/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

package io.undertow.security.handlers;

import io.undertow.security.api.AuthenticatedSessionManager;
import io.undertow.security.api.AuthenticatedSessionManager.AuthenticatedSession;
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.api.SecurityNotification.EventType;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionConfig;
import io.undertow.server.session.SessionManager;

HttpHandler responsible for setting up the AuthenticatedSessionManager for cached authentications and registering a NotificationReceiver to receive the security notifications.

This handler also forces the session to change its session ID on sucessful authentication.

Author:Darran Lofthouse
/** * {@link HttpHandler} responsible for setting up the {@link AuthenticatedSessionManager} for cached authentications and * registering a {@link NotificationReceiver} to receive the security notifications. * <p> * This handler also forces the session to change its session ID on sucessful authentication. * * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a> */
public class CachedAuthenticatedSessionHandler implements HttpHandler { public static final String ATTRIBUTE_NAME = CachedAuthenticatedSessionHandler.class.getName() + ".AuthenticatedSession"; public static final String NO_ID_CHANGE_REQUIRED = CachedAuthenticatedSessionHandler.class.getName() + ".NoIdChangeRequired"; private final NotificationReceiver NOTIFICATION_RECEIVER = new SecurityNotificationReceiver(); private final AuthenticatedSessionManager SESSION_MANAGER = new ServletAuthenticatedSessionManager(); private final HttpHandler next; public CachedAuthenticatedSessionHandler(final HttpHandler next) { this.next = next; } @Override public void handleRequest(HttpServerExchange exchange) throws Exception { SecurityContext securityContext = exchange.getSecurityContext(); securityContext.registerNotificationReceiver(NOTIFICATION_RECEIVER); SessionManager sessionManager = exchange.getAttachment(SessionManager.ATTACHMENT_KEY); SessionConfig sessionConfig = exchange.getAttachment(SessionConfig.ATTACHMENT_KEY); if (sessionManager == null || sessionConfig == null) { next.handleRequest(exchange); return; } Session session = sessionManager.getSession(exchange, sessionConfig); // If there was no existing HttpSession then there could not be a cached AuthenticatedSession so don't bother setting // the AuthenticatedSessionManager. if (session != null) { exchange.putAttachment(AuthenticatedSessionManager.ATTACHMENT_KEY, SESSION_MANAGER); } next.handleRequest(exchange); } private class SecurityNotificationReceiver implements NotificationReceiver { @Override public void handleNotification(SecurityNotification notification) { EventType eventType = notification.getEventType(); HttpServerExchange exchange = notification.getExchange(); SessionManager sessionManager = exchange.getAttachment(SessionManager.ATTACHMENT_KEY); SessionConfig sessionConfig = exchange.getAttachment(SessionConfig.ATTACHMENT_KEY); if (sessionManager == null || sessionConfig == null) { return; } Session httpSession = sessionManager.getSession(exchange, sessionConfig); switch (eventType) { case AUTHENTICATED: if (isCacheable(notification)) { if (httpSession == null) { httpSession = sessionManager.createSession(exchange, sessionConfig); } // It is normal for this notification to be received when using a previously cached session - in that // case the IDM would have been given an opportunity to re-load the Account so updating here ready for // the next request is desired. httpSession.setAttribute(ATTRIBUTE_NAME, new AuthenticatedSession(notification.getAccount(), notification.getMechanism())); } break; case LOGGED_OUT: if (httpSession != null) { httpSession.removeAttribute(ATTRIBUTE_NAME); httpSession.removeAttribute(NO_ID_CHANGE_REQUIRED); } break; } } } private static class ServletAuthenticatedSessionManager implements AuthenticatedSessionManager { @Override public AuthenticatedSession lookupSession(HttpServerExchange exchange) { SessionManager sessionManager = exchange.getAttachment(SessionManager.ATTACHMENT_KEY); SessionConfig sessionConfig = exchange.getAttachment(SessionConfig.ATTACHMENT_KEY); if (sessionManager == null || sessionConfig == null) { return null; } Session httpSession = sessionManager.getSession(exchange, sessionConfig); if (httpSession != null) { return (AuthenticatedSession) httpSession.getAttribute(ATTRIBUTE_NAME); } return null; } @Override public void clearSession(HttpServerExchange exchange) { SessionManager sessionManager = exchange.getAttachment(SessionManager.ATTACHMENT_KEY); SessionConfig sessionConfig = exchange.getAttachment(SessionConfig.ATTACHMENT_KEY); if (sessionManager == null || sessionConfig == null) { return; } Session httpSession = sessionManager.getSession(exchange, sessionConfig); if (httpSession != null) { httpSession.removeAttribute(ATTRIBUTE_NAME); } } } private boolean isCacheable(final SecurityNotification notification) { return notification.isProgramatic() || notification.isCachingRequired(); } }