From fc18dda68e8915f8372c059a67b272d82ba07adf Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Tue, 19 Jan 2021 17:54:06 +0100 Subject: [PATCH] Remove the user of the session to store objects and rely on cache proxy only adding a mutex to avoid concurrency problems --- .../SmartGearsPortalValve.java | 320 ++++++++---------- 1 file changed, 139 insertions(+), 181 deletions(-) diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java index ae2c1aa..834e1aa 100644 --- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java +++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java @@ -28,7 +28,6 @@ import org.gcube.oidc.rest.OpenIdConnectConfiguration; import org.gcube.oidc.rest.OpenIdConnectRESTHelper; import org.gcube.oidc.rest.OpenIdConnectRESTHelperException; import org.gcube.portal.oidc.lr62.JWTCacheProxy; -import org.gcube.portal.oidc.lr62.JWTTokenUtil; import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -115,202 +114,161 @@ public class SmartGearsPortalValve extends ValveBase { _log.debug("Current PURet user null"); } } - HttpSession session = request.getSession(false); - if (session == null) { - _log.debug("Session is null, cannot continue"); - return; - } else { - _log.debug("Current session ID is {} and class instance is [{}]", session.getId(), - Integer.toHexString(session.hashCode())); - } - String urlEncodedScope = null; - try { - urlEncodedScope = URLEncoder.encode(scope, "UTF-8"); - } catch (UnsupportedEncodingException e) { - // Almost impossible - _log.error("Cannot URL encode scope", e); - return; - } - _log.debug("URL encoded scope is: {}", urlEncodedScope); - - _log.trace("Getting UMA token from session {} [{}]", session.getId(), Integer.toHexString(session.hashCode())); - JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session); - if (umaToken == null) { - _log.debug("UMA token not found in session. Trying to get it from cache proxy"); - umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session); - } - if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) { - _log.trace("Current UMA token is OK [{}]", umaToken.getTokenEssentials()); - if (JWTTokenUtil.getUMAFromSession(session) == null) { - _log.debug("Setting UMA token also in current session {} [{}]", session.getId(), - Integer.toHexString(session.hashCode())); - - JWTTokenUtil.putUMAInSession(umaToken, session); + JWTToken umaToken = null; + synchronized (JWTCacheProxy.getInstance().getMutexFor(user)) { + HttpSession session = request.getSession(false); + if (session == null) { + _log.debug("Session is null, cannot continue"); + return; } - } else if (JWTCacheProxy.getInstance().getUMAToken(user, session) != null - && !JWTCacheProxy.getInstance().getUMAToken(user, session).isExpired() - && JWTCacheProxy.getInstance().getUMAToken(user, session).getAud().contains(urlEncodedScope)) { - - _log.debug("Cache proxy already contains the suitable UMA token: {}", umaToken.getTokenEssentials()); - _log.debug("Putting it also in session {} [{}] and using it", session.getId(), - Integer.toHexString(session.hashCode())); - - umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session); - JWTTokenUtil.putUMAInSession(umaToken, session); - } else { - if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) { - _log.debug("UMA token is expired, trying to refresh it [{}]", umaToken.getTokenEssentials()); - OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration - .getConfiguration(request); - try { - umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); - _log.debug("Setting refreshed UMA token in cache proxy [{}]", umaToken.getTokenEssentials()); - JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken); - _log.debug("Setting refreshed UMA token in session {} [{}]", session.getId(), - Integer.toHexString(session.hashCode())); - - JWTTokenUtil.putUMAInSession(umaToken, session); - } catch (OpenIdConnectRESTHelperException e) { - if (e.hasJSONPayload()) { - if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { - if (FORCE_LOGOUT_ON_INVALID_OIDC) { - _log.warn("OIDC token is become invalid, forcing redirect to logout URI"); - forceLogout(session, response); - } else { - _log.warn("OIDC token is become invalid, cannot continue"); - } - return; - } else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) { - _log.info("UMA token is no more active, get new one"); - } - } else { - _log.error("Refreshing UMA token on server [" + umaToken.getTokenEssentials() + "]", e); - } - umaToken = null; - _log.info("Removing probably inactive OIDC token from session {} [{}}", session.getId(), - Integer.toHexString(session.hashCode())); - - JWTTokenUtil.removeOIDCFromSession(session); - _log.info("Removing all inactive UMA token from session {} [{}] and from cache proxy if