Improve HTTP session creation and usage

stroomdev66 · stroomdev66 · commit 636635530854 · 2025-09-05T12:29:34.000+01:00
diff --git a/stroom-core-shared/src/main/java/stroom/security/shared/SessionResource.java b/stroom-core-shared/src/main/java/stroom/security/shared/SessionResource.java
@@ -29,13 +29,6 @@ public interface SessionResource extends RestResource, DirectRestService {
     String LIST_PATH_PART = "/list";
     String NODE_NAME_PARAM = "nodeName";
 
-    @GET
-    @Path("/noauth/validateSession")
-    @Operation(
-            summary = "Validate the current session, return a redirect Uri if invalid.",
-            operationId = "validateStroomSession")
-    ValidateSessionResponse validateSession(@QueryParam("redirect_uri") @NotNull String redirectUri);
-
     @GET
     @Path("logout")
     @Operation(
diff --git a/stroom-security/stroom-security-common-impl/src/main/java/stroom/security/common/impl/UserIdentitySessionUtil.java b/stroom-security/stroom-security-common-impl/src/main/java/stroom/security/common/impl/UserIdentitySessionUtil.java
@@ -4,22 +4,20 @@
 import stroom.util.logging.LambdaLogger;
 import stroom.util.logging.LambdaLoggerFactory;
 import stroom.util.logging.LogUtil;
-import stroom.util.servlet.UserAgentSessionUtil;
 import stroom.util.shared.NullSafe;
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpSession;
 
 import java.util.Arrays;
 import java.util.Optional;
+import javax.swing.text.html.Option;
 
 public final class UserIdentitySessionUtil {
 
     private static final LambdaLogger LOGGER = LambdaLoggerFactory.getLogger(UserIdentitySessionUtil.class);
 
     private static final String SESSION_USER_IDENTITY = "SESSION_USER_IDENTITY";
-    private static final String STROOM_SESSION_ID = "STROOM_SESSION_ID";
-    private static final String JSESSIONID = "JSESSIONID";
 
     private UserIdentitySessionUtil() {
     }
@@ -32,41 +30,11 @@ public static void set(final HttpSession session, final UserIdentity userIdentit
                 userIdentity,
                 NullSafe.get(userIdentity, UserIdentity::getClass, Class::getSimpleName),
                 NullSafe.get(session, HttpSession::getId)));
-
         session.setAttribute(SESSION_USER_IDENTITY, userIdentity);
     }
 
-    /**
-     * Set the userIdentity on the session, creating the session as required
-     */
-    public static void set(final HttpServletRequest request, final UserIdentity userIdentity) {
-        // Set the user ref in the session.
-        final HttpSession session = request.getSession(true);
-        set(session, userIdentity);
-        // Now we have the session make note of the user-agent for logging and sessionListServlet duties
-        UserAgentSessionUtil.setUserAgentInSession(request, session);
-    }
-
     public static Optional<UserIdentity> get(final HttpSession session) {
         return Optional.ofNullable(session)
                 .map(session2 -> (UserIdentity) session2.getAttribute(SESSION_USER_IDENTITY));
     }
-
-    public static Optional<UserIdentity> get(final HttpServletRequest request) {
-        return Optional.ofNullable(request)
-                .flatMap(req -> get(req.getSession(false)));
-    }
-
-    public static boolean requestHasSessionCookie(final HttpServletRequest request) {
-        if (request == null || request.getCookies() == null) {
-            return false;
-        }
-
-        // Find out if we have a session cookie
-        return Arrays
-                .stream(request.getCookies())
-                .anyMatch(cookie ->
-                        cookie.getName().equalsIgnoreCase(STROOM_SESSION_ID) ||
-                        cookie.getName().equalsIgnoreCase(JSESSIONID));
-    }
 }
diff --git a/stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/OpenIdManager.java b/stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/OpenIdManager.java
@@ -113,7 +113,7 @@ private String backChannelOIDC(final HttpServletRequest request,
 
             if (optionalUserIdentity.isPresent()) {
                 // Set the token in the session.
-                UserIdentitySessionUtil.set(request, optionalUserIdentity.get());
+                UserIdentitySessionUtil.set(request.getSession(true), optionalUserIdentity.get());
 
                 // Successful login, so redirect to the original URL held in the state.
                 LOGGER.info(() -> "Redirecting to initiating URI: " + state.getInitiatingUri());
@@ -142,26 +142,6 @@ public Optional<UserIdentity> loginWithRequestToken(final HttpServletRequest req
         }
     }
 
-    public Optional<UserIdentity> getOrSetSessionUser(final HttpServletRequest request,
-                                                      final Optional<UserIdentity> userIdentity) {
-        Optional<UserIdentity> result = userIdentity;
-
-        if (userIdentity.isEmpty()) {
-            // Provide identity from the session if we are allowing this to happen.
-            result = UserIdentitySessionUtil.get(request.getSession(false));
-
-            if (LOGGER.isDebugEnabled()) {
-                LOGGER.debug("User identity from session: [{}]", result.orElse(null));
-            }
-
-        } else if (UserIdentitySessionUtil.requestHasSessionCookie(request)) {
-            // Set the user ref in the session.
-            UserIdentitySessionUtil.set(request.getSession(true), userIdentity.get());
-        }
-
-        return result;
-    }
-
     public String logout(final String postAuthRedirectUri) {
         final String endpoint = openIdConfiguration.getLogoutEndpoint();
         final String clientId = openIdConfiguration.getClientId();
diff --git a/stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/SecurityFilter.java b/stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/SecurityFilter.java
@@ -26,6 +26,7 @@
 import stroom.util.logging.LambdaLoggerFactory;
 import stroom.util.logging.LogUtil;
 import stroom.util.net.UrlUtils;
+import stroom.util.servlet.UserAgentSessionUtil;
 import stroom.util.shared.AuthenticationBypassChecker;
 import stroom.util.shared.NullSafe;
 import stroom.util.shared.ResourcePaths;
@@ -62,6 +63,8 @@ class SecurityFilter implements Filter {
             ".jpg", ".gif", ".ico", ".svg", ".ttf", ".woff", ".woff2");
 
     private static final String SIGN_IN_URL_PATH = ResourcePaths.buildServletPath(ResourcePaths.SIGN_IN_PATH);
+    private static final String STROOM_SESSION_ID = "STROOM_SESSION_ID";
+    private static final String JSESSIONID = "JSESSIONID";
 
     private final UriFactory uriFactory;
     private final SecurityContext securityContext;
@@ -152,27 +155,35 @@ private void filter(final HttpServletRequest request,
             // Need to do this first, so we get a fresh token from AWS ALB rather than using a stale
             // one from session.
             optUserIdentity = openIdManager.loginWithRequestToken(request);
+            optUserIdentity.ifPresent(userIdentity ->
+                    ensureSessionIfCookiePresent(request).ifPresent(session -> {
+                        LOGGER.debug(() -> LogUtil.message("Setting user in session, user: {} {}, path: {}",
+                                userIdentity.getClass().getSimpleName(),
+                                userIdentity,
+                                fullPath));
+                        UserIdentitySessionUtil.set(session, userIdentity);
+                    }));
+
+            // Log current user.
             if (LOGGER.isDebugEnabled()) {
                 logUserIdentityToDebug(
                         optUserIdentity, fullPath, "after trying to login with request token");
             }
 
             // If no user from header token, see if we have one in session already.
-            optUserIdentity = openIdManager.getOrSetSessionUser(request, optUserIdentity);
-            if (LOGGER.isDebugEnabled()) {
-                logUserIdentityToDebug(optUserIdentity, fullPath, "from session");
+            if (optUserIdentity.isEmpty()) {
+                optUserIdentity = UserIdentitySessionUtil.get(request.getSession(false));
+                if (LOGGER.isDebugEnabled()) {
+                    logUserIdentityToDebug(optUserIdentity, fullPath, "from session");
+                }
             }
 
             if (optUserIdentity.isPresent()) {
                 final UserIdentity userIdentity = optUserIdentity.get();
-                LOGGER.debug(() -> LogUtil.message("Setting user in session, user: {} {}, path: {}",
-                        userIdentity.getClass().getSimpleName(),
-                        userIdentity,
-                        fullPath));
-                // Set the identity in session if we have a session and cookie
-                if (UserIdentitySessionUtil.requestHasSessionCookie(request)) {
-                    UserIdentitySessionUtil.set(request, userIdentity);
-                }
+
+                // Now we have the session make note of the user-agent for logging and sessionListServlet duties
+                ensureSessionIfCookiePresent(request).ifPresent(session ->
+                        UserAgentSessionUtil.setUserAgentInSession(request, session));
 
