Example 1 with HttpSession

use of org.zaproxy.zap.extension.httpsessions.HttpSession in project zaproxy by zaproxy.

the class CookieBasedSessionManagementHelper method getMatchingHttpSession.

/**
 * Gets the matching http session, if any, for a particular message containing a list of
 * cookies, from a set of sessions.
 *
 * @param sessions the existing sessions
 * @param cookies the cookies present in the request header of the message
 * @param siteTokens the names of the session tokens tracked for the site
 * @return the matching http session, if any, or null if no existing session was found to match
 *         all the tokens
 */
public static HttpSession getMatchingHttpSession(final Collection<HttpSession> sessions, List<HttpCookie> cookies, final HttpSessionTokensSet siteTokens) {
    // Pre-checks
    if (sessions.isEmpty()) {
        return null;
    }
    List<HttpSession> matchingSessions = new LinkedList<>(sessions);
    for (String token : siteTokens.getTokensSet()) {
        // Get the corresponding cookie from the cookies list
        HttpCookie matchingCookie = null;
        for (HttpCookie cookie : cookies) {
            if (cookie.getName().equals(token)) {
                matchingCookie = cookie;
                break;
            }
        }
        // Filter the sessions that do not match the cookie value
        Iterator<HttpSession> it = matchingSessions.iterator();
        while (it.hasNext()) {
            if (!it.next().matchesToken(token, matchingCookie)) {
                it.remove();
            }
        }
    }
    // Return the matching session
    if (matchingSessions.size() >= 1) {
        if (matchingSessions.size() > 1) {
            log.warn("Multiple sessions matching the cookies from response. Using first one.");
        }
        return matchingSessions.get(0);
    }
    return null;
}
Also used : HttpSession(org.zaproxy.zap.extension.httpsessions.HttpSession) HttpCookie(java.net.HttpCookie) LinkedList(java.util.LinkedList)
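
The helper above narrows the candidate sessions one token at a time, and two of its edge cases decide which session a request is attributed to: a request that carries no cookie for a tracked token is passed to matchesToken with a null cookie, and when several sessions survive all tokens the first one wins after a warning. The following stand-alone program is an added example, not code from ZAP: TrackedSession is a stand-in for ZAP's HttpSession (the null-cookie rule it implements, "no cookie only matches a session with no recorded value for that token", is assumed to mirror HttpSession.matchesToken), while java.net.HttpCookie and the filtering loop are the same as on the page. It runs four constructed scenarios over a site that tracks both JSESSIONID and a second token cookie.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SessionMatchingDemo {

    /** Stand-in for ZAP's HttpSession: a name plus the cookie value recorded per session token (assumed model). */
    static final class TrackedSession {
        final String name;
        final Map<String, String> tokenValues = new HashMap<>();

        TrackedSession(String name) { this.name = name; }

        TrackedSession withToken(String token, String value) {
            tokenValues.put(token, value);
            return this;
        }

        /** Assumed semantics: a missing cookie only matches a session with no value for that token. */
        boolean matchesToken(String token, HttpCookie cookie) {
            String recorded = tokenValues.get(token);
            if (cookie == null) {
                return recorded == null;
            }
            return cookie.getValue().equals(recorded);
        }
    }

    /** Lookup result: the chosen session (null if none) and how many candidates survived the filter. */
    static final class Match {
        final TrackedSession session;
        final int candidates;
        Match(TrackedSession session, int candidates) { this.session = session; this.candidates = candidates; }
    }

    /** Same filtering as getMatchingHttpSession on the page, applied to the stand-in type. */
    static Match getMatchingSession(Collection<TrackedSession> sessions, List<HttpCookie> cookies, Set<String> siteTokens) {
        if (sessions.isEmpty()) {
            return new Match(null, 0);
        }
        List<TrackedSession> matching = new ArrayList<>(sessions);
        for (String token : siteTokens) {
            HttpCookie matchingCookie = null;   // stays null when the request lacks this token cookie
            for (HttpCookie cookie : cookies) {
                if (cookie.getName().equals(token)) {
                    matchingCookie = cookie;
                    break;
                }
            }
            Iterator<TrackedSession> it = matching.iterator();
            while (it.hasNext()) {
                if (!it.next().matchesToken(token, matchingCookie)) {
                    it.remove();
                }
            }
        }
        // As in ZAP, the first survivor is used when several remain; the count lets the caller warn about it.
        return new Match(matching.isEmpty() ? null : matching.get(0), matching.size());
    }

    /** Builds java.net.HttpCookie objects from name/value pairs (constructed request cookies). */
    static List<HttpCookie> cookies(String... nameValuePairs) {
        List<HttpCookie> out = new ArrayList<>();
        for (int i = 0; i < nameValuePairs.length; i += 2) {
            out.add(new HttpCookie(nameValuePairs[i], nameValuePairs[i + 1]));
        }
        return out;
    }

    static void report(String label, Match m) {
        String name = m.session == null ? "<none>" : m.session.name;
        String note = m.candidates > 1 ? " (WARN: " + m.candidates + " candidates, first one used)" : "";
        System.out.println(label + ": " + name + note);
    }

    public static void main(String[] args) {
        // Constructed data: the site tracks two session tokens, and "anon" shares alice's JSESSIONID.
        Set<String> siteTokens = new LinkedHashSet<>(List.of("JSESSIONID", "XSRF-TOKEN"));
        TrackedSession alice = new TrackedSession("alice").withToken("JSESSIONID", "A1").withToken("XSRF-TOKEN", "x-a");
        TrackedSession bob = new TrackedSession("bob").withToken("JSESSIONID", "B2").withToken("XSRF-TOKEN", "x-b");
        TrackedSession anon = new TrackedSession("anon").withToken("JSESSIONID", "A1");   // no XSRF-TOKEN recorded yet
        List<TrackedSession> sessions = List.of(alice, bob, anon);

        // 1. Both tokens match: alice, although anon carries the same JSESSIONID.
        report("full match", getMatchingSession(sessions, cookies("JSESSIONID", "A1", "XSRF-TOKEN", "x-a"), siteTokens));
        // 2. Request without XSRF-TOKEN: only the session with no XSRF value (anon) qualifies, not alice.
        report("missing token", getMatchingSession(sessions, cookies("JSESSIONID", "A1"), siteTokens));
        // 3. Unknown values: no session is returned, so the caller would create a new one.
        report("unknown", getMatchingSession(sessions, cookies("JSESSIONID", "Z9", "XSRF-TOKEN", "x-z"), siteTokens));
        // 4. Two sessions tracked with identical token values are indistinguishable: first wins, with a warning.
        TrackedSession bobCopy = new TrackedSession("bob-copy").withToken("JSESSIONID", "B2").withToken("XSRF-TOKEN", "x-b");
        report("ambiguous", getMatchingSession(List.of(bob, bobCopy), cookies("JSESSIONID", "B2", "XSRF-TOKEN", "x-b"), siteTokens));
    }
}
```

Scenario 2 is the one worth remembering when tracking several tokens: dropping one tracked cookie from a request does not fall back to a "best effort" match on the remaining tokens, it switches the request to whichever session has no value for that token, which is why a site's token set should contain only cookies the application actually sets for every authenticated session.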

Example 2 with HttpSession

use of org.zaproxy.zap.extension.httpsessions.HttpSession in project zaproxy by zaproxy.

the class ManualAuthenticationMethodType method getSetCredentialsForUserApiAction.

@Override
public ApiDynamicActionImplementor getSetCredentialsForUserApiAction() {
    return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, new String[] { PARAM_SESSION_NAME }, null) {

        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
            // Make sure the type of authentication method is compatible
            if (!isTypeForMethod(context.getAuthenticationMethod())) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
            }
            // NOTE: no need to check if the extension is loaded, as this method is called
            // only if the Users extension is loaded
            ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
            User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
            if (user == null) {
                throw new ApiException(Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
            }
            String sessionName = ApiUtils.getNonEmptyStringParam(params, PARAM_SESSION_NAME);
            // Get the matching session
            ExtensionHttpSessions extensionHttpSessions = (ExtensionHttpSessions) Control.getSingleton().getExtensionLoader().getExtension(ExtensionHttpSessions.NAME);
            if (extensionHttpSessions == null) {
                throw new ApiException(Type.NO_IMPLEMENTOR, "HttpSessions extension is not loaded.");
            }
            List<HttpSession> sessions = extensionHttpSessions.getHttpSessionsForContext(context);
            HttpSession matchedSession = null;
            for (HttpSession session : sessions) {
                if (session.getName().equals(sessionName)) {
                    matchedSession = session;
                    break;
                }
            }
            if (matchedSession == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SESSION_NAME);
            }
            // Set the credentials
            ManualAuthenticationCredentials credentials = createAuthenticationCredentials();
            credentials.setSelectedSession(matchedSession);
            user.setAuthenticationCredentials(credentials);
        }
    };
}
Also used : ApiDynamicActionImplementor(org.zaproxy.zap.extension.api.ApiDynamicActionImplementor) Context(org.zaproxy.zap.model.Context) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) User(org.zaproxy.zap.users.User) JSONObject(net.sf.json.JSONObject) HttpSession(org.zaproxy.zap.extension.httpsessions.HttpSession) ExtensionHttpSessions(org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions) ApiException(org.zaproxy.zap.extension.api.ApiException)
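
The action above is reached through ZAP's users API: the manual authentication method takes a single configuration parameter, sessionName, and resolves it against the HTTP sessions already tracked for the context, rejecting the call if the context uses another authentication method, the user does not exist, the HttpSessions extension is not loaded, or no session carries that name. The following client is an added example, not part of ZAP or its client libraries; it talks to the documented endpoints httpSessions/view/sessions and users/action/setAuthenticationCredentials with the JDK's java.net.http client. The ZAP address and API key are assumptions for the reader's instance, and the example assumes that ZAP URL-decodes the individual values inside authCredentialsConfigParams, which is why the session name is encoded before being joined into that parameter.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class BindSessionToUser {

    private final HttpClient client = HttpClient.newHttpClient();
    private final String zapBase;   // assumed address of the ZAP API, e.g. "http://127.0.0.1:8080"
    private final String apiKey;    // the instance's API key, sent in the X-ZAP-API-Key header

    BindSessionToUser(String zapBase, String apiKey) {
        this.zapBase = zapBase;
        this.apiKey = apiKey;
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Issues a GET against the JSON API and fails loudly on a non-200 answer (ZAP reports errors that way). */
    private String get(String path, String query) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(zapBase + path + "?" + query))
                .header("X-ZAP-API-Key", apiKey)
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("ZAP API returned " + response.statusCode() + ": " + response.body());
        }
        return response.body();
    }

    /** Lists the sessions ZAP tracks for a site ("host:port"), so the sessionName can be chosen. */
    String listSessions(String site) throws Exception {
        return get("/JSON/httpSessions/view/sessions/", "site=" + enc(site));
    }

    /**
     * Builds the authCredentialsConfigParams value the manual method expects, "sessionName=<name>".
     * The inner value is encoded on its own (assumed to be decoded by ZAP) so that '&' or '='
     * in a session name cannot smuggle in a second key/value pair.
     */
    static String manualCredentialsParams(String sessionName) {
        return "sessionName=" + enc(sessionName);
    }

    /** Binds the named session to the user; ZAP resolves the name exactly as handleAction above does. */
    String bindSession(int contextId, int userId, String sessionName) throws Exception {
        String query = "contextId=" + contextId
                + "&userId=" + userId
                + "&authCredentialsConfigParams=" + enc(manualCredentialsParams(sessionName));
        return get("/JSON/users/action/setAuthenticationCredentials/", query);
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: local ZAP on 8080, key taken from the environment, context 1 / user 0.
        BindSessionToUser zap = new BindSessionToUser("http://127.0.0.1:8080", System.getenv("ZAP_API_KEY"));
        System.out.println(zap.listSessions("app.example.test:443"));
        System.out.println(zap.bindSession(1, 0, "Session 1"));
    }
}
```

If the context's authentication method is not "manual", the second call comes back with an illegal_parameter error naming the context's actual method, and an unknown session name yields does_not_exist for sessionName, matching the two ApiException branches in handleAction; check the sessions list first rather than relying on those errors, because the session must already have been captured through the proxy before it can be bound to a user.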

Aggregations

HttpSession (org.zaproxy.zap.extension.httpsessions.HttpSession)2 HttpCookie (java.net.HttpCookie)1 LinkedList (java.util.LinkedList)1 JSONObject (net.sf.json.JSONObject)1 ApiDynamicActionImplementor (org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)1 ApiException (org.zaproxy.zap.extension.api.ApiException)1 ExtensionHttpSessions (org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions)1 ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement)1 Context (org.zaproxy.zap.model.Context)1 User (org.zaproxy.zap.users.User)1