Merge pull request #8792 from eclipse/jetty-10.0.x-OpenIdSessionSerialization

Issue #8330 - fix IllegalStateException from using OpenID with SessionDatastore
Lachlan 2022-11-10 16:54:03 +11:00 committed by GitHub
commit 4f633e945c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 1 deletions


@ -13,6 +13,7 @@
package org.eclipse.jetty.security.openid;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
@ -28,7 +29,10 @@ import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.session.FileSessionDataStoreFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.security.Constraint;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
@ -107,6 +111,12 @@ public class OpenIdAuthenticationTest
securityHandler.setInitParameter(OpenIdAuthenticator.LOGOUT_REDIRECT_PATH, "/");
context.setSecurityHandler(securityHandler);
File datastoreDir = MavenTestingUtils.getTargetTestingDir("datastore");
IO.delete(datastoreDir);
FileSessionDataStoreFactory fileSessionDataStoreFactory = new FileSessionDataStoreFactory();
fileSessionDataStoreFactory.setStoreDir(datastoreDir);
server.addBean(fileSessionDataStoreFactory);
server.start();
String redirectUri = "http://localhost:" + connector.getLocalPort() + "/redirect_path";
openIdProvider.addRedirectUri(redirectUri);
@ -153,6 +163,19 @@ public class OpenIdAuthenticationTest
response = client.GET(appUriString + "/admin");
assertThat(response.getStatus(), is(HttpStatus.FORBIDDEN_403));
// We can restart the server and still be logged in as we have persistent session datastore.
server.stop();
server.start();
appUriString = "http://localhost:" + connector.getLocalPort();
// After restarting server the authentication is saved as a session authentication.
response = client.GET(appUriString + "/");
assertThat(response.getStatus(), is(HttpStatus.OK_200));
content = response.getContentAsString();
assertThat(content, containsString("userId: 123456789"));
assertThat(content, containsString("name: Alice"));
assertThat(content, containsString("email: Alice@example.com"));
// We are no longer authenticated after logging out
response = client.GET(appUriString + "/logout");
assertThat(response.getStatus(), is(HttpStatus.OK_200));
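Review bot: The restart at `server.stop(); server.start();` only demonstrates persistence if the session really round-tripped through the file store, and nothing in the hunk checks that; if the session cache still held the entry in memory across the restart, the `userId`/`name`/`email` assertions would pass without ever exercising the serialization path the commit is fixing. Asserting on the store directory between the two calls would make the test fail for the right reason, e.g. `assertThat(datastoreDir.list().length, greaterThan(0));` right after `server.stop()`, with `datastoreDir` (declared as a local in the earlier setup hunk) promoted to a field so the test method can reach it. Whether the cache is flushed to the store on stop depends on the session cache configuration, which is not visible here, so the assertion would also document that assumption. The enclosing test method continues past the end of the hunk.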


@ -22,6 +22,7 @@ import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;
import org.eclipse.jetty.security.AbstractUserAuthentication;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.UserIdentity;
@ -76,7 +77,13 @@ public class SessionAuthentication extends AbstractUserAuthentication
return;
}
LoginService loginService = security.getLoginService();
LoginService loginService;
Authenticator authenticator = security.getAuthenticator();
if (authenticator instanceof LoginAuthenticator)
loginService = ((LoginAuthenticator)authenticator).getLoginService();
else
loginService = security.getLoginService();
if (loginService == null)
{
if (LOG.isDebugEnabled())