From 25446eb2216f146caefdcb0fbae7617dd7c5c6cf Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Tue, 28 Sep 2010 04:28:38 +0000
Subject: JETTY-1281 Create new session after authentication

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2304 7e9141cc-0065-0410-87d8-b60c137991c4
---
.../org/eclipse/jetty/security/Authenticator.java | 10 +++--
.../jetty/security/ConstraintSecurityHandler.java | 23 ++++-------
.../security/DefaultAuthenticatorFactory.java | 6 +--
.../eclipse/jetty/security/SecurityHandler.java | 23 ++++++++++-
.../authentication/BasicAuthenticator.java | 3 ++
.../authentication/ClientCertAuthenticator.java | 3 ++
.../authentication/DigestAuthenticator.java | 3 ++
.../security/authentication/FormAuthenticator.java | 6 ++-
.../authentication/LoginAuthenticator.java | 44 +++++++++++++++++++++-
9 files changed, 95 insertions(+), 26 deletions(-)
(limited to 'jetty-security/src/main/java/org/eclipse/jetty/security')

diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
index 0852bf5f9b..ef18620371 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/Authenticator.java
@@ -22,6 +22,7 @@ import javax.servlet.ServletResponse;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.Authentication.User;
+import org.eclipse.jetty.server.SessionManager;
 
 /**
 * Authenticator Interface
@@ -40,7 +41,7 @@ public interface Authenticator
 * Configure the Authenticator
 * @param configuration
 */
- void setConfiguration(Configuration configuration);
+ void setConfiguration(AuthConfiguration configuration);
 
 /* ------------------------------------------------------------ */
 /**
@@ -80,7 +81,7 @@ public interface Authenticator
 /**
 * Authenticator Configuration
 */
- interface Configuration
+ interface AuthConfiguration
 {
 String getAuthMethod();
 String getRealmName();
@@ -88,16 +89,17 @@ public interface Authenticator
 Set getInitParameterNames();
 LoginService getLoginService();
 IdentityService getIdentityService();
+ boolean isSessionRenewedOnAuthentication();
 }
 
 /* ------------------------------------------------------------ */
 /* ------------------------------------------------------------ */
 /* ------------------------------------------------------------ */
 /**
- * Authenticator Facotory
+ * Authenticator Factory
 */
 interface Factory
 {
- Authenticator getAuthenticator(Server server, ServletContext context, Configuration configuration, IdentityService identityService, LoginService loginService);
+ Authenticator getAuthenticator(Server server, ServletContext context, AuthConfiguration configuration, IdentityService identityService, LoginService loginService);
 }
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index 2526b19d0d..bd783ce1f0 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -29,7 +29,10 @@ import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConnection;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
+import org.eclipse.jetty.server.SessionManager;
 import org.eclipse.jetty.server.UserIdentity;
+import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.server.session.SessionHandler;
 import org.eclipse.jetty.util.StringMap;
 
 /* ------------------------------------------------------------ */
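Review bot: Adding the abstract `boolean isSessionRenewedOnAuthentication();` to the nested interface and renaming it from `Configuration` to `AuthConfiguration` (here and in the `setConfiguration` hunk above) are both source-incompatible for any third-party implementor of Authenticator.Configuration or Authenticator.Factory, and neither the commit message nor the code says so. The new method also has no Javadoc; I'd add `/** @return true if the HTTP session should be replaced with a new one when a request is first authenticated */` above it, since the renewal behaviour itself lives in LoginAuthenticator and is not discoverable from this interface. The `SessionManager` import added to this file, to ConstraintSecurityHandler.java below and to LoginAuthenticator.java later in the patch is not referenced by any visible hunk line, so it looks like a leftover.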
@@ -45,6 +48,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr private final Set _roles = new CopyOnWriteArraySet(); private final PathMap _constraintMap = new PathMap(); private boolean _strict = true; + private SessionHandler _sessionHandler; /* ------------------------------------------------------------ */ @@ -92,13 +96,6 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr return _roles; } - /* ------------------------------------------------------------ */ - @Deprecated - public void setConstraintMappings(ConstraintMapping[] constraintMappings) - { - setConstraintMappings(Arrays.asList(constraintMappings),null); - } - /* ------------------------------------------------------------ */ /** * Process the constraints following the combining rules in Servlet 3.0 EA @@ -112,14 +109,6 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr { setConstraintMappings(constraintMappings,null); } - - - /* ------------------------------------------------------------ */ - @Deprecated - public void setConstraintMappings(ConstraintMapping[] constraintMappings, Set roles) - { - setConstraintMappings(Arrays.asList(constraintMappings),roles); - } /* ------------------------------------------------------------ */ /** @@ -226,6 +215,10 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr processContraintMapping(mapping); } } + + if (ContextHandler.getCurrentContext()!=null) + _sessionHandler = ContextHandler.getCurrentContext().getContextHandler().getNestedHandlerByClass(SessionHandler.class); + super.doStart(); } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java index bec4b347c1..3f3d12b83e 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java 
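Review bot: `_sessionHandler` is assigned in doStart() via `ContextHandler.getCurrentContext().getContextHandler().getNestedHandlerByClass(SessionHandler.class)` but is never read in any visible hunk, so as committed the field and the lookup are dead code; if a later use is intended, the result of `getContextHandler()` is dereferenced without a null check even though `getCurrentContext()` itself is guarded. Removing the two deprecated `setConstraintMappings(ConstraintMapping[] ...)` overloads is a source-incompatible change for callers still on the array form and, if `Arrays` is no longer referenced elsewhere in the file, leaves an unused import; the diffstat's net deletions for this file support that reading but the rest of the file is outside the hunk. doStart() starts outside the hunk.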
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java @@ -16,7 +16,7 @@ package org.eclipse.jetty.security; import javax.servlet.ServletContext; import org.eclipse.jetty.http.security.Constraint; -import org.eclipse.jetty.security.Authenticator.Configuration; +import org.eclipse.jetty.security.Authenticator.AuthConfiguration; import org.eclipse.jetty.security.authentication.BasicAuthenticator; import org.eclipse.jetty.security.authentication.ClientCertAuthenticator; import org.eclipse.jetty.security.authentication.DigestAuthenticator; @@ -26,7 +26,7 @@ import org.eclipse.jetty.server.Server; /* ------------------------------------------------------------ */ /** * The Default Authenticator Factory. - * Uses the {@link Configuration#getAuthMethod()} to select an {@link Authenticator} from:
    + * Uses the {@link AuthConfiguration#getAuthMethod()} to select an {@link Authenticator} from:
      *
    • {@link org.eclipse.jetty.security.authentication.BasicAuthenticator}
    • *
    • {@link org.eclipse.jetty.security.authentication.DigestAuthenticator}
    • *
    • {@link org.eclipse.jetty.security.authentication.FormAuthenticator}
    • @@ -48,7 +48,7 @@ public class DefaultAuthenticatorFactory implements Authenticator.Factory { LoginService _loginService; - public Authenticator getAuthenticator(Server server, ServletContext context, Configuration configuration, IdentityService identityService, LoginService loginService) + public Authenticator getAuthenticator(Server server, ServletContext context, AuthConfiguration configuration, IdentityService identityService, LoginService loginService) { String auth=configuration.getAuthMethod(); Authenticator authenticator=null; diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java index 0d78853666..1817419032 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java @@ -50,7 +50,7 @@ import org.eclipse.jetty.util.log.Log; * values in the SecurityHandler init parameters, are copied. * */ -public abstract class SecurityHandler extends HandlerWrapper implements Authenticator.Configuration +public abstract class SecurityHandler extends HandlerWrapper implements Authenticator.AuthConfiguration { /* ------------------------------------------------------------ */ private boolean _checkWelcomeFiles = false; @@ -62,6 +62,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti private LoginService _loginService; private boolean _loginServiceShared; private IdentityService _identityService; + private boolean _renewSession=true; /* ------------------------------------------------------------ */ protected SecurityHandler() 
@@ -372,6 +373,26 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
 }
 }
 
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.security.Authenticator.AuthConfiguration#isSessionRenewedOnAuthentication()
+ */
+ public boolean isSessionRenewedOnAuthentication()
+ {
+ return _renewSession;
+ }
+
+ /* ------------------------------------------------------------ */
+ /** Set renew the session on Authentication.
+ *

+ * If set to true, then on authentication, the session associated with a reqeuest is invalidated and replaced with a new session.
+ * @see org.eclipse.jetty.security.Authenticator.AuthConfiguration#isSessionRenewedOnAuthentication()
+ */
+ public void setSessionRenewedOnAuthentication(boolean renew)
+ {
+ _renewSession=renew;
+ }
+
 /* ------------------------------------------------------------ */
 /*
 * @see org.eclipse.jetty.server.Handler#handle(java.lang.String,
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index 5499923414..1b01db44a2 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -76,7 +76,10 @@ public class BasicAuthenticator extends LoginAuthenticator
 
 UserIdentity user = _loginService.login(username,password);
 if (user!=null)
+ {
+ renewSessionOnAuthentication(request,response);
 return new UserAuthentication(this,user);
+ }
 }
 }
 
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
index f40b7e66e8..a754209b74 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/ClientCertAuthenticator.java
@@ -75,7 +75,10 @@ public class ClientCertAuthenticator extends LoginAuthenticator
 
 UserIdentity user = _loginService.login(username,credential);
 if (user!=null)
+ {
+ renewSessionOnAuthentication(request,response);
 return new UserAuthentication(this,user);
+ }
 }
 }
 
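Review bot: The Javadoc on setSessionRenewedOnAuthentication does not say that renewal is on by default (`private boolean _renewSession=true;` in the field hunk earlier in this file) and has a typo; I'd make the description `* If set to true (the default), then on authentication the session associated with a request is invalidated and replaced with a new session.` The getter carries only an `@see` back to the interface, so a `@return true if the session is replaced with a new one on first authentication` line would let a reader understand the flag without following the link. Both methods are complete within the hunk; the enclosing class continues outside it.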
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index 9768b411c0..ad5295f538 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
@@ -127,7 +127,10 @@ public class DigestAuthenticator extends LoginAuthenticator
 {
 UserIdentity user = _loginService.login(digest.username,digest);
 if (user!=null)
+ {
+ renewSessionOnAuthentication(request,response);
 return new UserAuthentication(this,user);
+ }
 }
 else if (n == 0)
 stale = true;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index c546d40f7d..8edd0cafa2 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -93,10 +93,10 @@ public class FormAuthenticator extends LoginAuthenticator
 
 /* ------------------------------------------------------------ */
 /**
- * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.Configuration)
+ * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.AuthConfiguration)
 */
 @Override
- public void setConfiguration(Configuration configuration)
+ public void setConfiguration(AuthConfiguration configuration)
 {
 super.setConfiguration(configuration);
 String login=configuration.getInitParameter(FormAuthenticator.__FORM_LOGIN_PAGE);
@@ -181,6 +181,8 @@ public class FormAuthenticator extends LoginAuthenticator UserIdentity user = _loginService.login(username,password); if (user!=null) { + session=renewSessionOnAuthentication(request,response); + // Redirect to original request String nuri; synchronized(session) diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java index cf339d02cc..6e48881d30 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java @@ -13,21 +13,31 @@ package org.eclipse.jetty.security.authentication; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + import org.eclipse.jetty.security.Authenticator; import org.eclipse.jetty.security.IdentityService; import org.eclipse.jetty.security.LoginService; +import org.eclipse.jetty.server.SessionManager; public abstract class LoginAuthenticator implements Authenticator { protected final DeferredAuthentication _deferred=new DeferredAuthentication(this); protected LoginService _loginService; protected IdentityService _identityService; + private boolean _renewSession; protected LoginAuthenticator() { } - public void setConfiguration(Configuration configuration) + public void setConfiguration(AuthConfiguration configuration) { _loginService=configuration.getLoginService(); if (_loginService==null) 
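Review bot: `session=renewSessionOnAuthentication(request,response);` reassigns the local, but the helper invalidates the old session object, so any other reference to it taken earlier in this method (which starts before the hunk) would throw IllegalStateException on its next use; it is worth checking that `session` is the only alias. The helper returns `null` when the request has no session, in which case `synchronized(session)` two lines below throws NullPointerException, so the invariant the code relies on should be stated, for example `// session was created before the login POST, so the helper never returns null here`, if that is indeed guaranteed by the earlier part of the method. Presumably the redirect logic that follows reads the saved request attributes from the session and works only because the helper copies every attribute into the new session; a one-line comment saying so would make the dependency visible.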
@@ -35,10 +45,42 @@ public abstract class LoginAuthenticator implements Authenticator
 _identityService=configuration.getIdentityService();
 if (_identityService==null)
 throw new IllegalStateException("No IdentityService for "+this+" in "+configuration);
+ _renewSession=configuration.isSessionRenewedOnAuthentication();
 }
 
 public LoginService getLoginService()
 {
 return _loginService;
 }
+
+ /* ------------------------------------------------------------ */
+ /** Change the session when the request is authenticated for the first time
+ * @param request
+ * @param response
+ * @return The new session.
+ */
+ protected HttpSession renewSessionOnAuthentication(HttpServletRequest request, HttpServletResponse response)
+ {
+ HttpSession httpSession = request.getSession(false);
+ if (_renewSession && httpSession!=null && httpSession.getAttribute("org.eclipse.jetty.security.secured")==null)
+ {
+ synchronized (this)
+ {
+ Map attributes = new HashMap();
+ for (Enumeration e=httpSession.getAttributeNames();e.hasMoreElements();)
+ {
+ String name=e.nextElement();
+ attributes.put(name,httpSession.getAttribute(name));
+ httpSession.removeAttribute(name);
+ }
+ httpSession.invalidate();
+ httpSession = request.getSession(true);
+ httpSession.setAttribute("org.eclipse.jetty.security.secured",Boolean.TRUE);
+ for (Map.Entry entry: attributes.entrySet())
+ httpSession.setAttribute(entry.getKey(),entry.getValue());
+ }
+ }
+
+ return httpSession;
+ }
 }
-- 
cgit v1.2.3
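Review bot: The `@return The new session.` tag on renewSessionOnAuthentication is inaccurate: when `_renewSession` is false, the request has no session, or the `org.eclipse.jetty.security.secured` marker is already set, the method returns the existing session unchanged (possibly `null`), which callers that reassign their local from it need to know; I'd change it to `@return the renewed session, or the existing session (possibly {@code null}) when no renewal was performed`. `synchronized (this)` locks the shared authenticator rather than the session, so it serializes every renewal in the context yet does not stop a second concurrent request on the same session from observing it between `invalidate()` and `getSession(true)`, and an IllegalStateException from `invalidate()` on an already-invalidated session is not handled; either lock the session object or document why the authenticator-wide lock is the intent. Because the marker suppresses later renewals, a subsequent login as a different principal in the same session without an intervening invalidation keeps the old id, which the Javadoc should state since this looks like a session-fixation mitigation. `response` is unused, and the raw `Enumeration`/`Map` declarations look like type arguments stripped by the page rendering (`String name=e.nextElement()` would not compile against a raw Enumeration), so confirm against the source before treating them as a defect.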