Merge "Allow plugins to replace the WebSession implementation"

gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java

@@ -15,7 +15,6 @@
 package com.google.gerrit.httpd;
 
 import static java.util.concurrent.TimeUnit.HOURS;
-import static java.util.concurrent.TimeUnit.MINUTES;
 
 import com.google.gerrit.httpd.WebSessionManager.Key;
 import com.google.gerrit.httpd.WebSessionManager.Val;
@@ -26,10 +25,7 @@ import com.google.gerrit.server.AnonymousUser;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.AuthResult;
-import com.google.gerrit.server.cache.CacheModule;
 import com.google.gerrit.server.config.AuthConfig;
-import com.google.inject.Inject;
-import com.google.inject.Module;
 import com.google.inject.Provider;
 import com.google.inject.servlet.RequestScoped;
 
@@ -42,25 +38,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 @RequestScoped
-public final class CacheBasedWebSession implements WebSession {
+public abstract class CacheBasedWebSession implements WebSession {
   private static final String ACCOUNT_COOKIE = "GerritAccount";
-  static final long MAX_AGE_MINUTES = HOURS.toMinutes(12);
+  protected static final long MAX_AGE_MINUTES = HOURS.toMinutes(12);
-
-  public static Module module() {
-    return new CacheModule() {
-      @Override
-      protected void configure() {
-        persist(WebSessionManager.CACHE_NAME, String.class, Val.class)
-            .maximumWeight(1024) // reasonable default for many sites
-            .expireAfterWrite(MAX_AGE_MINUTES, MINUTES) // expire sessions if they are inactive
-        ;
-        bind(WebSessionManager.class);
-        bind(WebSession.class)
-          .to(CacheBasedWebSession.class)
-          .in(RequestScoped.class);
-      }
-    };
-  }
 
   private final HttpServletRequest request;
   private final HttpServletResponse response;
@@ -75,9 +55,9 @@ public final class CacheBasedWebSession implements WebSession {
   private Val val;
   private CurrentUser user;
 
-  @Inject
+  protected CacheBasedWebSession(final HttpServletRequest request,
-  CacheBasedWebSession(final HttpServletRequest request,
+      final HttpServletResponse response,
-      final HttpServletResponse response, final WebSessionManager manager,
+      final WebSessionManager manager,
       final AuthConfig authConfig,
       final Provider<AnonymousUser> anonymousProvider,
       final IdentifiedUser.RequestFactory identified) {

gerrit-httpd/src/main/java/com/google/gerrit/httpd/ContainerAuthFilter.java

@@ -17,12 +17,12 @@ package com.google.gerrit.httpd;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.server.AccessPath;
 import com.google.gerrit.server.account.AccountCache;
 import com.google.gerrit.server.account.AccountState;
 import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.eclipse.jgit.lib.Config;
@@ -54,12 +54,12 @@ import javax.servlet.http.HttpServletResponse;
 class ContainerAuthFilter implements Filter {
   public static final String REALM_NAME = "Gerrit Code Review";
 
-  private final Provider<WebSession> session;
+  private final DynamicItem<WebSession> session;
   private final AccountCache accountCache;
   private final Config config;
 
   @Inject
-  ContainerAuthFilter(Provider<WebSession> session, AccountCache accountCache,
+  ContainerAuthFilter(DynamicItem<WebSession> session, AccountCache accountCache,
       @GerritServerConfig Config config) {
     this.session = session;
     this.accountCache = accountCache;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/H2CacheBasedWebSession.java

