fix: 一次API调用创建一个session,导致内存泄漏

This commit is contained in:
chenjianxing 2021-08-05 21:04:16 +08:00 committed by jianxing
parent afb2198ea5
commit f9ea173955
4 changed files with 63 additions and 2 deletions

View File

@ -1,7 +1,10 @@
package io.metersphere.commons.utils;
import io.metersphere.security.CustomSessionIdGenerator;
import io.metersphere.security.CustomSessionManager;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
@ -78,13 +81,15 @@ public class ShiroUtils {
}
public static SessionManager getSessionManager(Long sessionTimeout, CacheManager cacheManager){
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
DefaultWebSessionManager sessionManager = new CustomSessionManager();
sessionManager.setSessionIdUrlRewritingEnabled(false);
sessionManager.setDeleteInvalidSessions(true);
sessionManager.setSessionValidationSchedulerEnabled(true);
sessionManager.setSessionIdCookie(ShiroUtils.getSessionIdCookie());
sessionManager.setGlobalSessionTimeout(sessionTimeout * 1000);// 超时时间ms
sessionManager.setCacheManager(cacheManager);
AbstractSessionDAO sessionDAO = (AbstractSessionDAO) sessionManager.getSessionDAO();
sessionDAO.setSessionIdGenerator(new CustomSessionIdGenerator());
//sessionManager.setSessionIdCookieEnabled(true);
return sessionManager;

View File

@ -28,6 +28,12 @@ public class ApiKeyFilter extends AnonymousFilter {
if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
} else {
String id = (String) SecurityUtils.getSubject().getSession().getId();
// 防止调用时使用 ak 作为 cookie 跳过登入逻辑
if (id.length() < 20) {
SecurityUtils.getSubject().logout();
}
}
}

View File

@ -0,0 +1,19 @@
package io.metersphere.security;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionIdGenerator;
import java.io.Serializable;
import java.util.UUID;
public class CustomSessionIdGenerator implements SessionIdGenerator {
@Override
public Serializable generateId(Session session) {
String threadSessionId = CustomSessionManager.threadSessionId.get();
if (StringUtils.isNotBlank(threadSessionId)) {
return threadSessionId;
}
return UUID.randomUUID().toString();
}
}

View File

@ -0,0 +1,31 @@
package io.metersphere.security;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.Serializable;
public class CustomSessionManager extends DefaultWebSessionManager {
static final ThreadLocal<String> threadSessionId = new ThreadLocal<>();
@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
String id = null;
HttpServletRequest httpRequest = WebUtils.toHttp(request);
if (ApiKeyHandler.isApiKeyCall(httpRequest)) {
// API调用同一个ak使用同一个session避免调用频繁导致session过多内存泄漏
id = httpRequest.getHeader(ApiKeyHandler.API_ACCESS_KEY);
setSessionIdCookieEnabled(false);
threadSessionId.set(id);
return id;
}
// 线程池中线程可能会复用非api删除
threadSessionId.remove();
setSessionIdCookieEnabled(true);
return super.getSessionId(request, response);
}
}