Remove the user of the session to store objects and rely on cache proxy only adding a mutex to avoid concurrency problems
This commit is contained in:
parent
1a0f9b5086
commit
fc18dda68e
|
@ -28,7 +28,6 @@ import org.gcube.oidc.rest.OpenIdConnectConfiguration;
|
||||||
import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
|
import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
|
||||||
import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
|
import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
|
||||||
import org.gcube.portal.oidc.lr62.JWTCacheProxy;
|
import org.gcube.portal.oidc.lr62.JWTCacheProxy;
|
||||||
import org.gcube.portal.oidc.lr62.JWTTokenUtil;
|
|
||||||
import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration;
|
import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -115,202 +114,161 @@ public class SmartGearsPortalValve extends ValveBase {
|
||||||
_log.debug("Current PURet user null");
|
_log.debug("Current PURet user null");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HttpSession session = request.getSession(false);
|
JWTToken umaToken = null;
|
||||||
if (session == null) {
|
synchronized (JWTCacheProxy.getInstance().getMutexFor(user)) {
|
||||||
_log.debug("Session is null, cannot continue");
|
HttpSession session = request.getSession(false);
|
||||||
return;
|
if (session == null) {
|
||||||
} else {
|
_log.debug("Session is null, cannot continue");
|
||||||
_log.debug("Current session ID is {} and class instance is [{}]", session.getId(),
|
return;
|
||||||
Integer.toHexString(session.hashCode()));
|
|
||||||
}
|
|
||||||
String urlEncodedScope = null;
|
|
||||||
try {
|
|
||||||
urlEncodedScope = URLEncoder.encode(scope, "UTF-8");
|
|
||||||
} catch (UnsupportedEncodingException e) {
|
|
||||||
// Almost impossible
|
|
||||||
_log.error("Cannot URL encode scope", e);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
_log.debug("URL encoded scope is: {}", urlEncodedScope);
|
|
||||||
|
|
||||||
_log.trace("Getting UMA token from session {} [{}]", session.getId(), Integer.toHexString(session.hashCode()));
|
|
||||||
JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session);
|
|
||||||
if (umaToken == null) {
|
|
||||||
_log.debug("UMA token not found in session. Trying to get it from cache proxy");
|
|
||||||
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
|
|
||||||
}
|
|
||||||
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
|
|
||||||
_log.trace("Current UMA token is OK [{}]", umaToken.getTokenEssentials());
|
|
||||||
if (JWTTokenUtil.getUMAFromSession(session) == null) {
|
|
||||||
_log.debug("Setting UMA token also in current session {} [{}]", session.getId(),
|
|
||||||
Integer.toHexString(session.hashCode()));
|
|
||||||
|
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
|
||||||
}
|
}
|
||||||
} else if (JWTCacheProxy.getInstance().getUMAToken(user, session) != null
|
String sessionId = session.getId();
|
||||||
&& !JWTCacheProxy.getInstance().getUMAToken(user, session).isExpired()
|
_log.debug("Current session ID is {}", sessionId);
|
||||||
&& JWTCacheProxy.getInstance().getUMAToken(user, session).getAud().contains(urlEncodedScope)) {
|
String urlEncodedScope = null;
|
||||||
|
try {
|
||||||
_log.debug("Cache proxy already contains the suitable UMA token: {}", umaToken.getTokenEssentials());
|
urlEncodedScope = URLEncoder.encode(scope, "UTF-8");
|
||||||
_log.debug("Putting it also in session {} [{}] and using it", session.getId(),
|
} catch (UnsupportedEncodingException e) {
|
||||||
Integer.toHexString(session.hashCode()));
|
// Almost impossible
|
||||||
|
_log.error("Cannot URL encode scope", e);
|
||||||
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
|
return;
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
|
||||||
} else {
|
|
||||||
if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) {
|
|
||||||
_log.debug("UMA token is expired, trying to refresh it [{}]", umaToken.getTokenEssentials());
|
|
||||||
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
|
|
||||||
.getConfiguration(request);
|
|
||||||
try {
|
|
||||||
umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
|
|
||||||
_log.debug("Setting refreshed UMA token in cache proxy [{}]", umaToken.getTokenEssentials());
|
|
||||||
JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken);
