From c4e1dbe215e67d1761f0ba442a4cf45fbe835818 Mon Sep 17 00:00:00 2001
From: lskublik
Date: Tue, 16 Jun 2020 18:59:31 +0200
Subject: [PATCH] disable creating of session for rest and actuator channels
---
 .../boot/AbstractSpringBootApplication.java | 15 ++
 .../web/security/AuditedLogoutHandler.java | 238 +++++++++---------
 .../web/security/BasicWebSecurityConfig.java | 43 +++-
 .../security/MidpointBeanPostProcessor.java | 14 ++
 ...RegisterSessionAuthenticationStrategy.java | 39 +++
 .../web/security/SessionAndRequestScope.java | 28 +++
 .../security/SessionAndRequestScopeImpl.java | 74 ++++++
 .../security/filter/MidpointAuthFilter.java | 4 +-
 .../filter/MidpointFilterChainProxy.java | 1 +
 .../module/ModuleWebSecurityConfig.java | 10 +-
 .../web/security/util/SecurityUtils.java | 12 +
 .../rest/impl/AbstractRestController.java | 5 +
 12 files changed, 350 insertions(+), 133 deletions(-)
 create mode 100644 gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointRegisterSessionAuthenticationStrategy.java
 create mode 100644 gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScope.java
 create mode 100644 gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScopeImpl.java
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java
index 00c5c2a6451..dcac29b781e 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/AbstractSpringBootApplication.java
@@ -8,9 +8,14 @@ import javax.servlet.DispatcherType;
+import com.evolveum.midpoint.web.security.SessionAndRequestScopeImpl;
+
 import org.apache.wicket.Application;
 import org.apache.wicket.protocol.http.WicketFilter;
+import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.servlet.WebMvcEndpointManagementContextConfiguration;
@@ -139,4 +144,14 @@ public ErrorPageRegistrar errorPageRegistrar() {
 public SessionRegistry sessionRegistry() {
 return new SessionRegistryImpl();
 }
+
+ @Bean
+ public static BeanFactoryPostProcessor beanFactoryPostProcessor() {
+ return new BeanFactoryPostProcessor() {
+ @Override
+ public void postProcessBeanFactory(ConfigurableListableBeanFactory factory) throws BeansException {
+ factory.registerScope("sessionAndRequest", new SessionAndRequestScopeImpl());
+ }
+ };
+ }
 }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java
index aa0c0beeef1..90f26c4fcb1 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java
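Review bot: The scope name `"sessionAndRequest"` passed to `factory.registerScope` in `postProcessBeanFactory` is a string literal that has to match the `@Scope("sessionAndRequest")` meta-annotation on `SessionAndRequestScope` in the same commit; a mismatch on either side would only surface at runtime when the first scoped bean is requested. Declare it once, e.g. `String SCOPE_NAME = "sessionAndRequest";` on the `SessionAndRequestScope` annotation, and use `factory.registerScope(SessionAndRequestScope.SCOPE_NAME, new SessionAndRequestScopeImpl());` here. `BeanFactoryPostProcessor` has a single abstract method, so the anonymous class could be `return factory -> factory.registerScope(...);` if the module's language level allows lambdas. A one-line Javadoc on the bean method, `/** Registers the custom scope behind {@code @SessionAndRequestScope}: session-scoped for GUI requests, request-scoped for REST and actuator requests. */`, would tell the next reader why this exists.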
@@ -1,117 +1,121 @@
-/*
- * Copyright (c) 2010-2013 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-
-package com.evolveum.midpoint.web.security;
-
-import com.evolveum.midpoint.audit.api.AuditEventRecord;
-import com.evolveum.midpoint.audit.api.AuditEventStage;
-import com.evolveum.midpoint.audit.api.AuditEventType;
-import com.evolveum.midpoint.audit.api.AuditService;
-import com.evolveum.midpoint.gui.api.GuiConstants;
-import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
-import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
-import com.evolveum.midpoint.schema.result.OperationResultStatus;
-import com.evolveum.midpoint.security.api.MidPointPrincipal;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.task.api.TaskManager;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.web.security.util.SecurityUtils;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * @author lazyman
- */
-public class AuditedLogoutHandler extends SimpleUrlLogoutSuccessHandler {
-
- private static final Trace LOGGER = TraceManager.getTrace(AuditedLogoutHandler.class);
-
- @Autowired
- private TaskManager taskManager;
- @Autowired
- private AuditService auditService;
-
- boolean useDefaultUrl = false;
-
- private boolean useDefaultUrl() {
- return useDefaultUrl;
- }
-
- @Override
- public void setDefaultTargetUrl(String defaultTargetUrl) {
- super.setDefaultTargetUrl(defaultTargetUrl);
- this.useDefaultUrl = true;
- }
-
- @Override
- public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
- throws IOException {
-
- String targetUrl;
- if (useDefaultUrl()) {
- targetUrl = getDefaultTargetUrl();
- } else {
- targetUrl = GuiConstants.DEFAULT_PATH_AFTER_LOGOUT;
- }
-
- if (authentication instanceof MidpointAuthentication) {
- MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
- if (mpAuthentication.getAuthenticationChannel() != null) {
- targetUrl = mpAuthentication.getAuthenticationChannel().getPathAfterLogout();
- }
- }
-
- if (response.isCommitted()) {
- LOGGER.debug("Response has already been committed. Unable to redirect to " + targetUrl);
- } else {
- getRedirectStrategy().sendRedirect(request, response, targetUrl);
- }
-
- auditEvent(request, authentication);
- }
-
- private void auditEvent(HttpServletRequest request, Authentication authentication) {
- MidPointPrincipal principal = SecurityUtils.getPrincipalUser(authentication);
- PrismObject user = principal != null ? principal.getFocus().asPrismObject() : null;
-
- String channel = SchemaConstants.CHANNEL_GUI_USER_URI;
- if (authentication instanceof MidpointAuthentication
- && ((MidpointAuthentication) authentication).getAuthenticationChannel() != null) {
- channel = ((MidpointAuthentication) authentication).getAuthenticationChannel().getChannelId();
- }
-
- Task task = taskManager.createTaskInstance();
- task.setOwner(user);
- task.setChannel(channel);
-
- AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
- record.setInitiator(user);
- record.setParameter(WebComponentUtil.getName(user, false));
-
- record.setChannel(channel);
- record.setTimestamp(System.currentTimeMillis());
- record.setOutcome(OperationResultStatus.SUCCESS);
-
- // probably not needed, as audit service would take care of it; but it doesn't hurt so let's keep it here
- record.setHostIdentifier(request.getLocalName());
- record.setRemoteHostAddress(request.getLocalAddr());
- record.setNodeIdentifier(taskManager.getNodeId());
- record.setSessionIdentifier(request.getRequestedSessionId());
-
- auditService.audit(record, task);
- }
-}
+/*
+ * Copyright (c) 2010-2013 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.web.security;
+
+import com.evolveum.midpoint.audit.api.AuditEventRecord;
+import com.evolveum.midpoint.audit.api.AuditEventStage;
+import com.evolveum.midpoint.audit.api.AuditEventType;
+import com.evolveum.midpoint.audit.api.AuditService;
+import com.evolveum.midpoint.gui.api.GuiConstants;
+import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.result.OperationResultStatus;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author lazyman
+ */
+public class AuditedLogoutHandler extends SimpleUrlLogoutSuccessHandler {
+
+ private static final Trace LOGGER = TraceManager.getTrace(AuditedLogoutHandler.class);
+
+ @Autowired
+ private TaskManager taskManager;
+ @Autowired
+ private AuditService auditService;
+
+ boolean useDefaultUrl = false;
+
+ private boolean useDefaultUrl() {
+ return useDefaultUrl;
+ }
+
+ @Override
+ public void setDefaultTargetUrl(String defaultTargetUrl) {
+ super.setDefaultTargetUrl(defaultTargetUrl);
+ this.useDefaultUrl = true;
+ }
+
+ @Override
+ public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
+ throws IOException {
+
+ String targetUrl;
+ if (useDefaultUrl()) {
+ targetUrl = getDefaultTargetUrl();
+ } else {
+ targetUrl = GuiConstants.DEFAULT_PATH_AFTER_LOGOUT;
+ }
+
+ if (authentication instanceof MidpointAuthentication) {
+ MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
+ if (mpAuthentication.getAuthenticationChannel() != null) {
+ targetUrl = mpAuthentication.getAuthenticationChannel().getPathAfterLogout();
+ }
+ }
+
+ if (response.isCommitted()) {
+ LOGGER.debug("Response has already been committed. Unable to redirect to " + targetUrl);
+ } else {
+ getRedirectStrategy().sendRedirect(request, response, targetUrl);
+ }
+
+ auditEvent(request, authentication);
+ }
+
+ private void auditEvent(HttpServletRequest request, Authentication authentication) {
+ MidPointPrincipal principal = SecurityUtils.getPrincipalUser(authentication);
+ PrismObject user = principal != null ? principal.getFocus().asPrismObject() : null;
+
+ String channel = SchemaConstants.CHANNEL_GUI_USER_URI;
+ String sessionId = request.getRequestedSessionId();
+ if (authentication instanceof MidpointAuthentication
+ && ((MidpointAuthentication) authentication).getAuthenticationChannel() != null) {
+ channel = ((MidpointAuthentication) authentication).getAuthenticationChannel().getChannelId();
+ if (((MidpointAuthentication) authentication).getSessionId() != null) {
+ sessionId = ((MidpointAuthentication) authentication).getSessionId();
+ }
+ }
+
+ Task task = taskManager.createTaskInstance();
+ task.setOwner(user);
+ task.setChannel(channel);
+
+ AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
+ record.setInitiator(user);
+ record.setParameter(WebComponentUtil.getName(user, false));
+
+ record.setChannel(channel);
+ record.setTimestamp(System.currentTimeMillis());
+ record.setOutcome(OperationResultStatus.SUCCESS);
+
+ // probably not needed, as audit service would take care of it; but it doesn't hurt so let's keep it here
+ record.setHostIdentifier(request.getLocalName());
+ record.setRemoteHostAddress(request.getLocalAddr());
+ record.setNodeIdentifier(taskManager.getNodeId());
+ record.setSessionIdentifier(sessionId);
+
+ auditService.audit(record, task);
+ }
+}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
index 454ca06568d..362b67402de 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/BasicWebSecurityConfig.java
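Review bot: `record.setRemoteHostAddress(request.getLocalAddr())` in `auditEvent` records the server's own address as the remote host of the TERMINATE_SESSION event, so the logout audit trail never contains the client address; this predates the commit, but since the hunk rewrites the whole file it is the place to change it to `record.setRemoteHostAddress(request.getRemoteAddr());` (if deployments sit behind a reverse proxy, resolve the forwarded address the same way the login audit does — confirm how that is handled elsewhere). The 117-removed / 121-added rewrite for what is a four-line change looks like a line-ending normalization; committing that separately would keep the session-id change reviewable. In the new block the three repeated `((MidpointAuthentication) authentication)` casts could be a single local, `MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;`, as `onLogoutSuccess` already does.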
@@ -11,17 +11,17 @@ import java.util.UUID;
 import com.evolveum.midpoint.prism.PrismContext;
-import com.evolveum.midpoint.prism.schema.SchemaRegistry;
+
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Scope;
 import org.springframework.core.annotation.Order;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -29,9 +29,12 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
@@ -43,7 +46,8 @@
 import com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter;
 import com.evolveum.midpoint.web.security.filter.configurers.AuthFilterConfigurer;
-import org.springframework.web.context.annotation.SessionScope;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 /**
 * @author skublik
@@ -111,6 +115,14 @@ public AuthenticationEntryPoint authenticationEntryPoint() {
 return new WicketLoginUrlAuthenticationEntryPoint("/login");
 }
+ @Bean
+ @SessionAndRequestScope
+ @Override
+ protected MidpointAuthenticationManager authenticationManager() throws Exception {
+ List providers = new ArrayList();
+ return new MidpointProviderManager(providers);
+ }
+
 @Override
 public void configure(WebSecurity web) throws Exception {
 super.configure(web);
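Review bot: `List providers = new ArrayList();` in the relocated `authenticationManager()` bean uses raw types; `AuthenticationProvider` is already imported in this file, so `List<AuthenticationProvider> providers = new ArrayList<>();` costs nothing and the raw types should not travel with the move. With the bean now `@SessionAndRequestScope` (a `TARGET_CLASS` proxy), each REST or actuator request gets its own `MidpointProviderManager` holding an empty list for that request only; presumably the authentication filter populates it per request — confirm, because a per-request instance that is never filled would authenticate against no providers. A Javadoc sentence on the method stating who fills `providers` and that the instance is per-session for GUI requests and per-request for REST/actuator would make that contract visible.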
@@ -146,18 +158,29 @@ protected void configure(HttpSecurity http) throws Exception {
 .securityContext();
 http.apply(new AuthFilterConfigurer());
+ createSessionContextRepository(http);
+
 http.sessionManagement()
 .maximumSessions(-1)
 .sessionRegistry(sessionRegistry)
 .maxSessionsPreventsLogin(true);
 }
- @Bean
- @SessionScope
- @Override
- protected MidpointAuthenticationManager authenticationManager() throws Exception {
- List providers = new ArrayList();
- return new MidpointProviderManager(providers);
+ private void createSessionContextRepository(HttpSecurity http) {
+ HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository() {
+ @Override
+ public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
+ if(!SecurityUtils.isRestOrActuatorChannel(request)) {
+ super.saveContext(context, request, response);
+ }
+ }
+ };
+ httpSecurityRepository.setDisableUrlRewriting(true);
+ AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
+ if (trustResolver != null) {
+ httpSecurityRepository.setTrustResolver(trustResolver);
+ }
+ http.setSharedObject(SecurityContextRepository.class, httpSecurityRepository);
 }
 // TODO not used, don't delete because of possible future implementation authentication module
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointBeanPostProcessor.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointBeanPostProcessor.java
index 550ea847bb7..d24a1be410d 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointBeanPostProcessor.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointBeanPostProcessor.java
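Review bot: The anonymous `HttpSessionSecurityContextRepository` in `createSessionContextRepository` suppresses `saveContext` for REST/actuator requests, but `loadContext` is left as inherited, so a request to a REST or actuator path that presents an existing session cookie still has its security context restored from that session — only the write side is channel-aware. If the intent is that these channels never touch the HTTP session, the same `SecurityUtils.isRestOrActuatorChannel(request)` check belongs in overridden `loadContext` and `containsContext` too; if reading from an existing session is deliberate, a comment on the override should say so. A Javadoc on the method, stating that it replaces the default repository so that REST and actuator requests never create or update a session while GUI requests keep the standard behaviour, would document the security contract in one place. Minor: `if(!SecurityUtils...` is missing the space after `if` that the rest of the file uses.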
@@ -6,12 +6,22 @@
 */
 package com.evolveum.midpoint.web.security;
+import com.evolveum.midpoint.security.api.SecurityUtil;
+
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.stereotype.Component;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 /**
 * @author skublik
 */
@@ -25,6 +35,10 @@ public Object postProcessBeforeInitialization(Object bean, String beanName) thro
 CsrfFilter csrfFilter = (CsrfFilter) bean;
 csrfFilter.setAccessDeniedHandler(new MidpointAccessDeniedHandler());
 }
+ if (bean instanceof RegisterSessionAuthenticationStrategy) {
+ RegisterSessionAuthenticationStrategy strategy = (RegisterSessionAuthenticationStrategy) bean;
+ return new MidpointRegisterSessionAuthenticationStrategy(strategy);
+ }
 return bean;
 }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointRegisterSessionAuthenticationStrategy.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointRegisterSessionAuthenticationStrategy.java
new file mode 100644
index 00000000000..223fc5a13f9
--- /dev/null
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointRegisterSessionAuthenticationStrategy.java
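Review bot: The new `instanceof RegisterSessionAuthenticationStrategy` branch in `postProcessBeforeInitialization` also matches `MidpointRegisterSessionAuthenticationStrategy` itself, since that class extends `RegisterSessionAuthenticationStrategy`, so a bean that passes through this post-processor more than once would be wrapped again; guard it with `if (bean instanceof RegisterSessionAuthenticationStrategy && !(bean instanceof MidpointRegisterSessionAuthenticationStrategy)) {`. Returning the wrapper from the before-initialization callback also means, as far as I can tell, that any later initialization callbacks run on the wrapper rather than the original — harmless for this class, but worth a comment such as `// wrap so that REST/actuator authentications are not registered as sessions`. The imports added in the first hunk (`SecurityUtil`, `SecurityUtils`, `Authentication`, `SessionRegistry`, `HttpServletRequest`, `HttpServletResponse`) are not used by any visible line; if the rest of the file does not use them either they should be dropped.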
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security;
+
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationException;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author skublik
+ */
+
+public class MidpointRegisterSessionAuthenticationStrategy extends RegisterSessionAuthenticationStrategy {
+
+ private RegisterSessionAuthenticationStrategy strategy;
+
+ public MidpointRegisterSessionAuthenticationStrategy(RegisterSessionAuthenticationStrategy strategy) {
+ super(new SessionRegistryImpl());
+ this.strategy = strategy;
+ }
+
+ @Override
+ public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) throws SessionAuthenticationException {
+ if (!SecurityUtils.isRestOrActuatorChannel(request)) {
+ strategy.onAuthentication(authentication, request, response);
+ }
+ }
+}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScope.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScope.java
new file mode 100644
index 00000000000..24c53002b75
--- /dev/null
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScope.java
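Review bot: `super(new SessionRegistryImpl())` in the constructor hands the parent class a throw-away registry that is never consulted, because `onAuthentication` is fully overridden and delegates to the wrapped `strategy`; that works, but a reader could assume sessions are being registered in a second registry. Add a class Javadoc saying this is a decorator that skips session registration for REST and actuator requests and delegates every other request to the wrapped strategy, plus `// parent registry is unused: all registration goes through 'strategy'` on the `super(...)` line. The field should be `private final` and null-checked, `this.strategy = Objects.requireNonNull(strategy, "strategy");` (with a `java.util.Objects` import), and the `SessionAuthenticationStrategy` import is unused.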
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security;
+
+import org.springframework.context.annotation.Scope;
+import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.core.annotation.AliasFor;
+import org.springframework.web.context.WebApplicationContext;
+
+import java.lang.annotation.*;
+
+/**
+ * @author skublik
+ */
+
+@Target({ ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Scope("sessionAndRequest")
+public @interface SessionAndRequestScope {
+
+ @AliasFor(annotation = Scope.class)
+ ScopedProxyMode proxyMode() default ScopedProxyMode.TARGET_CLASS;
+
+}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScopeImpl.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScopeImpl.java
new file mode 100644
index 00000000000..00b2951c281
--- /dev/null
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/SessionAndRequestScopeImpl.java
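Review bot: `import org.springframework.web.context.WebApplicationContext;` is not referenced anywhere in this file and should be removed, and `java.lang.annotation.*` is a wildcard import where only `Target`, `ElementType`, `Retention` and `RetentionPolicy` are needed. The annotation has no Javadoc describing its contract; a short one — beans carrying it are session-scoped for GUI requests and request-scoped for REST and actuator requests, as decided by the `sessionAndRequest` scope registered in `AbstractSpringBootApplication`, and are exposed through a `TARGET_CLASS` proxy — would let users pick it over `@SessionScope` deliberately. Adding `@Documented`, as Spring's own `@SessionScope` does, keeps it visible in generated API docs.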
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security;
+
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+
+import org.springframework.beans.factory.ObjectFactory;
+import org.springframework.beans.factory.config.Scope;
+import org.springframework.lang.Nullable;
+import org.springframework.web.context.request.*;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.ws.spi.http.HttpExchange;
+
+/**
+ * @author skublik
+ */
+
+public class SessionAndRequestScopeImpl extends AbstractRequestAttributesScope {
+
+ private SessionScope sessionScope;
+ private RequestScope requestScope;
+
+ public SessionAndRequestScopeImpl(){
+ sessionScope = new SessionScope();
+ requestScope = new RequestScope();
+ }
+
+ @Override
+ protected int getScope() {
+ if (isRestOrActuatorChannel()) {
+ return RequestAttributes.SCOPE_REQUEST;
+ }
+ return RequestAttributes.SCOPE_SESSION;
+ }
+
+ @Override
+ public String getConversationId() {
+ return getCurrentScope().getConversationId();
+ }
+
+ @Override
+ public Object get(String name, ObjectFactory objectFactory) {
+ return getCurrentScope().get(name, objectFactory);
+ }
+
+ @Override
+ @Nullable
+ public Object remove(String name) {
+ return getCurrentScope().remove(name);
+ }
+
+ private Scope getCurrentScope(){
+ if (isRestOrActuatorChannel()) {
+ return requestScope;
+ }
+ return sessionScope;
+ }
+
+ private boolean isRestOrActuatorChannel(){
+ HttpServletRequest httpRequest = null;
+ RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+ if (requestAttributes instanceof ServletRequestAttributes) {
+ HttpServletRequest request = ((ServletRequestAttributes)requestAttributes).getRequest();
+ httpRequest = request;
+ }
+ return SecurityUtils.isRestOrActuatorChannel(httpRequest);
+ }
+}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.java
index 1a5dbcc5876..c078e0dd804 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.java
@@ -21,6 +21,8 @@
 import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
 import com.evolveum.midpoint.web.security.util.SecurityUtils;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationServiceException;
@@ -184,7 +186,7 @@ private int restartAuthFlow(MidpointAuthentication mpAuthentication, HttpServlet
 SecurityContextHolder.getContext().setAuthentication(new MidpointAuthentication(sequence));
 mpAuthentication = (MidpointAuthentication) SecurityContextHolder.getContext().getAuthentication();
 mpAuthentication.setAuthModules(authModules);
- mpAuthentication.setSessionId(httpRequest.getSession().getId());
+ mpAuthentication.setSessionId(httpRequest.getSession(false) != null ? httpRequest.getSession(false).getId() : RandomStringUtils.random(30, true, true).toUpperCase());
 mpAuthentication.addAuthentications(authModules.get(0).getBaseModuleAuthentication());
 return mpAuthentication.resolveParallelModules(httpRequest, 0);
 }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointFilterChainProxy.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointFilterChainProxy.java
index 3ca512ec915..1414271d6ec 100644
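Review bot: `import javax.xml.ws.spi.http.HttpExchange;` is unused and comes from JAX-WS, which is no longer shipped with the JDK from Java 11 on, so it is a needless compile-time dependency on a module that may not be present; `SchemaConstants` is likewise imported but never referenced. In `isRestOrActuatorChannel` the `request` local is copied into `httpRequest` in two steps where `httpRequest = ((ServletRequestAttributes) requestAttributes).getRequest();` does the same. A class Javadoc would help: on every access the scope resolves to request scope for REST/actuator requests and to session scope otherwise, and when no servlet request is bound to the current thread it falls back to the session scope (which then presumably reports the missing request itself — confirm).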
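Review bot: The replacement line in `restartAuthFlow` calls `httpRequest.getSession(false)` twice and, for session-less REST/actuator requests, stores a `RandomStringUtils` value that is indistinguishable in audit records from a real container session id. Fetch the session once — `HttpSession session = httpRequest.getSession(false);` followed by `mpAuthentication.setSessionId(session != null ? session.getId() : <generated id>);` — and mark the synthetic value, either by a prefix or at least by a comment such as `// no HTTP session on REST/actuator channels: generate a per-flow id so audit records can still be correlated`, so audit consumers know it is not a session. `RandomStringUtils.random` is backed by `java.util.Random`; that is acceptable for a correlation id, but if this value is ever used for anything security-relevant it should come from `SecureRandom` or `UUID.randomUUID()`. `restartAuthFlow` starts before the hunk.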
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointFilterChainProxy.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/filter/MidpointFilterChainProxy.java
@@ -93,6 +93,7 @@ private void doFilterInternal(ServletRequest request, ServletResponse response,
 MidpointFilterChainProxy.VirtualFilterChain vfc = new MidpointFilterChainProxy.VirtualFilterChain(fwRequest, chain, filters);
 vfc.doFilter(fwRequest, fwResponse);
+ int i = 0;
 }
 private List getFilters(HttpServletRequest request) {
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.java
index c85bec0e9bb..d584492bf90 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/ModuleWebSecurityConfig.java
@@ -135,11 +135,11 @@ protected void configure(HttpSecurity http) throws Exception {
 http.headers().disable();
 http.headers().frameOptions().sameOrigin();
- http.sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.NEVER)
- .maximumSessions(-1)
- .sessionRegistry(sessionRegistry)
- .maxSessionsPreventsLogin(true);
+// http.sessionManagement()
+// .sessionCreationPolicy(SessionCreationPolicy.NEVER)
+// .maximumSessions(-1)
+// .sessionRegistry(sessionRegistry)
+// .maxSessionsPreventsLogin(true);
 }
 @Override
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java
index 3ba8422ccbf..0dcd58dc37e 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/util/SecurityUtils.java
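Review bot: `int i = 0;` added after `vfc.doFilter(fwRequest, fwResponse);` in `doFilterInternal` is an unused local with no effect — it reads like a leftover breakpoint anchor from debugging and should be removed before merging. `doFilterInternal` starts before the hunk.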
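Review bot: The five `//`-commented lines in `configure(HttpSecurity)` are dead code; if the `sessionManagement()` block is gone for good, delete it (history keeps it), and if it is only parked, a one-line comment must say why — as written a reader cannot tell whether dropping `SessionCreationPolicy.NEVER` and the `maxSessionsPreventsLogin(true)` limit for module chains is intentional. From the rest of the commit it appears the session decisions moved to the custom `SecurityContextRepository` in `BasicWebSecurityConfig` and to `MidpointRegisterSessionAuthenticationStrategy`, so a comment such as `// session creation and registration for this chain are handled by BasicWebSecurityConfig.createSessionContextRepository and MidpointRegisterSessionAuthenticationStrategy` would make that explicit. `configure` starts before the hunk.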
@@ -627,4 +627,16 @@ public static boolean isBasePathForSequence(HttpServletRequest httpRequest, Auth
 }
 return true;
 }
+
+ public static boolean isRestOrActuatorChannel(HttpServletRequest httpRequest){
+ if (httpRequest != null) {
+ String localePath = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
+ String channel = SecurityUtils.searchChannelByPath(localePath);
+ if (SchemaConstants.CHANNEL_REST_URI.equals(channel)
+ || SchemaConstants.CHANNEL_ACTUATOR_URI.equals(channel)) {
+ return true;
+ }
+ }
+ return false;
+ }
 }
diff --git a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
index e17b36b17c8..4c746527962 100644
--- a/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
+++ b/model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
@@ -5,6 +5,8 @@ import java.net.URI;
 import javax.servlet.http.HttpServletRequest;
+import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -184,6 +186,9 @@ private void auditEvent() {
 record.setChannel(SchemaConstants.CHANNEL_REST_URI);
 record.setTimestamp(System.currentTimeMillis());
 record.setOutcome(OperationResultStatus.SUCCESS);
+ if (authentication instanceof MidpointAuthentication) {
+ record.setSessionIdentifier(((MidpointAuthentication) authentication).getSessionId());
+ }
 auditService.audit(record, task);
 }
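Review bot: `isRestOrActuatorChannel` classifies the request from `httpRequest.getRequestURI()`, which is the raw, undecoded URI and may still carry path parameters, and `substring(httpRequest.getContextPath().length())` assumes the URI starts with the context path; since this one result now decides whether a session is created, saved and registered for the request, it should be derived from the same normalized path the security filter chain's request matchers use (servlet path plus path info, without path parameters), so that the session decision and the chain selection can never disagree for one request. `localePath` reads as "locale"; `pathWithinApplication` says what it is. A Javadoc with `@return true when the request path maps to the REST or actuator channel; false otherwise, including for a null request` would document the null contract that the callers in this commit rely on.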
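Review bot: `record.setSessionIdentifier(((MidpointAuthentication) authentication).getSessionId())` in `auditEvent` now stores, for session-less REST calls, the per-flow id that `MidpointAuthFilter.restartAuthFlow` generates rather than a container session id; that is what keeps REST audit records correlatable, but nothing at this site says so, and `authentication` is declared before the hunk. A comment on the new `if`, `// REST requests carry no HTTP session; the id is the per-flow id assigned in MidpointAuthFilter`, would save the next reader from looking for a session that does not exist. `auditEvent` starts before the hunk.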