filter>
+		<filter-name>Demoiselle Session Not Permitted Filter</filter-name>
+		<filter-class>br.gov.frameworkdemoiselle.security.SessionNotPermittedFilter</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>Demoiselle Session Not Permitted Filter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	-->
+	
 	<filter>
 		<filter-name>Demoiselle BasicAuth Filter</filter-name>
 		<filter-class>br.gov.frameworkdemoiselle.security.BasicAuthFilter</filter-class>
@@ -57,7 +57,7 @@ import br.gov.frameworkdemoiselle.internal.implementation.ConstraintViolationExc
 import br.gov.frameworkdemoiselle.internal.implementation.DefaultExceptionMapper;
 import br.gov.frameworkdemoiselle.internal.implementation.HttpViolationExceptionMapper;
 import br.gov.frameworkdemoiselle.internal.implementation.IllegalArgumentExceptionMapper;
-import br.gov.frameworkdemoiselle.internal.implementation.SessionNotPermittedListener;
+import br.gov.frameworkdemoiselle.internal.implementation.SessionNotPermittedAlertListener;
 import br.gov.frameworkdemoiselle.security.AbstractHTTPAuthorizationFilter;
 import br.gov.frameworkdemoiselle.security.BasicAuthFilter;
 import br.gov.frameworkdemoiselle.security.RESTSecurityConfig;
@@ -98,7 +98,7 @@ public final class Tests {
 				.addClass(IllegalArgumentExceptionMapper.class)
 				.addClass(DefaultExceptionMapper.class)
 				.addClass(HttpViolationExceptionMapper.class)
-				.addClass(SessionNotPermittedListener.class)
+				.addClass(SessionNotPermittedAlertListener.class)
 				.addClass(AbstractHTTPAuthorizationFilter.class)
 				.addClass(BasicAuthFilter.class)
 				.addClass(RESTSecurityConfig.class)
	@@ -25,7 +25,7 @@ public class DefaultExceptionMapper implements ExceptionMapper<Throwable> {		@@ -25,7 +25,7 @@ public class DefaultExceptionMapper implements ExceptionMapper<Throwable> {
25	String message = getBundle().getString("internal-server-error");	25	String message = getBundle().getString("internal-server-error");
26	getLogger().log(SEVERE, message, exception);	26	getLogger().log(SEVERE, message, exception);
27		27
28	- return Response.status(INTERNAL_SERVER_ERROR).entity(message).build();	28	+ return Response.status(INTERNAL_SERVER_ERROR).entity(message).type("text/plain").build();
29	}	29	}
30		30
31	private ResourceBundle getBundle() {	31	private ResourceBundle getBundle() {
1	package br.gov.frameworkdemoiselle.internal.implementation;	1	package br.gov.frameworkdemoiselle.internal.implementation;
2		2
		3	+import static javax.servlet.SessionTrackingMode.URL;
		4	+
		5	+import java.util.HashSet;
		6	+import java.util.Set;
		7	+
		8	+import javax.enterprise.event.Observes;
		9	+import javax.servlet.ServletContextEvent;
		10	+import javax.servlet.ServletContextListener;
		11	+import javax.servlet.SessionTrackingMode;
3	import javax.servlet.annotation.WebListener;	12	import javax.servlet.annotation.WebListener;
		13	+import javax.servlet.http.HttpServletRequest;
4	import javax.servlet.http.HttpSessionEvent;	14	import javax.servlet.http.HttpSessionEvent;
5	import javax.servlet.http.HttpSessionListener;	15	import javax.servlet.http.HttpSessionListener;
6		16
		17	+import br.gov.frameworkdemoiselle.transaction.BeforeTransactionComplete;
		18	+import br.gov.frameworkdemoiselle.util.Beans;
		19	+
7	@WebListener	20	@WebListener
8	-public class SessionNotPermittedListener implements HttpSessionListener {	21	+public class SessionNotPermittedListener implements ServletContextListener, HttpSessionListener {