@@ -0,0 +1,68 @@
+// Copyright (C) 2009 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd;
+
+import static java.util.concurrent.TimeUnit.MINUTES;
+
+import com.google.common.cache.Cache;
+import com.google.gerrit.extensions.registration.DynamicItem;
+import com.google.gerrit.httpd.WebSessionManager.Val;
+import com.google.gerrit.server.AnonymousUser;
+import com.google.gerrit.server.IdentifiedUser.RequestFactory;
+import com.google.gerrit.server.cache.CacheModule;
+import com.google.gerrit.server.config.AuthConfig;
+import com.google.inject.Inject;
+import com.google.inject.Module;
+import com.google.inject.Provider;
+import com.google.inject.assistedinject.FactoryModuleBuilder;
+import com.google.inject.name.Named;
+import com.google.inject.servlet.RequestScoped;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@RequestScoped
+public class H2CacheBasedWebSession extends CacheBasedWebSession {
+  public static Module module() {
+    return new CacheModule() {
+      @Override
+      protected void configure() {
+        persist(WebSessionManager.CACHE_NAME, String.class, Val.class)
+            .maximumWeight(1024) // reasonable default for many sites
+            .expireAfterWrite(CacheBasedWebSession.MAX_AGE_MINUTES, MINUTES) // expire sessions if they are inactive
+        ;
+        install(new FactoryModuleBuilder()
+            .build(WebSessionManagerFactory.class));
+        DynamicItem.itemOf(binder(), WebSession.class);
+        DynamicItem.bind(binder(), WebSession.class)
+          .to(H2CacheBasedWebSession.class)
+          .in(RequestScoped.class);
+      }
+    };
+  }
+
+  @Inject
+  H2CacheBasedWebSession(
+      HttpServletRequest request,
+      HttpServletResponse response,
+      WebSessionManagerFactory managerFactory,
+      @Named(WebSessionManager.CACHE_NAME) Cache<String, Val> cache,
+      AuthConfig authConfig,
+      Provider<AnonymousUser> anonymousProvider,
+      RequestFactory identified) {
+    super(request, response, managerFactory.create(cache), authConfig,
+        anonymousProvider, identified);
+  }
+}

gerrit-httpd/src/main/java/com/google/gerrit/httpd/HttpLogoutServlet.java

@@ -18,6 +18,7 @@ import com.google.common.base.Strings;
 import com.google.gerrit.audit.AuditEvent;
 import com.google.gerrit.audit.AuditService;
 import com.google.gerrit.common.Nullable;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.account.AccountManager;
 import com.google.gerrit.server.config.AuthConfig;
@@ -37,14 +38,14 @@ import javax.servlet.http.HttpServletResponse;
 class HttpLogoutServlet extends HttpServlet {
   private static final long serialVersionUID = 1L;
 
-  private final Provider<WebSession> webSession;
+  private final DynamicItem<WebSession> webSession;
   private final Provider<String> urlProvider;
   private final String logoutUrl;
   private final AuditService audit;
 
   @Inject
   HttpLogoutServlet(final AuthConfig authConfig,
-      final Provider<WebSession> webSession,
+      final DynamicItem<WebSession> webSession,
       @CanonicalWebUrl @Nullable final Provider<String> urlProvider,
       final AccountManager accountManager,
       final AuditService audit) {

gerrit-httpd/src/main/java/com/google/gerrit/httpd/HttpRequestContext.java

@@ -14,6 +14,7 @@
 
 package com.google.gerrit.httpd;
 
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.config.RequestScopedReviewDbProvider;
@@ -22,11 +23,11 @@ import com.google.inject.Inject;
 import com.google.inject.Provider;
 
 class HttpRequestContext implements RequestContext {
-  private final WebSession session;
+  private final DynamicItem<WebSession> session;
   private final RequestScopedReviewDbProvider provider;
 
   @Inject
-  HttpRequestContext(WebSession session,
+  HttpRequestContext(DynamicItem<WebSession> session,
       RequestScopedReviewDbProvider provider) {
     this.session = session;
     this.provider = provider;
@@ -34,7 +35,7 @@ class HttpRequestContext implements RequestContext {
 
   @Override
   public CurrentUser getCurrentUser() {
-    return session.getCurrentUser();
+    return session.get().getCurrentUser();
   }
 
   @Override

gerrit-httpd/src/main/java/com/google/gerrit/httpd/ProjectBasicAuthFilter.java

@@ -18,6 +18,7 @@ import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 
 import com.google.common.base.Objects;
 import com.google.common.base.Strings;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.server.AccessPath;
 import com.google.gerrit.server.account.AccountCache;
 import com.google.gerrit.server.account.AccountException;
@@ -28,7 +29,6 @@ import com.google.gerrit.server.account.AuthResult;
 import com.google.gerrit.server.auth.NoSuchUserException;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.apache.commons.codec.binary.Base64;
@@ -68,13 +68,13 @@ class ProjectBasicAuthFilter implements Filter {
   private static final String AUTHORIZATION = "Authorization";
   private static final String LIT_BASIC = "Basic ";
 
-  private final Provider<WebSession> session;
+  private final DynamicItem<WebSession> session;
   private final AccountCache accountCache;
   private final AccountManager accountManager;
   private final AuthConfig authConfig;
 
   @Inject
-  ProjectBasicAuthFilter(Provider<WebSession> session,
+  ProjectBasicAuthFilter(DynamicItem<WebSession> session,
       AccountCache accountCache, AccountManager accountManager,
       AuthConfig authConfig) {
     this.session = session;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/ProjectDigestFilter.java

