java/src/main/com/google/appengine/tools/development/SerializableObjectsOnlyHashSessionManager.java

   1 // Copyright 2012 Google Inc. All Rights Reserved.
   2 package com.google.appengine.tools.development;
   3
   4 import org.mortbay.jetty.servlet.AbstractSessionManager;
   5 import org.mortbay.jetty.servlet.HashSessionManager;
   6
   7 import java.io.ByteArrayOutputStream;
   8 import java.io.IOException;
   9 import java.io.ObjectOutputStream;
  10 import java.io.Serializable;
  11
  12 import javax.servlet.http.HttpServletRequest;
  13 import javax.servlet.http.HttpSession;
  14
  15 /**
  16  * A specialization of {@link HashSessionManager} that creates {@link HttpSession} objects that only
  17  * allow the insertion of {@link Serializable} objects.
  18  *
  19  */
  20 class SerializableObjectsOnlyHashSessionManager extends HashSessionManager {
  21
  22   @Override
  23   protected AbstractSessionManager.Session newSession(HttpServletRequest request) {
  24     return new SerializableObjectsOnlyHttpSession(request);
  25   }
  26
  27   /**
  28    * An {@link HttpSession} implementation for the dev appserver that only allows the insertion of
  29    * {@link Serializable} objects. The behavior here differs slightly from production in that
  30    * this implementation fails immediately, while prod fails at the end of the request. The
  31    * important thing, though, is that both implementations fail on non-serializable objects.
  32    */
  33   class SerializableObjectsOnlyHttpSession extends HashSessionManager.Session {
  34
  35     public SerializableObjectsOnlyHttpSession(HttpServletRequest request) {
  36       super(request);
  37     }
  38
  39     @Override
  40     public void setAttribute(String s, Object o) {
  41       super.setAttribute(s, checkCanSerialize(o));
  42     }
  43
  44     @Override
  45     public void putValue(String s, Object o) {
  46       super.putValue(s, checkCanSerialize(o));
  47     }
  48
  49     /**
  50      * Verifies the given object can be serialized. This may introduce performance overhead, but
  51      * it's comparable to what users will see in prod since we serialize their session data there as
  52      * well.
  53      *
  54      * @param value The object to serialize.
  55      * @return The value that was passed in.
  56      */
  57     Object checkCanSerialize(Object value) {
  58       ByteArrayOutputStream baos = new ByteArrayOutputStream();
  59       try {
  60         ObjectOutputStream oos = new ObjectOutputStream(baos);
  61         oos.writeObject(value);
  62       } catch (IOException ex) {
  63         throw new RuntimeException(ex);
  64       }
  65       return value;
  66     }
  67   }
  68 }