		22	+
		23	+ private static final String ATTR_NAME = "br.gov.frameworkdemoiselle.SESSION_NOT_PERMITTED";
		24	+
		25	+ private static final String ATTR_VALUE = "created";
		26	+
		27	+ public void contextInitialized(ServletContextEvent event) {
		28	+ Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
		29	+ modes.add(URL);
		30	+ event.getServletContext().setSessionTrackingModes(modes);
		31	+ }
		32	+
		33	+ public void contextDestroyed(ServletContextEvent event) {
		34	+ }
9		35
10	@Override	36	@Override
11	public void sessionCreated(HttpSessionEvent event) {	37	public void sessionCreated(HttpSessionEvent event) {
12	- // event.getSession().invalidate();
13	- // throw new IllegalStateException("Session use is not permitted.");	38	+ HttpServletRequest request = Beans.getReference(HttpServletRequest.class);
		39	+ request.setAttribute(ATTR_NAME, ATTR_VALUE);
		40	+ event.getSession().invalidate();
14	}	41	}
15		42
16	@Override	43	@Override
17	public void sessionDestroyed(HttpSessionEvent event) {	44	public void sessionDestroyed(HttpSessionEvent event) {
18	}	45	}
		46	+
		47	+ public void beforeTransactionComplete(@Observes BeforeTransactionComplete event) {
		48	+ HttpServletRequest request = Beans.getReference(HttpServletRequest.class);
		49	+
		50	+ if (ATTR_VALUE.equals(request.getAttribute(ATTR_NAME))) {
		51	+ throw new IllegalStateException("Session use is not permitted.");
		52	+ }
		53	+ }
19	}	54	}
@@ -0,0 +1,70 @@		@@ -0,0 +1,70 @@
	1	+/*
	2	+ * Demoiselle Framework
	3	+ * Copyright (C) 2010 SERPRO
	4	+ * ----------------------------------------------------------------------------
	5	+ * This file is part of Demoiselle Framework.
	6	+ *
	7	+ * Demoiselle Framework is free software; you can redistribute it and/or
	8	+ * modify it under the terms of the GNU Lesser General Public License version 3
	9	+ * as published by the Free Software Foundation.
	10	+ *
	11	+ * This program is distributed in the hope that it will be useful,
	12	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	+ * GNU General Public License for more details.
	15	+ *
	16	+ * You should have received a copy of the GNU Lesser General Public License version 3
	17	+ * along with this program; if not, see <http://www.gnu.org/licenses/>
	18	+ * or write to the Free Software Foundation, Inc., 51 Franklin Street,
	19	+ * Fifth Floor, Boston, MA 02110-1301, USA.
	20	+ * ----------------------------------------------------------------------------
	21	+ * Este arquivo é parte do Framework Demoiselle.
	22	+ *
	23	+ * O Framework Demoiselle é um software livre; você pode redistribuí-lo e/ou
	24	+ * modificá-lo dentro dos termos da GNU LGPL versão 3 como publicada pela Fundação
	25	+ * do Software Livre (FSF).
	26	+ *
	27	+ * Este programa é distribuído na esperança que possa ser útil, mas SEM NENHUMA
	28	+ * GARANTIA; sem uma garantia implícita de ADEQUAÇÃO a qualquer MERCADO ou
	29	+ * APLICAÇÃO EM PARTICULAR. Veja a Licença Pública Geral GNU/LGPL em português
	30	+ * para maiores detalhes.
	31	+ *
	32	+ * Você deve ter recebido uma cópia da GNU LGPL versão 3, sob o título
	33	+ * "LICENCA.txt", junto com esse programa. Se não, acesse <http://www.gnu.org/licenses/>
	34	+ * ou escreva para a Fundação do Software Livre (FSF) Inc.,
	35	+ * 51 Franklin St, Fifth Floor, Boston, MA 02111-1301, USA.
