From 41d4a3263c100850fbb74c9015d20c245744eae0 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Fri, 22 Jul 2022 18:35:21 +1000
Subject: [PATCH] add test to replicate issue with OpenId Session serialization

Signed-off-by: Lachlan Roberts
---
 .../openid/OpenIdAuthenticationTest.java | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java
index 521568dfdd4..250a6bd27e9 100644
--- a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java
+++ b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java
@@ -13,6 +13,7 @@
 
 package org.eclipse.jetty.security.openid;
 
+import java.io.File;
 import java.io.IOException;
 import java.security.Principal;
 import java.util.Map;
@@ -28,7 +29,9 @@ import org.eclipse.jetty.security.ConstraintMapping;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.session.FileSessionDataStoreFactory;
 import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
 import org.eclipse.jetty.util.security.Constraint;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -107,6 +110,11 @@ public class OpenIdAuthenticationTest
 securityHandler.setInitParameter(OpenIdAuthenticator.LOGOUT_REDIRECT_PATH, "/");
 context.setSecurityHandler(securityHandler);
 
+ File datastoreDir = MavenTestingUtils.getTargetTestingDir("datastore");
+ FileSessionDataStoreFactory fileSessionDataStoreFactory = new FileSessionDataStoreFactory();
+ fileSessionDataStoreFactory.setStoreDir(datastoreDir);
+ server.addBean(fileSessionDataStoreFactory);
+
 server.start();
 String redirectUri = "http://localhost:" + connector.getLocalPort() + "/redirect_path";
 openIdProvider.addRedirectUri(redirectUri);
@@ -153,6 +161,19 @@ public class OpenIdAuthenticationTest
 response = client.GET(appUriString + "/admin");
 assertThat(response.getStatus(), is(HttpStatus.FORBIDDEN_403));
 
+ // We can restart the server and still be logged in as we have persistent session datastore.
+ server.stop();
+ server.start();
+ appUriString = "http://localhost:" + connector.getLocalPort();
+
+ // After restarting server the authentication is saved as a session authentication.
+ response = client.GET(appUriString + "/");
+ assertThat(response.getStatus(), is(HttpStatus.OK_200));
+ content = response.getContentAsString();
+ assertThat(content, containsString("userId: 123456789"));
+ assertThat(content, containsString("name: Alice"));
+ assertThat(content, containsString("email: Alice@example.com"));
+
 // We are no longer authenticated after logging out
 response = client.GET(appUriString + "/logout");
 assertThat(response.getStatus(), is(HttpStatus.OK_200));
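Review bot: The session store directory `MavenTestingUtils.getTargetTestingDir("datastore")` has a fixed name and nothing in this hunk empties it before `server.start()`, so session files persisted by an earlier run of the same test could be loaded by this one and mask a serialization failure with a stale, still-valid session. Unless the setup method (which starts outside the hunk) already cleans it, empty the directory before handing it to the factory, e.g. with the toolchain's `FS.ensureEmpty(datastoreDir);` if that helper is available in this module, or by using a per-test unique directory. The same directory also needs removing in the `@AfterEach` teardown, which is not visible here.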
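Review bot: After the restart the new block only asserts that `/` still renders Alice's claims, so a session-serialization regression that dropped or widened the restored roles would still pass; repeat the authorization check on the restored session before the logout, `response = client.GET(appUriString + "/admin"); assertThat(response.getStatus(), is(HttpStatus.FORBIDDEN_403));`. The redirect URI registered with the provider in the earlier hunk is built from `connector.getLocalPort()` before the restart and is not refreshed after the second `server.start()`, which presumably matters only if the connector uses an ephemeral port and a later login is attempted — the connector setup is outside this hunk. The enclosing test method starts and ends outside the hunk.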