gh-5132 Fix missing session when AWS ALB does the code flow

Author: at055612

stroom-dropwizard-common/src/main/java/stroom/dropwizard/common/AuthenticationBypassCheckerImpl.java

@@ -33,7 +33,9 @@ void registerUnauthenticatedApiPath(final String path) {
     }
 
     @Override
-    public boolean isUnauthenticated(final String servletName, final String servletPath, final String fullPath) {
+    public boolean isUnauthenticated(final String servletName,
+                                     final String servletPath,
+                                     final String fullPath) {
         if (servletPath == null) {
             return false;
         } else {
@@ -49,8 +51,8 @@ public boolean isUnauthenticated(final String servletName, final String servletP
                 canBypassAuth = unauthenticatedServletNames.contains(servletName);
             }
 
-            LOGGER.debug("servletName: {}, servletPath: {}, canBypassAuth: {}",
-                    servletName, servletPath, canBypassAuth);
+            LOGGER.debug("isUnauthenticated() - servletName: {}, servletPath: {}, fullPath: {}, canBypassAuth: {}",
+                    servletName, servletPath, fullPath, canBypassAuth);
             return canBypassAuth;
         }
     }

stroom-security/stroom-security-common-impl/src/main/java/stroom/security/common/impl/JwtContextFactory.java

@@ -29,4 +29,5 @@ public interface JwtContextFactory {
      * like audience and subject only if doVerification is true.
      */
     Optional<JwtContext> getJwtContext(final String jwt, final boolean doVerification);
+
 }

stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/SecurityFilter.java

@@ -136,25 +136,24 @@ private void filter(final HttpServletRequest request,
             chain.doFilter(request, response);
         } else if (isStaticResource(fullPath, servletPath, servletName)) {
             chain.doFilter(request, response);
+        } else if (shouldBypassAuthentication(request, fullPath, servletPath, servletName)) {
+            LOGGER.debug("Running as proc user for unauthenticated resource, servletName: {}, " +
+                         "fullPath: {}, servletPath: {}", servletName, fullPath, servletPath);
+            // Some paths don't need authentication. If that is the case then proceed as proc user.
+            securityContext.asProcessingUser(() ->
+                    process(request, response, chain));
         } else {
             // Api requests that are not from the front-end should have a token.
             // Also request from an AWS ALB will have an ALB signed token containing the claims
             // Need to do this first, so we get a fresh token from AWS ALB rather than using a stale
             // one from session.
             Optional<UserIdentity> optUserIdentity = openIdManager.loginWithRequestToken(request);
-
-            // Log current user.
-            if (LOGGER.isDebugEnabled()) {
-                logUserIdentityToDebug(
-                        optUserIdentity, fullPath, "after trying to login with request token");
-            }
+            logUserIdentityToDebug(optUserIdentity, fullPath, servletPath, "from request token");
 
             // If no user from header token, see if we have one in session already.
             if (optUserIdentity.isEmpty()) {
                 optUserIdentity = UserIdentitySessionUtil.get(SessionUtil.getExistingSession(request));
-                if (LOGGER.isDebugEnabled()) {
-                    logUserIdentityToDebug(optUserIdentity, fullPath, "from session");
-                }
+                logUserIdentityToDebug(optUserIdentity, fullPath, servletPath, "from session");
             }
 
             if (optUserIdentity.isPresent()) {
@@ -163,19 +162,20 @@ private void filter(final HttpServletRequest request,
                 // Now we have the session make note of the user-agent for logging and sessionListServlet duties
                 UserAgentSessionUtil.setUserAgentInSession(request);
 
+                // If OIDC code flow has been handled by the AWS ALB then the session won't have been
+                // created by our code flow code. Thus, ensure we have a session with the user in it
+                if (isStroomUIServlet(servletName)) {
+                    SessionUtil.getOrCreateSession(request, session -> {
+                        LOGGER.info("Creating session {} for user {}, fullPath: {}, servlet: {}",
+                                session.getId(), userIdentity, fullPath, servletName);
+                        UserIdentitySessionUtil.set(session, userIdentity);
+                    });
+                }
+
                 // Now handle the request as this user
                 securityContext.asUser(userIdentity, () ->
                         process(request, response, chain));
-
-            } else if (shouldBypassAuthentication(request, fullPath, servletPath, servletName)) {
-                LOGGER.debug("Running as proc user for unauthenticated servletName: {}, " +
-                             "fullPath: {}, servletPath: {}", servletName, fullPath, servletPath);
-                // Some paths don't need authentication. If that is the case then proceed as proc user.
-                securityContext.asProcessingUser(() ->
-                        process(request, response, chain));
-
-//            } else if (isApiRequest(servletPath)) {
-            } else if (Objects.equals(ResourcePaths.STROOM_SERVLET_NAME, servletName)) {
+            } else if (isStroomUIServlet(servletName)) {
                 doOpenIdFlow(request, response, fullPath);
             } else {
                 // If we couldn't log in with a token or couldn't get a token then error as this is an API call
@@ -187,6 +187,10 @@ private void filter(final HttpServletRequest request,
         }
     }
 
