org.jwall.web.audit.session
Class AbstractSessionTracker

java.lang.Object
  extended by org.jwall.web.audit.session.AbstractSessionTracker
All Implemented Interfaces:
AuditEventListener, SessionTracker
Direct Known Subclasses:
CookieSessionTracker, HeuristicSessionTracker

public abstract class AbstractSessionTracker
extends java.lang.Object
implements SessionTracker

This class is an abstract implementation of a simple session tracker and provides the basis for the HeuristicSessionTracker and CookieSessionTracker trackers.

Author:
Christian Bockermann <chris@jwall.org>

Field Summary
protected  java.util.Hashtable<java.lang.String,Session> activeSessions
           
protected  long sessionTimeOut
           
protected  java.util.List<Session> timedOutSessions
           
protected  int type
           
 
Constructor Summary
AbstractSessionTracker()
          This creates a new instance of this class which is based on the default timeout of 2 hours ( = 7200000 ms ).
AbstractSessionTracker(long timeout)
          This initializes the tracker with the given session-timeout.
 
Method Summary
 void eventArrived(AuditEvent event)
          This method tracks an AuditEvent object and creates a session if none existed yet.
protected  void expireSession(Session s)
          Remove the session from the hash of active sessions and store it in the list of timed-out sessions.
abstract  java.lang.String extractKey(AuditEvent evt)
          This method extracts the key-feature from an event which is used to identify the session that this event is related to.
protected  Session getSession(java.lang.String sessionId)
          This method returns the session with the given session-id.
 java.util.Collection<Session> getSessions()
          This method returns all the sessions (active and timed-out) that have been created by the session-tracker.
 long getSessionTimeOut()
          Returns the session-timeout that is used by this tracker.
 boolean isExpired(Session s, AuditEvent event)
          This method is used to check a session for expiration according to the date of the given audit-event.
 void reset()
          This method simply resets the session-tracker to the initial state which holds no sessions.
 void setSessionTimeOut(long s)
          This method is used to set the session-timeout.
 void setStrictSessions(boolean b)
          In a strict session the session-id is presumed to be created by the server-side application.
 java.lang.String toString()
          This method returns a string of all events grouped by their session-id.
 boolean usesStrictSessions()
          Returns true, if the tracker only produces strict sessions.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

sessionTimeOut

protected long sessionTimeOut

activeSessions

protected java.util.Hashtable<java.lang.String,Session> activeSessions

timedOutSessions

protected java.util.List<Session> timedOutSessions

type

protected int type

Constructor Detail

AbstractSessionTracker

public AbstractSessionTracker()
This creates a new instance of this class which is based on the default timeout of 2 hours ( = 7200000 ms ).


AbstractSessionTracker

public AbstractSessionTracker(long timeout)
This initializes the tracker with the given session-timeout.

Parameters:
timeout - The session-timeout in seconds.

Method Detail

eventArrived

public void eventArrived(AuditEvent event)
This method tracks an AuditEvent object and creates a session if none existed yet. Otherwise the existing session is touched.

Specified by:
eventArrived in interface AuditEventListener
Specified by:
eventArrived in interface SessionTracker
Parameters:
event - The AuditEvent instance that is to be associated with a session.

expireSession

protected void expireSession(Session s)
Remove the session from the hash of active sessions and store it in the list of timed-out sessions.

Parameters:
s - The session to expire.

getSession

protected Session getSession(java.lang.String sessionId)
This method returns the session with the given session-id.

Parameters:
sessionId - The id of the session that is to be retrieved.
Returns:
The appropriate session if it is still active, or null if the session is inactive or does not exist at all.

getSessions

public java.util.Collection<Session> getSessions()
This method returns all the sessions (active and timed-out) that have been created by the session-tracker.

Specified by:
getSessions in interface SessionTracker
Returns:
A collection of session instances.

reset

public void reset()
This method simply resets the session-tracker to the initial state which holds no sessions.

Specified by:
reset in interface SessionTracker

isExpired

public boolean isExpired(Session s,
                         AuditEvent event)
This method is used to check a session for expiration according to the date of the given audit-event.

Parameters:
s - The session that is to be checked.
event - The event which defines the current date.
Returns:
true if the session's last access-time is no longer than a period of X seconds away from the event's date. Here X is the session-timeout defined for this session-tracker.

setSessionTimeOut

public void setSessionTimeOut(long s)
This method is used to set the session-timeout. Modification of the timeout does not affect any of the sessions created so far.

Specified by:
setSessionTimeOut in interface SessionTracker
Parameters:
s - The number of seconds after which a session is to be timed out.

getSessionTimeOut

public long getSessionTimeOut()
Returns the session-timeout that is used by this tracker.

Specified by:
getSessionTimeOut in interface SessionTracker
Returns:
The number of seconds that a session is kept active without any events related to it.

setStrictSessions

public void setStrictSessions(boolean b)
In a strict session the session-id is presumed to be created by the server-side application. Thus only sessions for which the server responded with a session identifier are assumed to be valid. This prevents the tracker from trusting any requests of a simple session-guessing attack.

Specified by:
setStrictSessions in interface SessionTracker
Parameters:
b - Whether this tracker should only track strict sessions.
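
The strict-session rule described above, as an added sketch that is not jwall's implementation and not code from this page. Event and StrictTracker are hypothetical stand-ins, the events are constructed, and the sketch assumes the id issued by the server is visible in the recorded response.

```java
import java.util.*;

// Added illustration: Event and StrictTracker are hypothetical, not jwall classes.
public class StrictSessionDemo {
    // Constructed stand-in for an audit event: timestamp, the session id the client
    // sent, and the id the server issued in its response (null if it issued none).
    record Event(long timeMs, String requestSid, String issuedSid) {}

    static class StrictTracker {
        private final Map<String, Long> active = new HashMap<>(); // id -> last access
        private final List<String> timedOut = new ArrayList<>();
        private final long timeoutMs;
        private final boolean strict;

        StrictTracker(long timeoutMs, boolean strict) { this.timeoutMs = timeoutMs; this.strict = strict; }

        /** Returns the session id the event is attributed to, or null if untracked. */
        String eventArrived(Event e) {
            if (e.issuedSid() != null) {            // server-issued ids are always trusted
                active.put(e.issuedSid(), e.timeMs());
                return e.issuedSid();
            }
            String sid = e.requestSid();
            if (sid == null) return null;
            Long last = active.get(sid);
            if (last != null && e.timeMs() - last > timeoutMs) {
                active.remove(sid);                 // expire relative to the event's time,
                timedOut.add(sid);                  // not the wall clock (log replay)
                last = null;
            }
            if (last == null && strict) return null; // id never issued or expired: reject
            active.put(sid, e.timeMs());
            return sid;
        }

        List<String> timedOut() { return timedOut; }
    }

    public static void main(String[] args) {
        StrictTracker t = new StrictTracker(7_200_000L, true); // 2 h timeout, strict mode
        List<Event> events = List.of(                          // constructed sample events
            new Event(0L, null, "A1"),            // server issues A1
            new Event(1_000L, "A1", null),        // client presents A1
            new Event(2_000L, "GUESS", null),     // client presents an id never issued
            new Event(8_000_000L, "A1", null));   // A1 idle for longer than the timeout
        for (Event e : events) System.out.println(e + " -> " + t.eventArrived(e));
        System.out.println("timed out: " + t.timedOut());
    }
}
```

The sketch uses a record and therefore needs Java 16 or later; constructing the tracker with strict set to false makes it open a session for any id the client presents.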

usesStrictSessions

public boolean usesStrictSessions()
Description copied from interface: SessionTracker
Returns true, if the tracker only produces strict sessions.

Specified by:
usesStrictSessions in interface SessionTracker
Returns:
Whether the tracker is using strict sessioning only.

extractKey

public abstract java.lang.String extractKey(AuditEvent evt)
This method extracts the key-feature from an event which is used to identify the session that this event is related to. This might be the remote-address, a special request-parameter or a cookie.

Parameters:
evt - The event from which to extract the session-id.
Returns:
A string that identifies the session associated with this event.

toString

public java.lang.String toString()
This method returns a string of all events grouped by their session-id.

Overrides:
toString in class java.lang.Object
Returns:
A string holding all sessions