                 // Now handle the request as this user
                 securityContext.asUser(userIdentity, () ->
@@ -319,4 +330,19 @@ private void process(final HttpServletRequest request,
     @Override
     public void destroy() {
     }
+
+    private Optional<HttpSession> ensureSessionIfCookiePresent(final HttpServletRequest request) {
+        if (requestHasSessionCookie(request)) {
+            return Optional.of(request.getSession(true));
+        }
+        return Optional.empty();
+    }
+
+    private boolean requestHasSessionCookie(final HttpServletRequest request) {
+        // Find out if we have a session cookie
+        return NullSafe.stream(NullSafe.get(request, HttpServletRequest::getCookies))
+                .anyMatch(cookie ->
+                        cookie.getName().equalsIgnoreCase(STROOM_SESSION_ID) ||
+                        cookie.getName().equalsIgnoreCase(JSESSIONID));
+    }
 }
diff --git a/stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/SessionResourceImpl.java b/stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/SessionResourceImpl.java
@@ -2,13 +2,10 @@
 
 import stroom.event.logging.rs.api.AutoLogged;
 import stroom.event.logging.rs.api.AutoLogged.OperationType;
-import stroom.security.api.UserIdentity;
 import stroom.security.common.impl.UserIdentitySessionUtil;
-import stroom.security.openid.api.OpenId;
 import stroom.security.shared.SessionListResponse;
 import stroom.security.shared.SessionResource;
 import stroom.security.shared.UrlResponse;
-import stroom.security.shared.ValidateSessionResponse;
 
 import jakarta.inject.Inject;
 import jakarta.inject.Provider;
@@ -17,10 +14,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.util.Optional;
-
 @AutoLogged(OperationType.MANUALLY_LOGGED)
 class SessionResourceImpl implements SessionResource {
 
@@ -45,59 +38,6 @@ class SessionResourceImpl implements SessionResource {
         this.stroomUserIdentityFactoryProvider = stroomUserIdentityFactoryProvider;
     }
 
-    @Override
-    @AutoLogged(OperationType.UNLOGGED)
-    public ValidateSessionResponse validateSession(final String postAuthRedirectUri) {
-        final OpenIdManager openIdManager = openIdManagerProvider.get();
-        final HttpServletRequest request = httpServletRequestProvider.get();
-        Optional<UserIdentity> userIdentity = openIdManager.loginWithRequestToken(request);
-        userIdentity = openIdManager.getOrSetSessionUser(request, userIdentity);
-        if (userIdentity.isPresent()) {
-            return new ValidateSessionResponse(true, userIdentity.get().getSubjectId(), null);
-        }
-
-        // If the session doesn't have a user ref then attempt login.
-        try {
-            LOGGER.debug("Using postAuthRedirectUri: {}", postAuthRedirectUri);
-
-            // We might have completed the back channel authentication now so see if we have a user session.
-            userIdentity = UserIdentitySessionUtil.get(request.getSession(false));
-            return userIdentity
-                    .map(identity ->
-                            createValidResponse(identity.getSubjectId()))
-                    .orElseGet(() -> createRedirectResponse(request, postAuthRedirectUri));
-
-        } catch (final RuntimeException e) {
-            LOGGER.error(e.getMessage(), e);
-            throw e;
-        }
-    }
-
-    private ValidateSessionResponse createValidResponse(final String userId) {
-        return new ValidateSessionResponse(true, userId, null);
-    }
-
-    private ValidateSessionResponse createRedirectResponse(final HttpServletRequest request, final String url) {
-        final OpenIdManager openIdManager = openIdManagerProvider.get();
-        final String code = getParam(url, OpenId.CODE);
-        final String stateId = getParam(url, OpenId.STATE);
-        final String redirectUri = openIdManager.redirect(request, code, stateId, url);
-        return new ValidateSessionResponse(false, null, redirectUri);
-    }
-
-    private String getParam(final String url, final String param) {
-        int start = url.indexOf(param + "=");
-        if (start != -1) {
-            start += param.length() + 1;
-            final int end = url.indexOf("&", start);
-            if (end != -1) {
-                return URLDecoder.decode(url.substring(start, end), StandardCharsets.UTF_8);
-            }
-            return URLDecoder.decode(url.substring(start), StandardCharsets.UTF_8);
-        }
-        return null;
-    }
-
     @Override
     @AutoLogged(OperationType.MANUALLY_LOGGED)
     public UrlResponse logout(final String redirectUri) {
