Remove the user of the session to store objects and rely on cache proxy only adding a mutex to avoid concurrency problems

This commit is contained in:
Mauro Mugnaini 2021-01-19 17:54:06 +01:00
parent 1a0f9b5086
commit fc18dda68e
1 changed files with 139 additions and 181 deletions

View File

@ -28,7 +28,6 @@ import org.gcube.oidc.rest.OpenIdConnectConfiguration;
import org.gcube.oidc.rest.OpenIdConnectRESTHelper; import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
import org.gcube.oidc.rest.OpenIdConnectRESTHelperException; import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
import org.gcube.portal.oidc.lr62.JWTCacheProxy; import org.gcube.portal.oidc.lr62.JWTCacheProxy;
import org.gcube.portal.oidc.lr62.JWTTokenUtil;
import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration; import org.gcube.portal.oidc.lr62.LiferayOpenIdConnectConfiguration;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -115,14 +114,15 @@ public class SmartGearsPortalValve extends ValveBase {
_log.debug("Current PURet user null"); _log.debug("Current PURet user null");
} }
} }
JWTToken umaToken = null;
synchronized (JWTCacheProxy.getInstance().getMutexFor(user)) {
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
if (session == null) { if (session == null) {
_log.debug("Session is null, cannot continue"); _log.debug("Session is null, cannot continue");
return; return;
} else {
_log.debug("Current session ID is {} and class instance is [{}]", session.getId(),
Integer.toHexString(session.hashCode()));
} }
String sessionId = session.getId();
_log.debug("Current session ID is {}", sessionId);
String urlEncodedScope = null; String urlEncodedScope = null;
try { try {
urlEncodedScope = URLEncoder.encode(scope, "UTF-8"); urlEncodedScope = URLEncoder.encode(scope, "UTF-8");
@ -133,30 +133,10 @@ public class SmartGearsPortalValve extends ValveBase {
} }
_log.debug("URL encoded scope is: {}", urlEncodedScope); _log.debug("URL encoded scope is: {}", urlEncodedScope);
_log.trace("Getting UMA token from session {} [{}]", session.getId(), Integer.toHexString(session.hashCode())); _log.trace("Getting UMA token for session {}", sessionId);
JWTToken umaToken = JWTTokenUtil.getUMAFromSession(session); umaToken = JWTCacheProxy.getInstance().getUMAToken(user, sessionId);
if (umaToken == null) {
_log.debug("UMA token not found in session. Trying to get it from cache proxy");
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
}
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) { if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
_log.trace("Current UMA token is OK [{}]", umaToken.getTokenEssentials()); _log.trace("Current UMA token is OK [{}]", umaToken.getTokenEssentials());
if (JWTTokenUtil.getUMAFromSession(session) == null) {
_log.debug("Setting UMA token also in current session {} [{}]", session.getId(),
Integer.toHexString(session.hashCode()));
JWTTokenUtil.putUMAInSession(umaToken, session);
}
} else if (JWTCacheProxy.getInstance().getUMAToken(user, session) != null
&& !JWTCacheProxy.getInstance().getUMAToken(user, session).isExpired()
&& JWTCacheProxy.getInstance().getUMAToken(user, session).getAud().contains(urlEncodedScope)) {
_log.debug("Cache proxy already contains the suitable UMA token: {}", umaToken.getTokenEssentials());
_log.debug("Putting it also in session {} [{}] and using it", session.getId(),
Integer.toHexString(session.hashCode()));
umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
JWTTokenUtil.putUMAInSession(umaToken, session);
} else { } else {
if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) { if (umaToken != null && umaToken.getAud().contains(urlEncodedScope) && umaToken.isExpired()) {
_log.debug("UMA token is expired, trying to refresh it [{}]", umaToken.getTokenEssentials()); _log.debug("UMA token is expired, trying to refresh it [{}]", umaToken.getTokenEssentials());
@ -165,17 +145,13 @@ public class SmartGearsPortalValve extends ValveBase {
try { try {
umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken); umaToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), umaToken);
_log.debug("Setting refreshed UMA token in cache proxy [{}]", umaToken.getTokenEssentials()); _log.debug("Setting refreshed UMA token in cache proxy [{}]", umaToken.getTokenEssentials());
JWTCacheProxy.getInstance().setUMAToken(getCurrentUser(request), session, umaToken); JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
_log.debug("Setting refreshed UMA token in session {} [{}]", session.getId(),
Integer.toHexString(session.hashCode()));
JWTTokenUtil.putUMAInSession(umaToken, session);
} catch (OpenIdConnectRESTHelperException e) { } catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) { if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
if (FORCE_LOGOUT_ON_INVALID_OIDC) { if (FORCE_LOGOUT_ON_INVALID_OIDC) {
_log.warn("OIDC token is become invalid, forcing redirect to logout URI"); _log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.warn("OIDC token is become invalid, cannot continue"); _log.warn("OIDC token is become invalid, cannot continue");
} }
@ -187,15 +163,8 @@ public class SmartGearsPortalValve extends ValveBase {
_log.error("Refreshing UMA token on server [" + umaToken.getTokenEssentials() + "]", e); _log.error("Refreshing UMA token on server [" + umaToken.getTokenEssentials() + "]", e);
} }