	36	+ */
	37	+package br.gov.frameworkdemoiselle.security;
	38	+
	39	+import java.io.IOException;
	40	+
	41	+import javax.servlet.Filter;
	42	+import javax.servlet.FilterChain;
	43	+import javax.servlet.FilterConfig;
	44	+import javax.servlet.ServletException;
	45	+import javax.servlet.ServletRequest;
	46	+import javax.servlet.ServletResponse;
	47	+import javax.servlet.http.HttpServletResponse;
	48	+
	49	+public class SessionNotPermittedFilter implements Filter {
	50	+
	51	+ @Override
	52	+ public void init(FilterConfig filterConfig) throws ServletException {
	53	+ }
	54	+
	55	+ @Override
	56	+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
	57	+ ServletException {
	58	+
	59	+ chain.doFilter(request, response);
	60	+
	61	+ if ("x".equals(request.getAttribute("x"))) {
	62	+ HttpServletResponse r = (HttpServletResponse) response;
	63	+ r.setStatus(500);
	64	+ }
	65	+ }
	66	+
	67	+ @Override
	68	+ public void destroy() {
	69	+ }
	70	+}
	@@ -40,6 +40,17 @@		@@ -40,6 +40,17 @@
40		40
41	<name>demoiselle_rest</name>	41	<name>demoiselle_rest</name>
42		42
		43	+ <!--
		44	+ <filter>
		45	+ <filter-name>Demoiselle Session Not Permitted Filter</filter-name>
		46	+ <filter-class>br.gov.frameworkdemoiselle.security.SessionNotPermittedFilter</filter-class>
		47	+ </filter>
		48	+ <filter-mapping>
		49	+ <filter-name>Demoiselle Session Not Permitted Filter</filter-name>
		50	+ <url-pattern>/*</url-pattern>
		51	+ </filter-mapping>
		52	+ -->
		53	+
43	<filter>	54	<filter>
44	<filter-name>Demoiselle BasicAuth Filter</filter-name>	55	<filter-name>Demoiselle BasicAuth Filter</filter-name>
45	<filter-class>br.gov.frameworkdemoiselle.security.BasicAuthFilter</filter-class>	56	<filter-class>br.gov.frameworkdemoiselle.security.BasicAuthFilter</filter-class>
	@@ -57,7 +57,7 @@ import br.gov.frameworkdemoiselle.internal.implementation.ConstraintViolationExc		@@ -57,7 +57,7 @@ import br.gov.frameworkdemoiselle.internal.implementation.ConstraintViolationExc
57	import br.gov.frameworkdemoiselle.internal.implementation.DefaultExceptionMapper;	57	import br.gov.frameworkdemoiselle.internal.implementation.DefaultExceptionMapper;
58	import br.gov.frameworkdemoiselle.internal.implementation.HttpViolationExceptionMapper;	58	import br.gov.frameworkdemoiselle.internal.implementation.HttpViolationExceptionMapper;
59	import br.gov.frameworkdemoiselle.internal.implementation.IllegalArgumentExceptionMapper;	59	import br.gov.frameworkdemoiselle.internal.implementation.IllegalArgumentExceptionMapper;
60	-import br.gov.frameworkdemoiselle.internal.implementation.SessionNotPermittedListener;	60	+import br.gov.frameworkdemoiselle.internal.implementation.SessionNotPermittedAlertListener;
61	import br.gov.frameworkdemoiselle.security.AbstractHTTPAuthorizationFilter;	61	import br.gov.frameworkdemoiselle.security.AbstractHTTPAuthorizationFilter;
62	import br.gov.frameworkdemoiselle.security.BasicAuthFilter;	62	import br.gov.frameworkdemoiselle.security.BasicAuthFilter;
63	import br.gov.frameworkdemoiselle.security.RESTSecurityConfig;	63	import br.gov.frameworkdemoiselle.security.RESTSecurityConfig;
	@@ -98,7 +98,7 @@ public final class Tests {		@@ -98,7 +98,7 @@ public final class Tests {
98	.addClass(IllegalArgumentExceptionMapper.class)	98	.addClass(IllegalArgumentExceptionMapper.class)
99	.addClass(DefaultExceptionMapper.class)	99	.addClass(DefaultExceptionMapper.class)
100	.addClass(HttpViolationExceptionMapper.class)	100	.addClass(HttpViolationExceptionMapper.class)
101	- .addClass(SessionNotPermittedListener.class)	101	+ .addClass(SessionNotPermittedAlertListener.class)
102	.addClass(AbstractHTTPAuthorizationFilter.class)	102	.addClass(AbstractHTTPAuthorizationFilter.class)
103	.addClass(BasicAuthFilter.class)	103	.addClass(BasicAuthFilter.class)
104	.addClass(RESTSecurityConfig.class)	104	.addClass(RESTSecurityConfig.class)