Hi,
It currently isn't possible to retrieve the SSL session ID (in the same
way as it's possible to retrieve the cipher suite or the client
certificates) from the Restlet Request.
It could make sense to implement this, and I wouldn't mind contributing
a patch to do so. Feel free to put an RFE in the issue tracker.
However, the SSL sessions have nothing to do with the Servlet's session
(and they're unlikely to be suitable as a replacement for such sessions
anyway). It would be interesting to see your particular use-case.
(As Stefan was saying, if you're using sessions to maintain state
between requests, REST and Restlet are probably not the right tool for
your project, although sometimes cookies are a necessary compromise for
storing authentication tokens, even with REST services.)
On 24/02/2010 16:10, Stefan Meissner wrote:
> OK, does the same constraint apply for SSL sessions?
> Is it possible to get the SSL session IDs using Simple HTTPS server connector?
>
> Can the SSLSessionContext IDs be used in the same way as in servlet API like
> this:
>
> String sslID =
> (String)request.getAttribute("javax.servlet.request.ssl_session");
>
> What I did so far:
>
> Server server = component.getServers().add(Protocol.HTTPS, 8183);
> Series<Parameter> param = server.getContext().getParameters();
>
> param.add("keystorePath", "./mySrvKeystore");
> param.add("keystorePassword", "123456");
>
> HttpsServerHelper helper = new HttpsServerHelper(server);
>
> SSLContext sslContext;
> try {
>     helper.start();
>     sslContext = helper.getSslContext();
>
>     Enumeration<byte[]> sessionIDs =
>         sslContext.getServerSessionContext().getIds();
>
>     component.getDefaultHost().attach(new FilterApplication(sslContext));
>
>     // Start the component.
>     component.start();
>
> } catch (Exception e) {
>     e.printStackTrace();
> }
>
> I also called the getIds() method inside the FilterApplication
> (beforeHandle), but in most of the cases there is no session ID present upon
> request. And if there is one ID it contains weird characters such as the
> following
> session ID: K?>7?%?[?s?#1GGb&?2???^?a??
>
> I've tried several charsets using:
> String sID = new String(id,"UTF-8");
> but I never get a better representation of the ID.
>
I'd guess what you get is an enumeration of byte arrays, not Strings. A
hexadecimal serialisation into string would probably be more
appropriate. This being said, you won't necessarily get the right ID
from this enumeration if there's more than one. Passing the SSLContext
to your resources doesn't sound like good design either (again, it
depends on what you do).
Best wishes,
Bruno.
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2451688
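
The hexadecimal serialisation suggested in the reply, as an added example that is not part of the original thread or of Restlet itself. The class and method names are hypothetical and the sample ID is constructed; only SSLSession.getId() and the Enumeration<byte[]> shape of SSLSessionContext.getIds() come from the standard JSSE API.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLSession;

// Hypothetical helper: renders raw TLS session IDs as printable, lossless hex.
public class SessionIdHex {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Hex-encode one raw session ID (arbitrary bytes, not text). */
    static String toHex(byte[] id) {
        char[] out = new char[id.length * 2];
        for (int i = 0; i < id.length; i++) {
            int v = id[i] & 0xFF;            // treat the byte as unsigned
            out[2 * i] = HEX[v >>> 4];
            out[2 * i + 1] = HEX[v & 0x0F];
        }
        return new String(out);
    }

    /** Hex-encode every ID in an enumeration such as SSLSessionContext.getIds(). */
    static List<String> allToHex(Enumeration<byte[]> ids) {
        List<String> result = new ArrayList<>();
        while (ids.hasMoreElements()) {
            result.add(toHex(ids.nextElement()));
        }
        return result;
    }

    /** ID of one specific connection's session, rather than a guess from the cache. */
    static String idOf(SSLSession session) {
        return toHex(session.getId());
    }

    public static void main(String[] args) {
        // Constructed 32-byte sample ID, not taken from a real handshake.
        byte[] id = new byte[32];
        for (int i = 0; i < id.length; i++) {
            id[i] = (byte) (0x80 + i * 5);
        }
        // Decoding as text is lossy: invalid UTF-8 sequences become U+FFFD.
        String asText = new String(id, StandardCharsets.UTF_8);
        boolean same = Arrays.equals(id, asText.getBytes(StandardCharsets.UTF_8));
        System.out.println("UTF-8 round trip preserved the bytes: " + same);
        System.out.println(allToHex(Collections.enumeration(Collections.singletonList(id))));
    }
}
```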