Rewrote the flow according to last tests and strange LR behavior in session management
This commit is contained in:
Mauro Mugnaini
parent
fa407f471a
commit
b110e21b3f
|
|
@ -25,6 +25,7 @@ import org.gcube.common.scope.api.ScopeProvider;
|
||||||
import org.gcube.oidc.rest.JWTToken;
|
import org.gcube.oidc.rest.JWTToken;
|
||||||
import org.gcube.oidc.rest.OpenIdConnectConfiguration;
|
import org.gcube.oidc.rest.OpenIdConnectConfiguration;
|
||||||
import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
|
import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
|
||||||
|
import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
|
||||||
import org.gcube.portal.oidc.lr62.JWTCacheProxy;
|
import org.gcube.portal.oidc.lr62.JWTCacheProxy;
|
||||||
import org.gcube.portal.oidc.lr62.JWTTokenUtil;
|
import org.gcube.portal.oidc.lr62.JWTTokenUtil;
|
||||||
import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration;
|
import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration;
|
||||||
|
|
@ -83,10 +84,17 @@ public class SmartGearsPortalValve extends ValveBase {
|
||||||
getNext().invoke(req, resp);
|
getNext().invoke(req, resp);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void checkUMATicket(HttpServletRequest request, String scope) {
|
private synchronized void checkUMATicket(HttpServletRequest request, String scope) {
|
||||||
|
_log.debug("Getting current user");
|
||||||
|
User user = getCurrentUser(request);
|
||||||
|
if (user == null) {
|
||||||
|
// Almost impossible
|
||||||
|
_log.error("Current user not found, cannot continue");
|
||||||
|
return;
|
||||||
|
}
|
||||||
HttpSession session = request.getSession(false);
|
HttpSession session = request.getSession(false);
|
||||||
if (session == null) {
|
if (session == null) {
|
||||||
_log.debug("Session is null");
|
_log.debug("Session is null, cannot continue");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
String urlEncodedScope = null;
|
String urlEncodedScope = null;
|
||||||
|
|
@ -97,36 +105,49 @@ public class SmartGearsPortalValve extends ValveBase {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
_log.debug("URL encoded scope is: {}", urlEncodedScope);
|
_log.debug("URL encoded scope is: {}", urlEncodedScope);
|
||||||
_log.debug("Getting UMA token from session");
|
_log.trace("Getting UMA token from session: {}", session);
|
||||||
JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session);
|
JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session);
|
||||||
if (umaToken == null) {
|
if (umaToken == null) {
|
||||||
_log.debug("UMA token not found in session");
|
_log.debug("UMA token not found in session. Trying to get it from cache proxy");
|
||||||
|
|
||||||
_log.debug("Getting current user");
|
|
||||||
User user = getCurrentUser(request);
|
|
||||||
if (user == null) {
|
|
||||||
// Almost impossible
|
|
||||||
_log.error("Current user not found, cannot continue");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
_log.debug("Trying to get UMA token from cache proxy");
|
|
||||||
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
|
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
|
||||||
}
|
}
|
||||||
|
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
|
||||||
|
if (JWTTokenUtil.getUMAFromSession(session) == null) {
|
||||||
|
_log.debug("Setting UMA token in session");
|
||||||
|
JWTTokenUtil.putUMAInSession(umaToken, session);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) {
|
||||||
|
_log.debug("UMA token is expired, trying to refresh it");
|
||||||
|
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
|
||||||
|
try {
|
||||||
|
umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
|
||||||
|
_log.debug("Setting refreshed UMA token in cache proxy");
|
||||||
|
JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken);
|
||||||
|
_log.debug("Setting refreshed UMA token in session");
|
||||||
|
JWTTokenUtil.putUMAInSession(umaToken, session);
|
||||||
|
} catch (OpenIdConnectRESTHelperException e) {
|
||||||
|
if (e.hasJSONPayload() && OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
|
||||||
|
_log.info("UMA token is no more active, get new one");
|
||||||
|
} else {
|
||||||
|
_log.warn("Refreshing UMA token on server", e);
|
||||||
|
}
|
||||||
|
umaToken = null;
|
||||||
|
_log.info("Removing probably inactive OIDC token from session");
|
||||||
|
JWTTokenUtil.removeOIDCFromSession(session);
|
||||||
|
_log.info("Removing all inactive UMA token from session and from cache proxy if present");
|
||||||
|
JWTTokenUtil.removeUMAFromSession(session);
|
||||||
|
JWTCacheProxy.getInstance().removeUMAToken(user, session);
|
||||||
|
