EAF 7.6 Implementation

com.lutris.appserver.server.sessionEnhydra
Class StandardSessionKeyGen

java.lang.Object
  extended by java.lang.Thread
      extended by com.lutris.appserver.server.sessionEnhydra.StandardSessionKeyGen
All Implemented Interfaces:
java.lang.Runnable

public class StandardSessionKeyGen
extends java.lang.Thread

The session random key generator. This class implements a background thread that wakes up and counts the number of Standard Session Manager requests completed at one or more different interval periods, and supplements the seed of the Manager's random number generator in order to make the value of the cookies extremely unpredictable. This is an absolute requirement if random cookie values are to be used for any type of security purpose. This random number generator uses the JDK 1.1 SecureRandom object, which implements a cryptographic grade random number generator based on the RSA MD5 one-way hash. In combination with external user-generated time delay information, the numbers generated by this object are highly unpredictable, and therefore suitably secure for their use as session keys.

Version:
$Revision: 1.2 $
Author:
John Marco, Shawn McMurdo

Nested Class Summary
 
Nested classes/interfaces inherited from class java.lang.Thread
java.lang.Thread.State, java.lang.Thread.UncaughtExceptionHandler
 
Field Summary
 
Fields inherited from class java.lang.Thread
MAX_PRIORITY, MIN_PRIORITY, NORM_PRIORITY
 
Constructor Summary
StandardSessionKeyGen(long[] intervals)
          Constructs a new key generator (random number entropy generator).
 
Method Summary
 void incrementRandomCounter()
          Increment the random counter.
 java.lang.String newSessionKey()
          Generates a new random key to identify a session.
 void run()
          The main code body of the Idle Timer Thread.
 void shutdown()
          Shutdown the thread associated with this object.
 
Methods inherited from class java.lang.Thread
activeCount, checkAccess, countStackFrames, currentThread, destroy, dumpStack, enumerate, getAllStackTraces, getContextClassLoader, getDefaultUncaughtExceptionHandler, getId, getName, getPriority, getStackTrace, getState, getThreadGroup, getUncaughtExceptionHandler, holdsLock, interrupt, interrupted, isAlive, isDaemon, isInterrupted, join, join, join, resume, setContextClassLoader, setDaemon, setDefaultUncaughtExceptionHandler, setName, setPriority, setUncaughtExceptionHandler, sleep, sleep, start, stop, stop, suspend, toString, yield
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

StandardSessionKeyGen

public StandardSessionKeyGen(long[] intervals)
Constructs a new key generator (random number entropy generator). Initializes timers and counters and starts a thread.

Parameters:
manager - The Standard session manager to be randomized.
intervals - An array of one or more intervals, in seconds, at which to periodically supplement the random number generator with external user-generated entropy.
Method Detail

run

public void run()
The main code body of the Idle Timer Thread. Enters an endless loop that sleeps for a configurable period, periodically waking up to modify the session manager's random seed. An externally incremented count is used as a source of user-generated randomness.

Specified by:
run in interface java.lang.Runnable
Overrides:
run in class java.lang.Thread

incrementRandomCounter

public void incrementRandomCounter()
Increment the random counter. Used for randomization, so it doesn't have to be completely accurate and is not synchronized. The normal way to use this is to increment it on requests generated by external sources.


newSessionKey

public java.lang.String newSessionKey()
Generates a new random key to identify a session. This key represents a random integer that is large and sparse enough to make it highly unlikely that a valid session key can be guessed by an intruder. The randomizer object is used to generate this key.

This function is reentrant and does not need synchronization.

Returns:
A string representing a random key. The characters in this key are constrained to [A-Za-z0-9_-]. The encoding is more or less Base 64, but instead of '+' and '/' as defined in RFC1521, the characters '_' and '-' are used because they are safe in URLs and file names.
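As an added illustration (not Enhydra's own code) of the behaviour documented above: the externally incremented request counter that run() folds into the generator's seed, and the URL-safe [A-Za-z0-9_-] encoding that newSessionKey() returns. The class name, the 128-bit key length, the AtomicLong counter and the use of SecureRandom.setSeed to supplement the seed are assumptions.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

/** Hypothetical stand-in for StandardSessionKeyGen; not the Enhydra implementation. */
public class SessionKeyGenExample {
    // Base64 alphabet with '-' and '_' in place of '+' and '/', safe in URLs and file names.
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray();

    private final SecureRandom random = new SecureRandom();
    private final AtomicLong requestCounter = new AtomicLong();

    /** Counterpart of incrementRandomCounter(): called once per externally generated request. */
    public void incrementRandomCounter() { requestCounter.incrementAndGet(); }

    /**
     * Counterpart of one wake-up of run(): mix the request count seen since the last wake-up
     * and the current time into the generator. SecureRandom.setSeed supplements the existing
     * seed rather than replacing it, so a low-entropy count cannot weaken the generator.
     */
    public void supplementSeed() {
        long count = requestCounter.getAndSet(0);
        long now = System.nanoTime();
        byte[] extra = new byte[16];
        for (int i = 0; i < 8; i++) {
            extra[i] = (byte) (count >>> (8 * i));
            extra[8 + i] = (byte) (now >>> (8 * i));
        }
        random.setSeed(extra);
    }

    /** Counterpart of newSessionKey(): 128 random bits encoded into [A-Za-z0-9_-]. */
    public String newSessionKey() {
        byte[] raw = new byte[16];
        random.nextBytes(raw);   // SecureRandom is thread-safe, so no synchronization here
        return encodeUrlSafe(raw);
    }

    /** Unpadded Base64-style encoding: 6 bits per character, partial trailing group allowed. */
    static String encodeUrlSafe(byte[] in) {
        StringBuilder out = new StringBuilder((in.length * 4 + 2) / 3);
        int bits = 0, nBits = 0;   // only the low 14 bits of 'bits' are ever read
        for (byte b : in) {
            bits = (bits << 8) | (b & 0xff);
            nBits += 8;
            for (; nBits >= 6; nBits -= 6) out.append(ALPHABET[(bits >>> (nBits - 6)) & 0x3f]);
        }
        if (nBits > 0) out.append(ALPHABET[(bits << (6 - nBits)) & 0x3f]);
        return out.toString();
    }
}
```

A 16-byte key encodes to 22 characters; a periodic caller of supplementSeed() plays the role of the background thread.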

shutdown

public void shutdown()
Shutdown the thread associated with this object.