+    private boolean isStroomUIServlet(final String servletName) {
+        return Objects.equals(ResourcePaths.STROOM_SERVLET_NAME, servletName);
+    }
+
     private void doOpenIdFlow(final HttpServletRequest request,
                               final HttpServletResponse response,
                               final String fullPath) throws IOException {
@@ -245,8 +249,9 @@ private void doOpenIdFlow(final HttpServletRequest request,
     @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
     private void logUserIdentityToDebug(final Optional<UserIdentity> optUserIdentity,
                                         final String fullPath,
+                                        final String servletName,
                                         final String msg) {
-        LOGGER.debug("User identity ({}): {} path: {}",
+        LOGGER.debug(() -> LogUtil.message("User identity ({}): {}, fullPath: {}, servletName: {}",
                 msg,
                 optUserIdentity.map(
                                 identity -> {
@@ -258,7 +263,8 @@ private void logUserIdentityToDebug(final Optional<UserIdentity> optUserIdentity
                                             identity.getClass().getSimpleName());
                                 })
                         .orElse("<empty>"),
-                fullPath);
+                fullPath,
+                servletName));
     }
 
     private String getPostAuthRedirectUri(final HttpServletRequest request) {
@@ -298,17 +304,6 @@ private boolean shouldBypassAuthentication(final HttpServletRequest servletReque
         } else {
             shouldBypass = authenticationBypassChecker.isUnauthenticated(servletName, servletPath, fullPath);
         }
-
-        if (LOGGER.isDebugEnabled()) {
-            if (shouldBypass) {
-                LOGGER.debug("Bypassing authentication for servletName: {}, fullPath: {}, servletPath: {}",
-                        NullSafe.get(
-                                servletRequest.getHttpServletMapping(),
-                                HttpServletMapping::getServletName),
-                        fullPath,
-                        servletPath);
-            }
-        }
         return shouldBypass;
     }
 

stroom-util/src/main/java/stroom/util/servlet/SessionUtil.java

@@ -34,6 +34,11 @@ public static boolean requestHasSessionCookie(final HttpServletRequest request)
         return hasCookie;
     }
 
+    public static boolean hasSession(final HttpServletRequest request) {
+        return request.getSession(false) != null;
+    }
+
+
     /**
      * Gets the existing {@link HttpSession} or returns null if no session is present.
      * Does NOT create a session.