|
|
||||||
_log.debug("Setting refreshed UMA token in session {} [{}]", session.getId(),
|
|
||||||
Integer.toHexString(session.hashCode()));
|
|
||||||
|
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
|
||||||
} catch (OpenIdConnectRESTHelperException e) {
|
|
||||||
if (e.hasJSONPayload()) {
|
|
||||||
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
|
|
||||||
if (FORCE_LOGOUT_ON_INVALID_OIDC) {
|
|
||||||
_log.warn("OIDC token is become invalid, forcing redirect to logout URI");
|
|
||||||
forceLogout(session, response);
|
|
||||||
} else {
|
|
||||||
_log.warn("OIDC token is become invalid, cannot continue");
|
|
||||||
}
|
|
||||||
return;
|
|
||||||
} else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
|
|
||||||
_log.info("UMA token is no more active, get new one");
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
_log.error("Refreshing UMA token on server [" + umaToken.getTokenEssentials() + "]", e);
|
|
||||||
}
|
|
||||||
umaToken = null;
|
|
||||||
_log.info("Removing probably inactive OIDC token from session {} [{}}", session.getId(),
|
|
||||||
Integer.toHexString(session.hashCode()));
|
|
||||||
|
|
||||||
JWTTokenUtil.removeOIDCFromSession(session);
|
|
||||||
_log.info("Removing all inactive UMA token from session {} [{}] and from cache proxy if present",
|
|
||||||
session.getId(), Integer.toHexString(session.hashCode()));
|
|
||||||
|
|
||||||
JWTTokenUtil.removeUMAFromSession(session);
|
|
||||||
JWTCacheProxy.getInstance().removeUMAToken(user, session);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
|
_log.debug("URL encoded scope is: {}", urlEncodedScope);
|
||||||
boolean scopeIsChanged = false;
|
|
||||||
if (umaToken == null) {
|
|
||||||
_log.debug("Getting new UMA token for scope {}", urlEncodedScope);
|
|
||||||
} else if (!umaToken.getAud().contains(urlEncodedScope)) {
|
|
||||||
scopeIsChanged = true;
|
|
||||||
_log.info("Getting new UMA for scope {} since it has been issued for another scope [{}]",
|
|
||||||
urlEncodedScope, umaToken.getTokenEssentials());
|
|
||||||
}
|
|
||||||
_log.debug("Getting OIDC token from session {} [{}]", session.getId(),
|
|
||||||
Integer.toHexString(session.hashCode()));
|
|
||||||
|
|
||||||
JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session);
|
_log.trace("Getting UMA token for session {}", sessionId);
|
||||||
if (authToken == null) {
|
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, sessionId);
|
||||||
_log.debug("OIDC token not found in session. Trying to get it from cache proxy");
|
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
|
||||||
authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session);
|
_log.trace("Current UMA token is OK [{}]", umaToken.getTokenEssentials());
|
||||||
if (authToken == null) {
|
} else {
|
||||||
_log.info("OIDC token is null also in cache proxy");
|
if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) {
|
||||||
if (FORCE_LOGOUT_ON_MISSING_OIDC) {
|
_log.debug("UMA token is expired, trying to refresh it [{}]", umaToken.getTokenEssentials());
|
||||||
_log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI");
|
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
|
||||||
forceLogout(session, response);
|
.getConfiguration(request);
|
||||||
} else {
|
|
||||||
_log.error("OIDC token is null also in cache proxy, cannot continue!");
|
|
||||||
}
|
|
||||||
return;
|
|
||||||
} else {
|
|
||||||
_log.debug("Setting OIDC token took from cache proxy in session {} [{}}", session.getId(),
|
|
||||||
Integer.toHexString(session.hashCode()));
|
|
||||||
|
|
||||||
JWTTokenUtil.putOIDCInSession(authToken, session);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
|
|
||||||
boolean isNotAuthorized = false;
|
|
||||||
int authorizationAttempts = 0;
|
|
||||||
do {
|
|
||||||
try {
|
try {
|
||||||
if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) {
|
umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
|
||||||
if (isNotAuthorized) {
|
_log.debug("Setting refreshed UMA token in cache proxy [{}]", umaToken.getTokenEssentials());
|
||||||
_log.info(
|
JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
|
||||||
"UMA token is not authorized with current OIDC token, "
|
|
||||||
+ "refreshing it to be sure that new grants are present. "
|
|
||||||
+ "[attempts: {}]",
|
|
||||||
authorizationAttempts);
|
|
||||||
} else if (scopeIsChanged) {
|
|
||||||
_log.info(
|
|
||||||
"Scope is changed, refreshing token to be sure that new grants are present");
|
|
||||||
} else if (authToken.isExpired()) {
|
|
||||||
_log.debug("OIDC token is expired, trying to refresh it [{}]",
|
|
||||||
authToken.getTokenEssentials());
|
|
||||||
}
|
|
||||||
try {
|
|
||||||
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(),
|
|
||||||
authToken);
|
|
||||||
} catch (OpenIdConnectRESTHelperException e) {
|
|
||||||
if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
|
|
||||||
_log.warn("Error refreshing OIDC token, force redirecting to logut URI");
|
|
||||||
forceLogout(session, response);
|
|
||||||
} else {
|
|
||||||
_log.error("Refreshing OIDC token on server", e);
|
|
||||||
}
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
_log.debug("Setting refreshed OIDC token in cache proxy and session");
|
|
||||||
JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken);
|
|
||||||
JWTTokenUtil.putOIDCInSession(authToken, session);
|
|
||||||
}
|
|
||||||
_log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
|
|
||||||
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
|
|
||||||
authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
|
|
||||||
|
|
||||||
} catch (OpenIdConnectRESTHelperException e) {
|
} catch (OpenIdConnectRESTHelperException e) {
|
||||||
if (e.hasJSONPayload()) {
|
if (e.hasJSONPayload()) {
|
||||||
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
|
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
|
||||||
if (FORCE_LOGOUT_ON_INVALID_OIDC) {
|
if (FORCE_LOGOUT_ON_INVALID_OIDC) {
|
||||||
_log.warn("OIDC token is become invalid, forcing redirect to logout URI");
|
_log.warn("OIDC token is become invalid, forcing redirect to logout URI");
|
||||||
forceLogout(session, response);
|
forceLogout(response);
|
||||||
} else {
|
} else {
|
||||||
_log.error("OIDC token is become invalid, cannot continue");
|
_log.warn("OIDC token is become invalid, cannot continue");
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
} else if (OpenIdConnectRESTHelper
|
} else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
|
||||||
.isAccessDeniedNotAuthorizedError(e.getResponseString())) {
|
_log.info("UMA token is no more active, get new one");
|
||||||
_log.info("UMA token is" + (isNotAuthorized ? " still" : "")
|
|
||||||
+ " not authorized with actual OIDC token");
|
|
||||||
|
|
||||||
isNotAuthorized = true;
|
|
||||||
authorizationAttempts += 1;
|
|
||||||
if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) {
|
|
||||||
_log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY
|
|
||||||
+ " ms and refreshing the OIDC");
|
|
||||||
try {
|
|
||||||
Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY);
|
|
||||||
} catch (InterruptedException ie) {
|
|
||||||
ie.printStackTrace();
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
_log.warn("OIDC token refresh attempts exhausted");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
_log.error("Getting UMA token from server", e);
|
_log.error("Refreshing UMA token on server [" + umaToken.getTokenEssentials() + "]", e);
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
umaToken = null;
|
||||||
|
_log.info("Removing inactive UMA token from cache proxy if present");
|
||||||
|
JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
|
||||||
}
|
}
|
||||||
} while (isNotAuthorized);
|
}
|
||||||
}
|
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
|
||||||
_log.debug("Setting UMA token in cache proxy and in session {} [{}]", session.getId(),
|
boolean scopeIsChanged = false;
|
||||||
Integer.toHexString(session.hashCode()));
|
if (umaToken == null) {
|
||||||
|
_log.debug("Getting new UMA token for scope {}", urlEncodedScope);
|
||||||
|
} else if (!umaToken.getAud().contains(urlEncodedScope)) {
|
||||||
|
scopeIsChanged = true;
|
||||||
|
_log.info("Getting new UMA for scope {} since it has been issued for another scope [{}]",
|
||||||
|
urlEncodedScope, umaToken.getTokenEssentials());
|
||||||
|
}
|
||||||
|
_log.debug("Getting OIDC token from cache proxy");
|
||||||
|
|
||||||
JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken);
|
JWTToken authToken = JWTCacheProxy.getInstance().getOIDCToken(user, sessionId);
|
||||||
JWTTokenUtil.putUMAInSession(umaToken, session);
