/**
 * Issues a JWT session for {@code user} without any caller-supplied claims.
 * <p>
 * Delegates to {@link #generateToken(UserDto, Map, HttpServletRequest, HttpServletResponse)} with an
 * empty property map; the session-wide claims (last refresh time and CSRF state) are added by that overload.
 */
public void generateToken(UserDto user, HttpServletRequest request, HttpServletResponse response) {
  Map<String, Object> noExtraProperties = Collections.emptyMap();
  generateToken(user, noExtraProperties, request, response);
}
/**
 * Resolves the user of the JWT session carried by the request, if any.
 *
 * @return the user bound to a validated token, or empty when no cookie is present or the token was
 *         rejected by {@link #getToken(HttpServletRequest, HttpServletResponse)}
 */
public Optional<UserDto> validateToken(HttpServletRequest request, HttpServletResponse response) {
  Optional<Token> session = getToken(request, response);
  // Optional.of (not map) keeps the contract of the original: a present token whose user is null
  // throws instead of silently reading as "not authenticated".
  return session.isPresent() ? Optional.of(session.get().getUserDto()) : Optional.empty();
}
/**
 * Terminates the current session.
 * <p>
 * The authentication event is generated before the JWT cookie and its CSRF state are removed, so an
 * exception raised while removing the token does not suppress the log entry.
 */
private void logout(HttpServletRequest request, HttpServletResponse response) {
  // 1. audit trail
  generateAuthenticationEvent(request, response);
  // 2. client-side session material (JWT cookie + CSRF state)
  jwtHttpHandler.removeToken(request, response);
}
/**
 * Reads the JWT cookie from the request and validates its content.
 *
 * @return the decoded session token when a cookie is present and passes validation, empty otherwise
 */
public Optional<Token> getToken(HttpServletRequest request, HttpServletResponse response) {
  // flatMap short-circuits on a missing cookie, so validation only runs on a present value
  return getTokenFromCookie(request)
    .flatMap(encoded -> validateToken(encoded, request, response));
}
/**
 * Decodes and checks an encoded JWT session token, refreshing it when its refresh interval has elapsed.
 * <p>
 * The checks run in this order, and the order matters:
 * <ol>
 *   <li>the token must decode (presumably {@code jwtSerializer.decode} returns empty when the signature
 *       does not verify — TODO confirm);</li>
 *   <li>the session must not be older than {@code SESSION_DISCONNECT_IN_SECONDS} since its issue time
 *       ("iat"); an overdue token is rejected before any CSRF handling;</li>
 *   <li>the CSRF state stored in the token must match the request, and this is verified before a
 *       refresh can be triggered;</li>
 *   <li>the token is refreshed when {@code SESSION_REFRESH_IN_SECONDS} has elapsed since its last refresh;</li>
 *   <li>the subject must still resolve to a user.</li>
 * </ol>
 *
 * @return the token bound to its user, or empty when any check fails
 */
private Optional<Token> validateToken(String tokenEncoded, HttpServletRequest request, HttpServletResponse response) {
  Optional<Claims> decoded = jwtSerializer.decode(tokenEncoded);
  if (!decoded.isPresent()) {
    return Optional.empty();
  }
  Claims claims = decoded.get();
  Date now = new Date(system2.now());

  // Absolute session lifetime, measured from the issue time: exceeding it means a forced disconnect.
  Date disconnectAt = addSeconds(claims.getIssuedAt(), SESSION_DISCONNECT_IN_SECONDS);
  if (now.after(disconnectAt)) {
    return Optional.empty();
  }

  // The cast mirrors the original; a non-String claim surfaces as a ClassCastException rather than a bypass.
  // verifyState is expected to throw on a mismatch (its body is not visible here) — TODO confirm.
  jwtCsrfVerifier.verifyState(request, (String) claims.get(CSRF_JWT_PARAM), claims.getSubject());

  // Sliding refresh: only happens once the CSRF state has been accepted.
  Date refreshAt = addSeconds(getLastRefreshDate(claims), SESSION_REFRESH_IN_SECONDS);
  if (now.after(refreshAt)) {
    refreshToken(claims, request, response);
  }