unreleased_changes/20250919_133650_510__5132.md

@@ -0,0 +1,60 @@
+* Issue **#5132** : Fix missing session when AWS ALB does the code flow.
+
+
+```sh
+# ********************************************************************************
+# Issue title: /stroom/sessionList is empty on 7.10.2
+# Issue link:  https://github.com/gchq/stroom/issues/5132
+# ********************************************************************************
+
+# ONLY the top line will be included as a change entry in the CHANGELOG.
+# The entry should be in GitHub flavour markdown and should be written on a SINGLE
+# line with no hard breaks. You can have multiple change files for a single GitHub issue.
+# The  entry should be written in the imperative mood, i.e. 'Fix nasty bug' rather than
+# 'Fixed nasty bug'.
+#
+# Examples of acceptable entries are:
+#
+#
+# * Issue **123** : Fix bug with an associated GitHub issue in this repository
+#
+# * Issue **namespace/other-repo#456** : Fix bug with an associated GitHub issue in another repository
+#
+# * Fix bug with no associated GitHub issue.
+
+
+# --------------------------------------------------------------------------------
+# The following is random text to make this file unique for git's change detection
+# 0OFaWWSfTLSoczakC5MFfSFrLeOaQcVELlisvohpCkViqq1RGA324pldl67yaM4UuyIg9R58n46LFBZ2
+# hJ9CTv1WQPyobhGNuSyJCUPGEVK8qY9bwCLAwuE29oHZSYWNQuvw4ygUH3wv9fH1lSPZxEKc9EAqRxn8
+# 7pYE8v7E1yfsmPCLHsmcatdYLbXjJX4M0I30y1J78zAkBJ3lAUk7Z2iQW90fMsB2daaduMfZmCanwXt8
+# CdW139qLO4O93DQeOPaJ4qTcUeQ7jUn10oRRF9cf5esL5PbGHzyC65hkQCbRhitXHAcZHYQUbSloa0Bo
+# maK0NZE0ryaj0mfQOUrGJOIOSdtEgzNY0AuMT679qA1LkqXZmKNikvsYsW7vywhxnDyQTW6tdsy9LTIi
+# 7rhHUNI9fTZw0ufKraas71hiW5xQja1zhXAchLbOs57KR1vFy8VC0WfHLhripwuK6vNGIGv18piP5GM9
+# mXBO7LZghpBl38s6UhOhRFCLkWbCWVrnyxjU96TkJ1j6yXWkC4a7lMyJaa0QNElYgjGnzv74EeeLHIIR
+# KFZUtIN9phOrihWl7eJIlBWDXba6kxorB4zQmpzchrigUXTmr1RV38AlEtZ0CiPvSMBM9wU4ACK9LPWk
+# PlQ65g2uROweRte35KFZBnI7AS2tED50lFncfrPUfY9csLbRxRo9gc3D3RwiZobaIWEh1EYdmPkp8NCi
+# vYyogaG13Om3M52FC8l09wdd4RoOwG3qBM1HnaC1h6xsjetJ1xuyF4OoEF5EV2nYYvyu7WAWvgTI4pN5
+# WW08RRyyvWl439FTafptIxNi5ZnnkPgC6xdrJzKzrAZMKYfieQ3RlYVX7iZh6LsVm9Bgh0uazT81oR4e
+# M3BHdM6bYjU18gnXNFnZK9b1k3UDCjznGLwWL1uN6AfyPBpygyjb4dG6sFEmChmC0aLUAs5eeAUaFZrn
+# vBY1QOUh1UvxePeOPyqKb6ZIFYLIMGGaOVtKopunOg2RdZmqzH7QBLTSyUxK9oVO7e1GDDNp2AuYujVS
+# lF1G3T0TEr4pdTLQJgugqFShuwUkVRVQgsCl0sXOuJAoBbb9yEfvvohTWJEUUatHYxmpBSuFg9jWW9mj
+# DaaRGcBuTEYMluf4knHNAlJ34isYVjQsOcpra2p5fFPgfbPgV7QZ1AHxUWjI0qQAip2ZNyEoiYfb6Uk5
+# bhvaQuAIr3vgLB5FQo3QKU2QygiOMNane2HbLyZTr79QPolhzhHL8XJXE8brTGEBUpfW6HPneNSoRTWs
+# Ey2BFQ6iyshzx10WVMlyg1U3FcD1u9umTEIMX1eWsQdpRcAaZgjsmHgbIMkENsNBMCKTyRjn6Q0VkUjb
+# KLkdhGT8e3qsVCNNoOD3SnQ8A88BqEq0ixUIcbKewmxLw0Qt96hLjlUFEjVUJ0VkAMlsxuwc0Dxhh3RA
+# WkfzAAAhY7Xqu9LK9DY4yt6jBHfZ2tLSLcOdt3tEpSEXFzkjzHzDBCVOq4q1HtqoWamEdknhOgAlLM8h
+# ARmZp7RGh6HMMO7YF9zmvxehFRJwVmITGBhluCEKhOz1gMVwVdtvqwqTnSkc53dE0K6WEUMIR0nKj9BB
+# W8NtmXclIKDfGm1hcLgegT0Uojyas41zwpprGsNGnNJMpyLfiprBbfnLcUiBHvG8EercFHXPGTHlougd
+# 9yitiIXKWCZF93hquGlAsQR987gCRcqu229B4rNlEYoaZiVLfN3sWOJPcVW9rd0H7BsDyomt87dtR4bW
+# UQH0Wkfd8TvgLVuKGIcBsI7Ao1bjJX30bOsyUu47Ah029z2AG6cGdey5etsEiExIMeYIn0SHxXxIA7yj
+# KIQbFN5j5lR0G053T7QmcE4hINWLe3koixgVIyagWfOg6NThPBLgQeMlepjpXPOEIXwfQlSJUQe2EDQc
+# Eyl5maRtMnqs4RldkKGXofGnIosbPkSQvEwAkAGhtd4hBw7XCtVVQqDW0kM8fpIOMiStjavcRvpgtsgH
+# X6dcjBAoBylFGxDP4DVg0HWjjnm4CZSv50kIgBXjg0wTsz8ogoDDs08Rw6X9qFqmXHlwmtw1Nur9Ifkt
+# PhijQUwmbFRj7clxYQKIKuzXogQabtstKGsnSksEGw5s4ucIj1ADR2GjWllC6NDvykCc8GdJB92J7vgp
+# OgG95M5cq7P9nHY0VIYkEMtJyHnB1QTbCtoPRb28vr3JK1tYkCUQnX9dSvMtZHYaF0R4kNB3e7NCx3fn
+# KbkLXo3OCEhKFHGCTqwRiWbRFnTY3aRYaPl3TVRd1twqcFmiavXa2TxPhsEWpirYp9FuFQBevcP6rSvp
+# 6zUovoOfBjbu46UJfMb1FN2IOkinWv50PRcxZ2SoJemecXiYLxN8OoaJUTnHdoXFsyhDOmsrjsBkdqbj
+# --------------------------------------------------------------------------------
+
+```