@@ -21,6 +21,7 @@ import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 
 import com.google.gerrit.common.Nullable;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.server.AccessPath;
 import com.google.gerrit.server.account.AccountCache;
 import com.google.gerrit.server.account.AccountState;
@@ -70,7 +71,7 @@ class ProjectDigestFilter implements Filter {
   private static final String AUTHORIZATION = "Authorization";
 
   private final Provider<String> urlProvider;
-  private final Provider<WebSession> session;
+  private final DynamicItem<WebSession> session;
   private final AccountCache accountCache;
   private final Config config;
   private final SignedToken tokens;
@@ -78,7 +79,7 @@ class ProjectDigestFilter implements Filter {
 
   @Inject
   ProjectDigestFilter(@CanonicalWebUrl @Nullable Provider<String> urlProvider,
-      Provider<WebSession> session, AccountCache accountCache,
+      DynamicItem<WebSession> session, AccountCache accountCache,
       @GerritServerConfig Config config) throws XsrfException {
     this.urlProvider = urlProvider;
     this.session = session;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/RunAsFilter.java

@@ -17,6 +17,7 @@ package com.google.gerrit.httpd;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.restapi.RestApiServlet;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.CurrentUser;
@@ -24,7 +25,6 @@ import com.google.gerrit.server.account.AccountResolver;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import com.google.inject.servlet.ServletModule;
 
@@ -56,12 +56,12 @@ class RunAsFilter implements Filter {
   }
 
   private final boolean enabled;
-  private final Provider<WebSession> session;
+  private final DynamicItem<WebSession> session;
   private final AccountResolver accountResolver;
 
   @Inject
   RunAsFilter(AuthConfig config,
-      Provider<WebSession> session,
+      DynamicItem<WebSession> session,
       AccountResolver accountResolver) {
     this.enabled = config.isRunAsEnabled();
     this.session = session;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSessionManager.java

@@ -34,8 +34,7 @@ import com.google.gerrit.reviewdb.client.AccountExternalId;
 import com.google.gerrit.server.config.ConfigUtil;
 import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.inject.Inject;
-import com.google.inject.Singleton;
+import com.google.inject.assistedinject.Assisted;
-import com.google.inject.name.Named;
 
 import org.eclipse.jgit.lib.Config;
 import org.slf4j.Logger;
@@ -49,10 +48,9 @@ import java.io.Serializable;
 import java.security.SecureRandom;
 import java.util.concurrent.TimeUnit;
 
-@Singleton
+public class WebSessionManager {
-class WebSessionManager {
   private static final Logger log = LoggerFactory.getLogger(WebSessionManager.class);
-  static final String CACHE_NAME = "web_sessions";
+  public static final String CACHE_NAME = "web_sessions";
 
   private final long sessionMaxAgeMillis;
   private final SecureRandom prng;
@@ -60,7 +58,7 @@ class WebSessionManager {
 
   @Inject
   WebSessionManager(@GerritServerConfig Config cfg,
-      @Named(CACHE_NAME) final Cache<String, Val> cache) {
+      @Assisted final Cache<String, Val> cache) {
     prng = new SecureRandom();
     self = cache;
 
@@ -180,7 +178,7 @@ class WebSessionManager {
     }
   }
 
-  static final class Val implements Serializable {
+  public static final class Val implements Serializable {
     static final long serialVersionUID = 2L;
 
     private transient Account.Id accountId;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSessionManagerFactory.java

@@ -0,0 +1,22 @@
+// Copyright (C) 2013 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd;
+
+import com.google.common.cache.Cache;
+import com.google.gerrit.httpd.WebSessionManager.Val;
+
+public interface WebSessionManagerFactory {
+  WebSessionManager create(Cache<String, Val> cache);
+}

gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/become/BecomeAnyAccountLoginServlet.java

@@ -19,6 +19,7 @@ import static com.google.gerrit.reviewdb.client.AccountExternalId.SCHEME_USERNAM
 import com.google.common.base.Objects;
 import com.google.common.base.Strings;
 import com.google.gerrit.common.PageLinks;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.HtmlDomUtil;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.httpd.template.SiteHeaderFooter;
@@ -34,7 +35,6 @@ import com.google.gwtorm.server.OrmException;
 import com.google.gwtorm.server.ResultSet;
 import com.google.gwtorm.server.SchemaFactory;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.w3c.dom.Document;
@@ -59,12 +59,12 @@ class BecomeAnyAccountLoginServlet extends HttpServlet {
   private static final boolean IS_DEV = Boolean.getBoolean("Gerrit.GwtDevMode");
 
   private final SchemaFactory<ReviewDb> schema;
-  private final Provider<WebSession> webSession;
+  private final DynamicItem<WebSession> webSession;
   private final AccountManager accountManager;
   private final SiteHeaderFooter headers;
 