}
|
||||||
|
}
|
||||||
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
|
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
|
||||||
boolean scopeIsChanged = false;
|
boolean scopeIsChanged = false;
|
||||||
if (umaToken == null) {
|
if (umaToken == null) {
|
||||||
_log.debug("UMA token is null. Getting new one...");
|
_log.debug("Getting new UMA token for scope {}", urlEncodedScope);
|
||||||
} else {
|
} else if (umaToken.getAud().contains(urlEncodedScope)) {
|
||||||
scopeIsChanged = true;
|
scopeIsChanged = true;
|
||||||
_log.info("UMA token has been issued for another scope (" + umaToken.getAud()
|
_log.info("UMA token has been issued for another scope ({}). Getting new one for scope: {}",
|
||||||
+ "). Getting new one for scope: " + urlEncodedScope);
|
umaToken.getAud(), urlEncodedScope);
|
||||||
}
|
|
||||||
_log.debug("Getting current user");
|
|
||||||
User user = getCurrentUser(request);
|
|
||||||
if (user == null) {
|
|
||||||
// Almost impossible
|
|
||||||
_log.error("Current user not found, cannot continue");
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
_log.debug("Getting OIDC token from session");
|
_log.debug("Getting OIDC token from session");
|
||||||
JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session);
|
JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session);
|
||||||
|
|
@ -151,47 +172,29 @@ public class SmartGearsPortalValve extends ValveBase {
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken);
|
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken);
|
||||||
} catch (Exception e) {
|
} catch (OpenIdConnectRESTHelperException e) {
|
||||||
_log.error("Refreshing OIDC token on server", e);
|
_log.error("Refreshing OIDC token on server", e);
|
||||||
|
// TODO check if a session not active token and consider if force redirect to /c/portal/logout
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
_log.debug("Setting refreshed OIDC token in cache proxy");
|
_log.debug("Setting refreshed OIDC token in cache proxy and in session");
|
||||||
JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken);
|
JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken);
|
||||||
_log.debug("Setting refreshed OIDC token in session");
|
|
||||||
JWTTokenUtil.putOIDCInSession(authToken, session);
|
JWTTokenUtil.putOIDCInSession(authToken, session);
|
||||||
}
|
}
|
||||||
_log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
|
_log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
|
||||||
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
|
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
|
||||||
authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
|
authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
|
||||||
} catch (Exception e) {
|
} catch (OpenIdConnectRESTHelperException e) {
|
||||||
_log.error("Getting UMA token from server", e);
|
_log.error("Getting UMA token from server", e);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
_log.debug("Setting UMA token in cache proxy");
|
}
|
||||||
|
_log.debug("Setting UMA token in cache proxy and in session");
|
||||||
JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken);
|
JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken);
|
||||||
_log.debug("Setting UMA token in session");
|
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
JWTTokenUtil.putUMAInSession(umaToken, session);
|
||||||
} else {
|
|
||||||
if (umaToken.isExpired()) {
|
|
||||||
_log.debug("UMA token is expired, refreshing it");
|
|
||||||
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
|
|
||||||
try {
|
|
||||||
umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
|
|
||||||
} catch (Exception e) {
|
|
||||||
_log.error("Refreshing UMA token on server", e);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
_log.debug("Setting refreshed UMA token in cache proxy");
|
|
||||||
JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken);
|
|
||||||
_log.debug("Setting refreshed UMA token in session");
|
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
|
||||||
} else if (JWTTokenUtil.getUMAFromSession(session) == null) {
|
|
||||||
_log.debug("Setting UMA token in session");
|
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
_log.debug("Current UMA token audience is: {}", umaToken.getAud());
|
_log.trace("Current UMA token audience is: {}", umaToken.getAud());
|
||||||
|
|
||||||
_log.debug("Setting UMA token in UMA JWT provider");
|
_log.debug("Setting UMA token in UMA JWT provider");
|
||||||
UmaJWTProvider.instance.set(umaToken.getRaw());
|
UmaJWTProvider.instance.set(umaToken.getRaw());
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue