diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java index 5cb5778..496307a 100644 --- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java +++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java @@ -25,6 +25,7 @@ import org.gcube.common.scope.api.ScopeProvider; import org.gcube.oidc.rest.JWTToken; import org.gcube.oidc.rest.OpenIdConnectConfiguration; import org.gcube.oidc.rest.OpenIdConnectRESTHelper; +import org.gcube.oidc.rest.OpenIdConnectRESTHelperException; import org.gcube.portal.oidc.lr62.JWTCacheProxy; import org.gcube.portal.oidc.lr62.JWTTokenUtil; import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration; @@ -83,10 +84,17 @@ public class SmartGearsPortalValve extends ValveBase { getNext().invoke(req, resp); } - private void checkUMATicket(HttpServletRequest request, String scope) { + private synchronized void checkUMATicket(HttpServletRequest request, String scope) { + _log.debug("Getting current user"); + User user = getCurrentUser(request); + if (user == null) { + // Almost impossible + _log.error("Current user not found, cannot continue"); + return; + } HttpSession session = request.getSession(false); if (session == null) { - _log.debug("Session is null"); + _log.debug("Session is null, cannot continue"); return; } String urlEncodedScope = null; @@ -97,101 +105,96 @@ public class SmartGearsPortalValve extends ValveBase { return; } _log.debug("URL encoded scope is: {}", urlEncodedScope); - _log.debug("Getting UMA token from session"); + _log.trace("Getting UMA token from session: {}", session); JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session); if (umaToken == null) { - _log.debug("UMA token not found in session"); - - _log.debug("Getting current user"); - User user = getCurrentUser(request); - if (user == null) { - // Almost impossible - _log.error("Current user not found, cannot continue"); - return; - } - _log.debug("Trying to get UMA token from cache proxy"); + _log.debug("UMA token not found in session. Trying to get it from cache proxy"); umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session); } - if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { - boolean scopeIsChanged = false; - if (umaToken == null) { - _log.debug("UMA token is null. Getting new one..."); - } else { - scopeIsChanged = true; - _log.info("UMA token has been issued for another scope (" + umaToken.getAud() - + "). Getting new one for scope: " + urlEncodedScope); - } - _log.debug("Getting current user"); - User user = getCurrentUser(request); - if (user == null) { - // Almost impossible - _log.error("Current user not found, cannot continue"); - return; - } - _log.debug("Getting OIDC token from session"); - JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); - if (authToken == null) { - _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); - authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session); - if (authToken == null) { - _log.warn("OIDC token is null also in cache proxy, cannot continue!"); - return; - } else { - _log.debug("Setting OIDC token took from cache proxy in session"); - JWTTokenUtil.putOIDCInSession(authToken, session); - } - } - OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); - try { - if (scopeIsChanged || authToken.isExpired()) { - if (scopeIsChanged) { - _log.info("Scope is changed, refreshing token to be sure that new grants are present"); - } else { - _log.debug("OIDC token is expired, refreshing it"); - } - try { - authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken); - } catch (Exception e) { - _log.error("Refreshing OIDC token on server", e); - return; - } - _log.debug("Setting refreshed OIDC token in cache proxy"); - JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); - _log.debug("Setting refreshed OIDC token in session"); - JWTTokenUtil.putOIDCInSession(authToken, session); - } - _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); - umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), - authToken.getAccessTokenAsBearer(), urlEncodedScope, null); - } catch (Exception e) { - _log.error("Getting UMA token from server", e); - return; - } - _log.debug("Setting UMA token in cache proxy"); - JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken); - _log.debug("Setting UMA token in session"); - JWTTokenUtil.putUMAInSession(umaToken, session); - } else { - if (umaToken.isExpired()) { - _log.debug("UMA token is expired, refreshing it"); - OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); - try { - umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); - } catch (Exception e) { - _log.error("Refreshing UMA token on server", e); - return; - } - _log.debug("Setting refreshed UMA token in cache proxy"); - JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken); - _log.debug("Setting refreshed UMA token in session"); - JWTTokenUtil.putUMAInSession(umaToken, session); - } else if (JWTTokenUtil.getUMAFromSession(session) == null) { + if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) { + if (JWTTokenUtil.getUMAFromSession(session) == null) { _log.debug("Setting UMA token in session"); JWTTokenUtil.putUMAInSession(umaToken, session); } + } else { + if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) { + _log.debug("UMA token is expired, trying to refresh it"); + OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); + try { + umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); + _log.debug("Setting refreshed UMA token in cache proxy"); + JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken); + _log.debug("Setting refreshed UMA token in session"); + JWTTokenUtil.putUMAInSession(umaToken, session); + } catch (OpenIdConnectRESTHelperException e) { + if (e.hasJSONPayload() && OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) { + _log.info("UMA token is no more active, get new one"); + } else { + _log.warn("Refreshing UMA token on server", e); + } + umaToken = null; + _log.info("Removing probably inactive OIDC token from session"); + JWTTokenUtil.removeOIDCFromSession(session); + _log.info("Removing all inactive UMA token from session and from cache proxy if present"); + JWTTokenUtil.removeUMAFromSession(session); + JWTCacheProxy.getInstance().removeUMAToken(user, session); + } + } + if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { + boolean scopeIsChanged = false; + if (umaToken == null) { + _log.debug("Getting new UMA token for scope {}", urlEncodedScope); + } else if (umaToken.getAud().contains(urlEncodedScope)) { + scopeIsChanged = true; + _log.info("UMA token has been issued for another scope ({}). Getting new one for scope: {}", + umaToken.getAud(), urlEncodedScope); + } + _log.debug("Getting OIDC token from session"); + JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); + if (authToken == null) { + _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); + authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session); + if (authToken == null) { + _log.warn("OIDC token is null also in cache proxy, cannot continue!"); + return; + } else { + _log.debug("Setting OIDC token took from cache proxy in session"); + JWTTokenUtil.putOIDCInSession(authToken, session); + } + } + OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); + try { + if (scopeIsChanged || authToken.isExpired()) { + if (scopeIsChanged) { + _log.info("Scope is changed, refreshing token to be sure that new grants are present"); + } else { + _log.debug("OIDC token is expired, refreshing it"); + } + try { + authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken); + } catch (OpenIdConnectRESTHelperException e) { + _log.error("Refreshing OIDC token on server", e); + // TODO check if a session not active token and consider if force redirect to /c/portal/logout + return; + } + _log.debug("Setting refreshed OIDC token in cache proxy and in session"); + JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); + JWTTokenUtil.putOIDCInSession(authToken, session); + } + _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); + umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), + authToken.getAccessTokenAsBearer(), urlEncodedScope, null); + } catch (OpenIdConnectRESTHelperException e) { + _log.error("Getting UMA token from server", e); + return; + } + } + _log.debug("Setting UMA token in cache proxy and in session"); + JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken); + JWTTokenUtil.putUMAInSession(umaToken, session); } - _log.debug("Current UMA token audience is: {}", umaToken.getAud()); + _log.trace("Current UMA token audience is: {}", umaToken.getAud()); _log.debug("Setting UMA token in UMA JWT provider"); UmaJWTProvider.instance.set(umaToken.getRaw());