   @Inject
-  BecomeAnyAccountLoginServlet(final Provider<WebSession> ws,
+  BecomeAnyAccountLoginServlet(final DynamicItem<WebSession> ws,
       final SchemaFactory<ReviewDb> sf,
       final AccountManager am,
       final ServletContext servletContext,

gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java

@@ -19,6 +19,7 @@ import static com.google.common.base.Strings.emptyToNull;
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 import static com.google.gerrit.reviewdb.client.AccountExternalId.SCHEME_GERRIT;
 
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.HtmlDomUtil;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.httpd.raw.HostPageServlet;
@@ -27,7 +28,6 @@ import com.google.gerrit.server.config.AuthConfig;
 import com.google.gwtexpui.server.CacheHeaders;
 import com.google.gwtjsonrpc.server.RPCServletUtils;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.eclipse.jgit.util.Base64;
@@ -57,7 +57,7 @@ import javax.servlet.http.HttpServletResponse;
  */
 @Singleton
 class HttpAuthFilter implements Filter {
-  private final Provider<WebSession> sessionProvider;
+  private final DynamicItem<WebSession> sessionProvider;
   private final byte[] signInRaw;
   private final byte[] signInGzip;
   private final String loginHeader;
@@ -65,7 +65,7 @@ class HttpAuthFilter implements Filter {
   private final String emailHeader;
 
   @Inject
-  HttpAuthFilter(final Provider<WebSession> webSession,
+  HttpAuthFilter(final DynamicItem<WebSession> webSession,
       final AuthConfig authConfig) throws IOException {
     this.sessionProvider = webSession;
 

gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpLoginServlet.java

@@ -15,6 +15,7 @@
 package com.google.gerrit.httpd.auth.container;
 
 import com.google.gerrit.common.PageLinks;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.CanonicalWebUrl;
 import com.google.gerrit.httpd.HtmlDomUtil;
 import com.google.gerrit.httpd.WebSession;
@@ -25,7 +26,6 @@ import com.google.gerrit.server.account.AuthResult;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gwtexpui.server.CacheHeaders;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.slf4j.Logger;
@@ -56,14 +56,14 @@ class HttpLoginServlet extends HttpServlet {
   private static final Logger log =
       LoggerFactory.getLogger(HttpLoginServlet.class);
 
-  private final Provider<WebSession> webSession;
+  private final DynamicItem<WebSession> webSession;
   private final CanonicalWebUrl urlProvider;
   private final AccountManager accountManager;
   private final HttpAuthFilter authFilter;
   private final AuthConfig authConfig;
 
   @Inject
-  HttpLoginServlet(final Provider<WebSession> webSession,
+  HttpLoginServlet(final DynamicItem<WebSession> webSession,
       final CanonicalWebUrl urlProvider,
       final AccountManager accountManager,
       final HttpAuthFilter authFilter,

gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertAuthFilter.java

@@ -14,13 +14,13 @@
 
 package com.google.gerrit.httpd.auth.container;
 
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.server.account.AccountException;
 import com.google.gerrit.server.account.AccountManager;
 import com.google.gerrit.server.account.AuthRequest;
 import com.google.gerrit.server.account.AuthResult;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.slf4j.Logger;
@@ -45,11 +45,11 @@ class HttpsClientSslCertAuthFilter implements Filter {
   private static final Logger log =
     LoggerFactory.getLogger(HttpsClientSslCertAuthFilter.class);
 
-  private final Provider<WebSession> webSession;
+  private final DynamicItem<WebSession> webSession;
   private final AccountManager accountManager;
 
   @Inject
-  HttpsClientSslCertAuthFilter(final Provider<WebSession> webSession,
+  HttpsClientSslCertAuthFilter(final DynamicItem<WebSession> webSession,
       final AccountManager accountManager) {
     this.webSession = webSession;
     this.accountManager = accountManager;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/ldap/LdapLoginServlet.java