  Optional<UserDto> user = selectUserFromUuid(claims.getSubject());
  return user.isPresent() ? Optional.of(new Token(user.get(), claims)) : Optional.empty();
}
/**
 * Decides whether the request may proceed, trying the JWT cookie first and HTTP basic credentials second.
 * <p>
 * When neither yields a user, the outcome depends on {@code CORE_FORCE_AUTHENTICATION_PROPERTY}: anonymous
 * access is allowed unless the property is {@code true} (an unset property counts as {@code false}).
 * An {@link AuthenticationException} from either authenticator is a refusal, not a fall-through to anonymous.
 *
 * @return {@code true} when a user was authenticated or anonymous access is permitted
 */
private boolean authenticate(HttpServletRequest request, HttpServletResponse response) {
  try {
    if (jwtHttpHandler.validateToken(request, response).isPresent()) {
      return true;
    }
    if (basicAuthentication.authenticate(request).isPresent()) {
      return true;
    }
    // No credentials at all: fall back to the instance-wide policy.
    boolean forceAuthentication = config.getBoolean(CORE_FORCE_AUTHENTICATION_PROPERTY).orElse(false);
    return !forceAuthentication;
  } catch (AuthenticationException e) {
    // Bad credentials or a bad token: deny, do not downgrade to anonymous.
    return false;
  }
}
@Test
public void generate_auth_event_on_failure() throws Exception {
  setUser(USER);
  AuthenticationException failure = AuthenticationException.newBuilder()
    .setMessage("error!")
    .setSource(sso())
    .build();
  doThrow(failure).when(jwtHttpHandler).getToken(any(HttpServletRequest.class), any(HttpServletResponse.class));

  executeRequest();

  // A failing token lookup is logged as a logout failure and still clears the cookie;
  // the filter chain is never reached.
  verify(authenticationEvent).logoutFailure(request, "error!");
  verify(jwtHttpHandler).removeToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
  verifyZeroInteractions(chain);
}
@Test
public void session_timeout_property_cannot_be_updated() {
  UserDto user = db.users().insertUser();
  int initialTimeoutInMinutes = 10;
  int expectedTimeoutInSeconds = initialTimeoutInMinutes * 60;
  settings.setProperty("sonar.web.sessionTimeoutInMinutes", initialTimeoutInMinutes);
  underTest = new JwtHttpHandler(system2, dbClient, settings.asConfig(), jwtSerializer, jwtCsrfVerifier);

  underTest.generateToken(user, request, response);
  // The property is updated afterwards, but the handler keeps the timeout it read at construction time
  settings.setProperty("sonar.web.sessionTimeoutInMinutes", 15);
  underTest.generateToken(user, request, response);

  verify(jwtSerializer, times(2)).encode(jwtArgumentCaptor.capture());
  verifyToken(jwtArgumentCaptor.getAllValues().get(0), user, expectedTimeoutInSeconds, NOW);
  verifyToken(jwtArgumentCaptor.getAllValues().get(1), user, expectedTimeoutInSeconds, NOW);
}
/**
 * Validates an encoded JWT session token and returns it together with its user.
 * <p>
 * Rejection cases, in evaluation order: the token does not decode (signature verification is presumably
 * part of {@code jwtSerializer.decode} — TODO confirm); more than {@code SESSION_DISCONNECT_IN_SECONDS}
 * have passed since the issue time; the CSRF state in the token does not match the request (this is
 * checked by {@code jwtCsrfVerifier.verifyState}, after the disconnect check and before any refresh);
 * the subject no longer maps to a user. A token that passes the CSRF check and whose last refresh is
 * older than {@code SESSION_REFRESH_IN_SECONDS} is refreshed as a side effect.
 *
 * @return the token bound to its user, or empty when it is rejected
 */
private Optional<Token> validateToken(String tokenEncoded, HttpServletRequest request, HttpServletResponse response) {
  Optional<Claims> decoded = jwtSerializer.decode(tokenEncoded);
  if (!decoded.isPresent()) {
    return Optional.empty();
  }
  Date now = new Date(system2.now());
  Claims claims = decoded.get();

  // Hard session limit, counted from "iat".
  if (now.after(addSeconds(claims.getIssuedAt(), SESSION_DISCONNECT_IN_SECONDS))) {
    return Optional.empty();
  }

  // The cast is kept as-is: a non-String claim fails with ClassCastException, it does not skip the check.
  // verifyState is expected to throw on a mismatch — not visible here, TODO confirm.
  jwtCsrfVerifier.verifyState(request, (String) claims.get(CSRF_JWT_PARAM), claims.getSubject());