umaToken = null; umaToken = null;
_log.info("Removing probably inactive OIDC token from session {} [{}}", session.getId(), _log.info("Removing inactive UMA token from cache proxy if present");
Integer.toHexString(session.hashCode())); JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
JWTTokenUtil.removeOIDCFromSession(session);
_log.info("Removing all inactive UMA token from session {} [{}] and from cache proxy if present",
session.getId(), Integer.toHexString(session.hashCode()));
JWTTokenUtil.removeUMAFromSession(session);
JWTCacheProxy.getInstance().removeUMAToken(user, session);
} }
} }
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) { if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
@ -207,30 +176,21 @@ public class SmartGearsPortalValve extends ValveBase {
_log.info("Getting new UMA for scope {} since it has been issued for another scope [{}]", _log.info("Getting new UMA for scope {} since it has been issued for another scope [{}]",
urlEncodedScope, umaToken.getTokenEssentials()); urlEncodedScope, umaToken.getTokenEssentials());
} }
_log.debug("Getting OIDC token from session {} [{}]", session.getId(), _log.debug("Getting OIDC token from cache proxy");
Integer.toHexString(session.hashCode()));
JWTToken authToken = JWTTokenUtil.getOIDCFromSession(session); JWTToken authToken = JWTCacheProxy.getInstance().getOIDCToken(user, sessionId);
if (authToken == null) {
_log.debug("OIDC token not found in session. Trying to get it from cache proxy");
authToken = JWTCacheProxy.getInstance().getOIDCToken(user, session);
if (authToken == null) { if (authToken == null) {
_log.info("OIDC token is null also in cache proxy"); _log.info("OIDC token is null also in cache proxy");
if (FORCE_LOGOUT_ON_MISSING_OIDC) { if (FORCE_LOGOUT_ON_MISSING_OIDC) {
_log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI"); _log.warn("OIDC token is null also in cache proxy, force redirecting to logut URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.error("OIDC token is null also in cache proxy, cannot continue!"); _log.error("OIDC token is null also in cache proxy, cannot continue!");
} }
return; return;
} else {
_log.debug("Setting OIDC token took from cache proxy in session {} [{}}", session.getId(),
Integer.toHexString(session.hashCode()));
JWTTokenUtil.putOIDCInSession(authToken, session);
} }
} OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration
OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request); .getConfiguration(request);
boolean isNotAuthorized = false; boolean isNotAuthorized = false;
int authorizationAttempts = 0; int authorizationAttempts = 0;
do { do {
@ -255,15 +215,14 @@ public class SmartGearsPortalValve extends ValveBase {
} catch (OpenIdConnectRESTHelperException e) { } catch (OpenIdConnectRESTHelperException e) {
if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) { if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
_log.warn("Error refreshing OIDC token, force redirecting to logut URI"); _log.warn("Error refreshing OIDC token, force redirecting to logut URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.error("Refreshing OIDC token on server", e); _log.error("Refreshing OIDC token on server", e);
} }
return; return;
} }
_log.debug("Setting refreshed OIDC token in cache proxy and session"); _log.debug("Setting refreshed OIDC token in cache proxy");
JWTCacheProxy.getInstance().setOIDCToken(user, session, authToken); JWTCacheProxy.getInstance().setOIDCToken(user, sessionId, authToken);
JWTTokenUtil.putOIDCInSession(authToken, session);
} }
_log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope); _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
@ -274,7 +233,7 @@ public class SmartGearsPortalValve extends ValveBase {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) { if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
if (FORCE_LOGOUT_ON_INVALID_OIDC) { if (FORCE_LOGOUT_ON_INVALID_OIDC) {
_log.warn("OIDC token is become invalid, forcing redirect to logout URI"); _log.warn("OIDC token is become invalid, forcing redirect to logout URI");
forceLogout(session, response); forceLogout(response);
} else { } else {
_log.error("OIDC token is become invalid, cannot continue"); _log.error("OIDC token is become invalid, cannot continue");
} }
@ -306,11 +265,10 @@ public class SmartGearsPortalValve extends ValveBase {
} }
} while (isNotAuthorized); } while (isNotAuthorized);
} }
_log.debug("Setting UMA token in cache proxy and in session {} [{}]", session.getId(), _log.debug("Setting UMA token in cache proxy");
Integer.toHexString(session.hashCode()));
JWTCacheProxy.getInstance().setUMAToken(user, session, umaToken); JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
JWTTokenUtil.putUMAInSession(umaToken, session); }
} }
_log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials()); _log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
@ -318,7 +276,7 @@ public class SmartGearsPortalValve extends ValveBase {
UmaJWTProvider.instance.set(umaToken.getRaw()); UmaJWTProvider.instance.set(umaToken.getRaw());
} }
protected void forceLogout(HttpSession session, HttpServletResponse response) { protected void forceLogout(HttpServletResponse response) {
try { try {
if (!response.isCommitted()) { if (!response.isCommitted()) {
response.sendRedirect(LOGOUT_URI); response.sendRedirect(LOGOUT_URI);