@@ -18,6 +18,7 @@ import com.google.common.base.Objects;
 import com.google.common.base.Strings;
 import com.google.gerrit.common.Nullable;
 import com.google.gerrit.common.PageLinks;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.CanonicalWebUrl;
 import com.google.gerrit.httpd.HtmlDomUtil;
 import com.google.gerrit.httpd.WebSession;
@@ -30,7 +31,6 @@ import com.google.gerrit.server.account.AuthResult;
 import com.google.gerrit.server.auth.AuthenticationUnavailableException;
 import com.google.gwtexpui.server.CacheHeaders;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 
 import org.slf4j.Logger;
@@ -54,13 +54,13 @@ class LdapLoginServlet extends HttpServlet {
       .getLogger(LdapLoginServlet.class);
 
   private final AccountManager accountManager;
-  private final Provider<WebSession> webSession;
+  private final DynamicItem<WebSession> webSession;
   private final CanonicalWebUrl urlProvider;
   private final SiteHeaderFooter headers;
 
   @Inject
   LdapLoginServlet(AccountManager accountManager,
-      Provider<WebSession> webSession,
+      DynamicItem<WebSession> webSession,
       CanonicalWebUrl urlProvider,
       SiteHeaderFooter headers) {
     this.accountManager = accountManager;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java

@@ -22,6 +22,7 @@ import com.google.common.primitives.Bytes;
 import com.google.gerrit.common.Version;
 import com.google.gerrit.common.data.GerritConfig;
 import com.google.gerrit.common.data.HostPageData;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.extensions.registration.DynamicSet;
 import com.google.gerrit.extensions.systemstatus.MessageOfTheDay;
 import com.google.gerrit.extensions.webui.WebUiPlugin;
@@ -70,7 +71,7 @@ public class HostPageServlet extends HttpServlet {
   private static final String HPD_ID = "gerrit_hostpagedata";
 
   private final Provider<CurrentUser> currentUser;
-  private final Provider<WebSession> session;
+  private final DynamicItem<WebSession> session;
   private final GerritConfig config;
   private final DynamicSet<WebUiPlugin> plugins;
   private final DynamicSet<MessageOfTheDay> messages;
@@ -84,7 +85,7 @@ public class HostPageServlet extends HttpServlet {
   private volatile Page page;
 
   @Inject
-  HostPageServlet(final Provider<CurrentUser> cu, final Provider<WebSession> w,
+  HostPageServlet(final Provider<CurrentUser> cu, final DynamicItem<WebSession> w,
       final SitePaths sp, final ThemeFactory themeFactory,
       final GerritConfig gc, final ServletContext servletContext,
       final DynamicSet<WebUiPlugin> webUiPlugins,

gerrit-httpd/src/main/java/com/google/gerrit/httpd/restapi/RestApiServlet.java

@@ -47,6 +47,7 @@ import com.google.common.net.HttpHeaders;
 import com.google.gerrit.audit.AuditService;
 import com.google.gerrit.audit.HttpAuditEvent;
 import com.google.gerrit.common.Nullable;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.extensions.registration.DynamicMap;
 import com.google.gerrit.extensions.restapi.AcceptsCreate;
 import com.google.gerrit.extensions.restapi.AcceptsPost;
@@ -151,13 +152,13 @@ public class RestApiServlet extends HttpServlet {
 
   public static class Globals {
     final Provider<CurrentUser> currentUser;
-    final Provider<WebSession> webSession;
+    final DynamicItem<WebSession> webSession;
     final Provider<ParameterParser> paramParser;
     final AuditService auditService;
 
     @Inject
     Globals(Provider<CurrentUser> currentUser,
-        Provider<WebSession> webSession,
+        DynamicItem<WebSession> webSession,
         Provider<ParameterParser> paramParser,
         AuditService auditService) {
       this.currentUser = currentUser;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/GerritJsonServlet.java

@@ -21,6 +21,7 @@ import com.google.gerrit.audit.RpcAuditEvent;
 import com.google.gerrit.common.audit.Audit;
 import com.google.gerrit.common.auth.SignInRequired;
 import com.google.gerrit.common.errors.NotSignedInException;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.server.AccessPath;
 import com.google.gerrit.server.CurrentUser;
@@ -32,7 +33,6 @@ import com.google.gwtjsonrpc.server.JsonServlet;
 import com.google.gwtjsonrpc.server.MethodHandle;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
-import com.google.inject.Provider;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -54,13 +54,13 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
       new ThreadLocal<>();
   private static final ThreadLocal<MethodHandle> currentMethod =
       new ThreadLocal<>();
-  private final Provider<WebSession> session;
+  private final DynamicItem<WebSession> session;
   private final RemoteJsonService service;
   private final AuditService audit;
 