|
if (authToken == null) {
|
||||||
|
_log.info("OIDC token is null also in cache proxy");
|
||||||
|
if (FORCE_LOGOUT_ON_MISSING_OIDC) {
|
||||||
|
_log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI");
|
||||||
|
forceLogout(response);
|
||||||
|
} else {
|
||||||
|
_log.error("OIDC token is null also in cache proxy, cannot continue!");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
|
||||||
|
.getConfiguration(request);
|
||||||
|
boolean isNotAuthorized = false;
|
||||||
|
int authorizationAttempts = 0;
|
||||||
|
do {
|
||||||
|
try {
|
||||||
|
if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) {
|
||||||
|
if (isNotAuthorized) {
|
||||||
|
_log.info(
|
||||||
|
"UMA token is not authorized with current OIDC token, "
|
||||||
|
+ "refreshing it to be sure that new grants are present. "
|
||||||
|
+ "[attempts: {}]",
|
||||||
|
authorizationAttempts);
|
||||||
|
} else if (scopeIsChanged) {
|
||||||
|
_log.info(
|
||||||
|
"Scope is changed, refreshing token to be sure that new grants are present");
|
||||||
|
} else if (authToken.isExpired()) {
|
||||||
|
_log.debug("OIDC token is expired, trying to refresh it [{}]",
|
||||||
|
authToken.getTokenEssentials());
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(),
|
||||||
|
authToken);
|
||||||
|
} catch (OpenIdConnectRESTHelperException e) {
|
||||||
|
if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
|
||||||
|
_log.warn("Error refreshing OIDC token, force redirecting to logut URI");
|
||||||
|
forceLogout(response);
|
||||||
|
} else {
|
||||||
|
_log.error("Refreshing OIDC token on server", e);
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
_log.debug("Setting refreshed OIDC token in cache proxy");
|
||||||
|
JWTCacheProxy.getInstance().setOIDCToken(user, sessionId, authToken);
|
||||||
|
}
|
||||||
|
_log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
|
||||||
|
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
|
||||||
|
authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
|
||||||
|
|
||||||
|
} catch (OpenIdConnectRESTHelperException e) {
|
||||||
|
if (e.hasJSONPayload()) {
|
||||||
|
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
|
||||||
|
if (FORCE_LOGOUT_ON_INVALID_OIDC) {
|
||||||
|
_log.warn("OIDC token is become invalid, forcing redirect to logout URI");
|
||||||
|
forceLogout(response);
|
||||||
|
} else {
|
||||||
|
_log.error("OIDC token is become invalid, cannot continue");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
} else if (OpenIdConnectRESTHelper
|
||||||
|
.isAccessDeniedNotAuthorizedError(e.getResponseString())) {
|
||||||
|
_log.info("UMA token is" + (isNotAuthorized ? " still" : "")
|
||||||
|
+ " not authorized with actual OIDC token");
|
||||||
|
|
||||||
|
isNotAuthorized = true;
|
||||||
|
authorizationAttempts += 1;
|
||||||
|
if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) {
|
||||||
|
_log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY
|
||||||
|
+ " ms and refreshing the OIDC");
|
||||||
|
try {
|
||||||
|
Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY);
|
||||||
|
} catch (InterruptedException ie) {
|
||||||
|
ie.printStackTrace();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
_log.warn("OIDC token refresh attempts exhausted");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
_log.error("Getting UMA token from server", e);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} while (isNotAuthorized);
|
||||||
|
}
|
||||||
|
_log.debug("Setting UMA token in cache proxy");
|
||||||
|
|
||||||
|
JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
_log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
|
_log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
|
||||||
|
|
||||||
|
@ -318,7 +276,7 @@ public class SmartGearsPortalValve extends ValveBase {
|
||||||
UmaJWTProvider.instance.set(umaToken.getRaw());
|
UmaJWTProvider.instance.set(umaToken.getRaw());
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void forceLogout(HttpSession session, HttpServletResponse response) {
|
protected void forceLogout(HttpServletResponse response) {
|
||||||
try {
|
try {
|
||||||
if (!response.isCommitted()) {
|
if (!response.isCommitted()) {
|
||||||
response.sendRedirect(LOGOUT_URI);
|
response.sendRedirect(LOGOUT_URI);
|
||||||
|
|
Loading…
Reference in New Issue