  // Sliding refresh, only reachable once the CSRF state has been accepted.
  if (now.after(addSeconds(getLastRefreshDate(claims), SESSION_REFRESH_IN_SECONDS))) {
    refreshToken(claims, request, response);
  }

  Optional<UserDto> user = selectUserFromDb(claims.getSubject());
  if (!user.isPresent()) {
    return Optional.empty();
  }
  return Optional.of(new Token(user.get(), claims));
}
/**
 * Ends the JWT session on the client side.
 * <p>
 * The JWT cookie is sent back with a null value and a max-age of 0 (presumably so the browser discards
 * it — {@code createCookie} is not visible here), then the matching CSRF state is cleared, so neither
 * half of the session outlives the other.
 */
public void removeToken(HttpServletRequest request, HttpServletResponse response) {
  // null value + max-age 0: expire the JWT cookie
  response.addCookie(createCookie(request, JWT_COOKIE, null, 0));
  // and the CSRF state that was issued alongside it
  jwtCsrfVerifier.removeState(request, response);
}
/**
 * Creates the handler. The session timeout is derived from {@code config} once, here; later changes to
 * the configuration are not observed by this instance.
 */
public JwtHttpHandler(System2 system2, DbClient dbClient, Configuration config, JwtSerializer jwtSerializer, JwtCsrfVerifier jwtCsrfVerifier) {
  this.system2 = system2;
  this.dbClient = dbClient;
  this.jwtSerializer = jwtSerializer;
  this.jwtCsrfVerifier = jwtCsrfVerifier;
  // snapshot of the configured timeout, in seconds
  this.sessionTimeoutInSeconds = getSessionTimeoutInSeconds(config);
}
/**
 * Resolves the user for the request, in priority order: HTTP headers (SSO), then the JWT cookie, then
 * HTTP basic credentials.
 * <p>
 * SSO must be tried first because it is the step able to update the JWT when the user named by the
 * headers is not the same as the user in the existing token.
 *
 * @return the user from the first authenticator that recognises the request, or empty
 */
private Optional<UserDto> loadUser(HttpServletRequest request, HttpServletResponse response) {
  Optional<UserDto> fromSso = httpHeadersAuthentication.authenticate(request, response);
  if (fromSso.isPresent()) {
    return fromSso;
  }
  Optional<UserDto> fromJwt = jwtHttpHandler.validateToken(request, response);
  if (fromJwt.isPresent()) {
    return fromJwt;
  }
  return basicAuthentication.authenticate(request);
}
}
/**
 * Extracts the JWT session from the request cookie and validates it.
 *
 * @return the validated token, or empty when the cookie is absent or its content is rejected
 */
public Optional<Token> getToken(HttpServletRequest request, HttpServletResponse response) {
  Optional<String> cookieValue = getTokenFromCookie(request);
  if (cookieValue.isPresent()) {
    return validateToken(cookieValue.get(), request, response);
  }
  // no cookie: nothing to validate, and no side effect on the response
  return Optional.empty();
}
@Test
public void generate_token_is_using_session_timeout_from_settings() {
  UserDto user = db.users().insertUser();
  int timeoutInMinutes = 10;
  settings.setProperty("sonar.web.sessionTimeoutInMinutes", timeoutInMinutes);
  underTest = new JwtHttpHandler(system2, dbClient, settings.asConfig(), jwtSerializer, jwtCsrfVerifier);

  underTest.generateToken(user, request, response);