 
   @Inject
-  GerritJsonServlet(final Provider<WebSession> w, final RemoteJsonService s,
+  GerritJsonServlet(final DynamicItem<WebSession> w, final RemoteJsonService s,
       final AuditService a) {
     session = w;
     service = s;

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/ExternalIdDetailFactory.java

@@ -16,6 +16,7 @@ package com.google.gerrit.httpd.rpc.account;
 
 import static com.google.gerrit.reviewdb.client.AccountExternalId.SCHEME_USERNAME;
 
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.httpd.rpc.Handler;
 import com.google.gerrit.reviewdb.client.AccountExternalId;
@@ -36,11 +37,11 @@ class ExternalIdDetailFactory extends Handler<List<AccountExternalId>> {
   private final ReviewDb db;
   private final IdentifiedUser user;
   private final AuthConfig authConfig;
-  private final WebSession session;
+  private final DynamicItem<WebSession> session;
 
   @Inject
   ExternalIdDetailFactory(final ReviewDb db, final IdentifiedUser user,
-      final AuthConfig authConfig, final WebSession session) {
+      final AuthConfig authConfig, final DynamicItem<WebSession> session) {
     this.db = db;
     this.user = user;
     this.authConfig = authConfig;
@@ -49,7 +50,7 @@ class ExternalIdDetailFactory extends Handler<List<AccountExternalId>> {
 
   @Override
   public List<AccountExternalId> call() throws OrmException {
-    final AccountExternalId.Key last = session.getLastLoginExternalId();
+    final AccountExternalId.Key last = session.get().getLastLoginExternalId();
     final List<AccountExternalId> ids =
         db.accountExternalIds().byAccount(user.getAccountId()).toList();
 

gerrit-openid/src/main/java/com/google/gerrit/httpd/auth/openid/OpenIdServiceImpl.java

@@ -16,6 +16,7 @@ package com.google.gerrit.httpd.auth.openid;
 
 import com.google.gerrit.common.PageLinks;
 import com.google.gerrit.common.auth.openid.OpenIdUrls;
+import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.httpd.CanonicalWebUrl;
 import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.reviewdb.client.Account;
@@ -90,7 +91,7 @@ class OpenIdServiceImpl {
   private static final String SCHEMA_LASTNAME =
       "http://schema.openid.net/namePerson/last";
 
-  private final Provider<WebSession> webSession;
+  private final DynamicItem<WebSession> webSession;
   private final Provider<IdentifiedUser> identifiedUser;
   private final CanonicalWebUrl urlProvider;
   private final AccountManager accountManager;
@@ -102,7 +103,7 @@ class OpenIdServiceImpl {
   private final int papeMaxAuthAge;
 
   @Inject
-  OpenIdServiceImpl(final Provider<WebSession> cf,
+  OpenIdServiceImpl(final DynamicItem<WebSession> cf,
       final Provider<IdentifiedUser> iu,
       CanonicalWebUrl up,
       @GerritServerConfig final Config config, final AuthConfig ac,

gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java

@@ -20,9 +20,9 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Objects;
 import com.google.gerrit.common.ChangeHookRunner;
 import com.google.gerrit.httpd.AllRequestFilter;
-import com.google.gerrit.httpd.CacheBasedWebSession;
 import com.google.gerrit.httpd.GerritUiOptions;
 import com.google.gerrit.httpd.GitOverHttpModule;
+import com.google.gerrit.httpd.H2CacheBasedWebSession;
 import com.google.gerrit.httpd.HttpCanonicalWebUrlProvider;
 import com.google.gerrit.httpd.RequestContextFilter;
 import com.google.gerrit.httpd.WebModule;
@@ -407,7 +407,7 @@ public class Daemon extends SiteProgram {
     }
     modules.add(RequestContextFilter.module());
     modules.add(AllRequestFilter.module());
-    modules.add(CacheBasedWebSession.module());
+    modules.add(H2CacheBasedWebSession.module());
     modules.add(HttpContactStoreConnection.module());
     modules.add(sysInjector.getInstance(GitOverHttpModule.class));
     modules.add(sysInjector.getInstance(WebModule.class));

gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java

@@ -332,7 +332,7 @@ public class WebAppInitializer extends GuiceServletContextListener
     } else {
       modules.add(new NoSshModule());
     }
-    modules.add(CacheBasedWebSession.module());
+    modules.add(H2CacheBasedWebSession.module());
     modules.add(HttpContactStoreConnection.module());
     modules.add(new HttpPluginModule());