present", - session.getId(), Integer.toHexString(session.hashCode())); - - JWTTokenUtil.removeUMAFromSession(session); - JWTCacheProxy.getInstance().removeUMAToken(user, session); - } + String sessionId = session.getId(); + _log.debug("Current session ID is {}", sessionId); + String urlEncodedScope = null; + try { + urlEncodedScope = URLEncoder.encode(scope, "UTF-8"); + } catch (UnsupportedEncodingException e) { + // Almost impossible + _log.error("Cannot URL encode scope", e); + return; } - if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { - boolean scopeIsChanged = false; - if (umaToken == null) { - _log.debug("Getting new UMA token for scope {}", urlEncodedScope); - } else if (!umaToken.getAud().contains(urlEncodedScope)) { - scopeIsChanged = true; - _log.info("Getting new UMA for scope {} since it has been issued for another scope [{}]", - urlEncodedScope, umaToken.getTokenEssentials()); - } - _log.debug("Getting OIDC token from session {} [{}]", session.getId(), - Integer.toHexString(session.hashCode())); + _log.debug("URL encoded scope is: {}", urlEncodedScope); - JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); - if (authToken == null) { - _log.debug("OIDC token not found in session. Trying to get it from cache proxy"); - authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session); - if (authToken == null) { - _log.info("OIDC token is null also in cache proxy"); - if (FORCE_LOGOUT_ON_MISSING_OIDC) { - _log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI"); - forceLogout(session, response); - } else { - _log.error("OIDC token is null also in cache proxy, cannot continue!"); - } - return; - } else { - _log.debug("Setting OIDC token took from cache proxy in session {} [{}}", session.getId(), - Integer.toHexString(session.hashCode())); - - JWTTokenUtil.putOIDCInSession(authToken, session); - } - } - OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); - boolean isNotAuthorized = false; - int authorizationAttempts = 0; - do { + _log.trace("Getting UMA token for session {}", sessionId); + umaToken = JWTCacheProxy.getInstance().getUMAToken(user, sessionId); + if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) { + _log.trace("Current UMA token is OK [{}]", umaToken.getTokenEssentials()); + } else { + if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) { + _log.debug("UMA token is expired, trying to refresh it [{}]", umaToken.getTokenEssentials()); + OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration + .getConfiguration(request); try { - if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) { - if (isNotAuthorized) { - _log.info( - "UMA token is not authorized with current OIDC token, " - + "refreshing it to be sure that new grants are present. " - + "[attempts: {}]", - authorizationAttempts); - } else if (scopeIsChanged) { - _log.info( - "Scope is changed, refreshing token to be sure that new grants are present"); - } else if (authToken.isExpired()) { - _log.debug("OIDC token is expired, trying to refresh it [{}]", - authToken.getTokenEssentials()); - } - try { - authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), - authToken); - } catch (OpenIdConnectRESTHelperException e) { - if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) { - _log.warn("Error refreshing OIDC token, force redirecting to logut URI"); - forceLogout(session, response); - } else { - _log.error("Refreshing OIDC token on server", e); - } - return; - } - _log.debug("Setting refreshed OIDC token in cache proxy and session"); - JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); - JWTTokenUtil.putOIDCInSession(authToken, session); - } - _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); - umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), - authToken.getAccessTokenAsBearer(), urlEncodedScope, null); - + umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); + _log.debug("Setting refreshed UMA token in cache proxy [{}]", umaToken.getTokenEssentials()); + JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken); } catch (OpenIdConnectRESTHelperException e) { if (e.hasJSONPayload()) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (FORCE_LOGOUT_ON_INVALID_OIDC) { _log.warn("OIDC token is become invalid, forcing redirect to logout URI"); - forceLogout(session, response); + forceLogout(response); } else { - _log.error("OIDC token is become invalid, cannot continue"); + _log.warn("OIDC token is become invalid, cannot continue"); } return; - } else if (OpenIdConnectRESTHelper - .isAccessDeniedNotAuthorizedError(e.getResponseString())) { - _log.info("UMA token is" + (isNotAuthorized ? " still" : "") - + " not authorized with actual OIDC token"); - - isNotAuthorized = true; - authorizationAttempts += 1; - if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) { - _log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY - + " ms and refreshing the OIDC"); - try { - Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY); - } catch (InterruptedException ie) { - ie.printStackTrace(); - } - } else { - _log.warn("OIDC token refresh attempts exhausted"); - return; - } + } else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) { + _log.info("UMA token is no more active, get new one"); } } else { - _log.error("Getting UMA token from server", e); - return; + _log.error("Refreshing UMA token on server [" + umaToken.getTokenEssentials() + "]", e); } + umaToken = null; + _log.info("Removing inactive UMA token from cache proxy if present"); + JWTCacheProxy.getInstance().removeUMAToken(user, sessionId); } - } while (isNotAuthorized); - } - _log.debug("Setting UMA token in cache proxy and in session {} [{}]", session.getId(), - Integer.toHexString(session.hashCode())); + } + if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { + boolean scopeIsChanged = false; + if (umaToken == null) { + _log.debug("Getting new UMA token for scope {}", urlEncodedScope); + } else if (!umaToken.getAud().contains(urlEncodedScope)) { + scopeIsChanged = true; + _log.info("Getting new UMA for scope {} since it has been issued for another scope [{}]", + urlEncodedScope, umaToken.getTokenEssentials()); + } + _log.debug("Getting OIDC token from cache proxy"); - JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken); - JWTTokenUtil.putUMAInSession(umaToken, session); + JWTToken authToken = JWTCacheProxy.getInstance().getOIDCToken(user, sessionId); + if (authToken == null) { + _log.info("OIDC token is null also in cache proxy"); + if (FORCE_LOGOUT_ON_MISSING_OIDC) { + _log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI"); + forceLogout(response); + } else { + _log.error("OIDC token is null also in cache proxy, cannot continue!"); + } + return; + } + OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration + .getConfiguration(request); + boolean isNotAuthorized = false; + int authorizationAttempts = 0; + do { + try { + if (isNotAuthorized || scopeIsChanged || authToken.isExpired()) { + if (isNotAuthorized) { + _log.info( + "UMA token is not authorized with current OIDC token, " + + "refreshing it to be sure that new grants are present. " + + "[attempts: {}]", + authorizationAttempts); + } else if (scopeIsChanged) { + _log.info( + "Scope is changed, refreshing token to be sure that new grants are present"); + } else if (authToken.isExpired()) { + _log.debug("OIDC token is expired, trying to refresh it [{}]", + authToken.getTokenEssentials()); + } + try { + authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), + authToken); + } catch (OpenIdConnectRESTHelperException e) { + if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) { + _log.warn("Error refreshing OIDC token, force redirecting to logut URI"); + forceLogout(response); + } else { + _log.error("Refreshing OIDC token on server", e); + } + return; + } + _log.debug("Setting refreshed OIDC token in cache proxy"); + JWTCacheProxy.getInstance().setOIDCToken(user, sessionId, authToken); + } + _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); + umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), + authToken.getAccessTokenAsBearer(), urlEncodedScope, null); + + } catch (OpenIdConnectRESTHelperException e) { + if (e.hasJSONPayload()) { + if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { + if (FORCE_LOGOUT_ON_INVALID_OIDC) { + _log.warn("OIDC token is become invalid, forcing redirect to logout URI"); + forceLogout(response); + } else { + _log.error("OIDC token is become invalid, cannot continue"); + } + return; + } else if (OpenIdConnectRESTHelper + .isAccessDeniedNotAuthorizedError(e.getResponseString())) { + _log.info("UMA token is" + (isNotAuthorized ? " still" : "") + + " not authorized with actual OIDC token"); + + isNotAuthorized = true; + authorizationAttempts += 1; + if (authorizationAttempts <= MAX_AUTHORIZATION_RETRY_ATTEMPTS) { + _log.debug("Sleeping " + AUTHORIZATION_RETRY_ATTEMPTS_DELAY + + " ms and refreshing the OIDC"); + try { + Thread.sleep(AUTHORIZATION_RETRY_ATTEMPTS_DELAY); + } catch (InterruptedException ie) { + ie.printStackTrace(); + } + } else { + _log.warn("OIDC token refresh attempts exhausted"); + return; + } + } + } else { + _log.error("Getting UMA token from server", e); + return; + } + } + } while (isNotAuthorized); + } + _log.debug("Setting UMA token in cache proxy"); + + JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken); + } } _log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials()); @@ -318,7 +276,7 @@ public class SmartGearsPortalValve extends ValveBase { UmaJWTProvider.instance.set(umaToken.getRaw()); } - protected void forceLogout(HttpSession session, HttpServletResponse response) { + protected void forceLogout(HttpServletResponse response) { try { if (!response.isCommitted()) { response.sendRedirect(LOGOUT_URI);