71410: Authorization for Downloads of restricted Bitstreams

- Don't update ePerson session salt when requesting a short lived token
DSpace · Jun 23, 2020 · 6a88ef5 · 6a88ef5
1 parent 6c91e5a
commit 6a88ef5
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/jwt/JWTTokenHandler.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/jwt/JWTTokenHandler.java
@@ -403,7 +403,7 @@ private String getIpAddress(HttpServletRequest request) {
      * @return EPerson object of current user, with an updated session salt
      * @throws SQLException
      */
-    private EPerson updateSessionSalt(final Context context, final Date previousLoginDate) throws SQLException {
+    protected EPerson updateSessionSalt(final Context context, final Date previousLoginDate) throws SQLException {
         EPerson ePerson;
 
         try {

diff --git a/...rver-webapp/src/main/java/org/dspace/app/rest/security/jwt/ShortLivedJWTTokenHandler.java b/...rver-webapp/src/main/java/org/dspace/app/rest/security/jwt/ShortLivedJWTTokenHandler.java
@@ -17,6 +17,7 @@
 import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jwt.util.DateUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.springframework.stereotype.Component;
 
@@ -55,6 +56,17 @@ protected boolean isValidToken(HttpServletRequest request, SignedJWT signedJWT,
         }
     }
 
+    /**
+     * The session salt doesn't need to be updated for short lived tokens.
+     * @param context current DSpace Context
+     * @param previousLoginDate date of last login (prior to this one)
+     * @return EPerson object of current user, with an updated session salt
+     */
+    @Override
+    protected EPerson updateSessionSalt(final Context context, final Date previousLoginDate) {
+        return context.getCurrentUser();
+    }
+
     @Override
     protected String getTokenSecretConfigurationKey() {
         return "jwt.shortLived.token.secret";

diff --git a/...-webapp/src/test/java/org/dspace/app/rest/security/jwt/ShortLivedJWTTokenHandlerTest.java b/...-webapp/src/test/java/org/dspace/app/rest/security/jwt/ShortLivedJWTTokenHandlerTest.java
@@ -15,14 +15,17 @@
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
 
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
+import org.mockito.Mockito;
 import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -38,6 +41,17 @@ public class ShortLivedJWTTokenHandlerTest extends JWTTokenHandlerTest {
     @Spy
     private ShortLivedJWTTokenHandler shortLivedJWTTokenHandler;
 
+    @Before
+    @Override
+    public void setUp() throws Exception {
+        when(ePerson.getSessionSalt()).thenReturn("01234567890123456789012345678901");
+        when(context.getCurrentUser()).thenReturn(ePerson);
+        when(clientInfoService.getClientIp(any())).thenReturn("123.123.123.123");
+        when(ePersonClaimProvider.getKey()).thenReturn("eid");
+        when(ePersonClaimProvider.getValue(any(), Mockito.any(HttpServletRequest.class))).thenReturn("epersonID");
+        jwtClaimProviders.add(ePersonClaimProvider);
+    }
+
     @Test
     public void testJWTNoEncryption() throws Exception {
         Date previous = new Date(System.currentTimeMillis() - 10000000000L);