  // the handler converts the configured minutes to seconds for the token
  verify(jwtSerializer).encode(jwtArgumentCaptor.capture());
  verifyToken(jwtArgumentCaptor.getValue(), user, timeoutInMinutes * 60, NOW);
}
/**
 * Creates a JWT session for {@code user} and stores it in the JWT cookie.
 * <p>
 * The token carries {@code properties} plus two claims set here: the current time as last refresh time
 * and the CSRF state obtained from {@code jwtCsrfVerifier}. {@code ImmutableMap.Builder#build()} rejects
 * duplicate keys, so {@code properties} must not contain {@code LAST_REFRESH_TIME_PARAM} or
 * {@code CSRF_JWT_PARAM}: a caller cannot override the CSRF state, the call fails with an
 * {@link IllegalArgumentException} instead. The same {@code sessionTimeoutInSeconds} bounds the CSRF
 * state, the token and the cookie, so the three expire together.
 */
public void generateToken(UserDto user, Map<String, Object> properties, HttpServletRequest request, HttpServletResponse response) {
  String csrfState = jwtCsrfVerifier.generateState(request, response, sessionTimeoutInSeconds);
  ImmutableMap<String, Object> claims = ImmutableMap.<String, Object>builder()
    .putAll(properties)
    .put(LAST_REFRESH_TIME_PARAM, system2.now())
    .put(CSRF_JWT_PARAM, csrfState)
    .build();
  JwtSerializer.JwtSession session = new JwtSerializer.JwtSession(user.getUuid(), sessionTimeoutInSeconds, claims);
  String encodedToken = jwtSerializer.encode(session);
  response.addCookie(createCookie(request, JWT_COOKIE, encodedToken, sessionTimeoutInSeconds));
}
/**
 * Wires the collaborators and reads the session timeout from {@code config}.
 * <p>
 * The timeout is resolved in the constructor only, so an instance keeps the value that was configured
 * when it was created.
 */
public JwtHttpHandler(System2 system2, DbClient dbClient, Configuration config, JwtSerializer jwtSerializer, JwtCsrfVerifier jwtCsrfVerifier) {
  this.sessionTimeoutInSeconds = getSessionTimeoutInSeconds(config);
  this.jwtCsrfVerifier = jwtCsrfVerifier;
  this.jwtSerializer = jwtSerializer;
  this.dbClient = dbClient;
  this.system2 = system2;
}
@Test
public void validate_token_does_nothing_when_no_jwt_cookie() {
  // without a cookie the serializer must not even be consulted
  underTest.validateToken(request, response);
  verifyZeroInteractions(httpSession, jwtSerializer);

  // and the outcome is "no user"
  assertThat(underTest.validateToken(request, response).isPresent()).isFalse();
}
/** Asserts that the JWT was re-issued carrying {@code refreshTime} as the SSO last-refresh property. */
private void verifyTokenIsUpdated(long refreshTime) {
  ImmutableMap<String, Object> expectedProperties = ImmutableMap.of("ssoLastRefreshTime", refreshTime);
  verify(jwtHttpHandler).generateToken(
    any(UserDto.class),
    eq(expectedProperties),
    any(HttpServletRequest.class),
    any(HttpServletResponse.class));
}
/**
 * Returns the user of the current JWT session, but only while the SSO refresh interval has not elapsed.
 * <p>
 * The token stores the time of the last SSO refresh under {@code LAST_REFRESH_TIME_TOKEN_PARAM}. A token
 * without that claim, or one whose last refresh is older than the interval configured by
 * {@code SONAR_WEB_SSO_REFRESH_INTERVAL_IN_MINUTES}, is reported as "no user", presumably so the caller
 * re-validates against the SSO headers.
 *
 * @return the session user while the refresh interval holds, empty otherwise
 */
private Optional<UserDto> getUserFromToken(HttpServletRequest request, HttpServletResponse response) {
  Optional<JwtHttpHandler.Token> token = jwtHttpHandler.getToken(request, response);
  if (!token.isPresent()) {
    return Optional.empty();
  }
  Date now = new Date(system2.now());
  // settingsByKey is consulted on every call, not cached at construction; parseInt throws on a missing or invalid value
  int refreshIntervalInMinutes = Integer.parseInt(settingsByKey.get(SONAR_WEB_SSO_REFRESH_INTERVAL_IN_MINUTES.getKey()));
  // NOTE(review): the cast assumes the claim was deserialized as a Long; any other numeric type would throw
  // ClassCastException here — confirm against the serializer.
  Long lastRefreshTime = (Long) token.get().getProperties().get(LAST_REFRESH_TIME_TOKEN_PARAM);
  boolean refreshOverdue = lastRefreshTime == null
    || now.after(addMinutes(new Date(lastRefreshTime), refreshIntervalInMinutes));
  if (refreshOverdue) {
    return Optional.empty();
  }
  return Optional.of(token.get().getUserDto());
}
@Test
public void logout_unlogged_user() throws Exception {
  setNoUser();

  executeRequest();

  // even with no session the cookie is cleared, the chain is skipped and a logout is logged with no login
  verify(jwtHttpHandler).removeToken(request, response);
  verifyZeroInteractions(chain);
  verify(authenticationEvent).logoutSuccess(request, null);
}