Merge branch 'master' into better-coercion

apache · Feb 11, 2019 · 69b9c8b · 69b9c8b
2 parents 29fc1fd + 6ec9a74
commit 69b9c8b
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 10 deletions.
diff --git a/karaf/jetty-config/src/main/resources/jetty.xml b/karaf/jetty-config/src/main/resources/jetty.xml
@@ -20,4 +20,19 @@
 <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
 
 <Configure id="Server" class="org.eclipse.jetty.server.Server">
+
+    <!--Config Jetty HouseKeeper scavenge interval for invalidate session to one hour to avoid losing authentication-->
+    <!--token -->
+    <Set name="sessionIdManager">
+        <New id="idMgr" class="org.eclipse.jetty.server.session.DefaultSessionIdManager">
+            <Arg><Ref refid="Server"/></Arg>
+            <Set name="sessionHouseKeeper">
+                <New class="org.eclipse.jetty.server.session.HouseKeeper">
+                    <Set name="intervalSec"><Property name="jetty.sessionScavengeInterval.seconds" default="3600"/></Set>
+                </New>
+            </Set>
+        </New>
+    </Set>
+
 </Configure>
+
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CsrfTokenFilter.java
@@ -215,11 +215,10 @@ private void fail(ContainerRequestContext requestContext, ApiError apiError) {
 
     @Override
     public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
-        log.debug("CSRF FILTER finishing - "+MultiSessionAttributeAdapter.info(request));
         MultiSessionAttributeAdapter session = MultiSessionAttributeAdapter.of(request, false);
         String token = (String) (session==null ? null : session.getAttribute(CSRF_TOKEN_VALUE_ATTR));
         String requiredWhenS = request.getHeader(CSRF_TOKEN_REQUIRED_HEADER);
-        
+
         if (session==null) {
             if (Strings.isBlank(requiredWhenS)) {
                 // no session and no requirement specified, bail out 
@@ -232,7 +231,17 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
             }
             session = MultiSessionAttributeAdapter.of(request, true);
         }
-
+
+        if (token==null) {
+            // create the token
+            token = Identifiers.makeRandomId(16);
+            log.trace("Created new token {} for {}", token, session);
+        }
+        session.setAttribute(CSRF_TOKEN_VALUE_ATTR, token);
+
+        addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE, token, "Clients should send this value in header "+CSRF_TOKEN_VALUE_HEADER+" for validation");
+        addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE_ANGULAR_NAME, token, "Compatibility cookie for "+CSRF_TOKEN_VALUE_COOKIE+" following AngularJS conventions");
+
         CsrfTokenRequiredForRequests requiredWhen;
         if (Strings.isNonBlank(requiredWhenS)) {
             requiredWhen = getRequiredForRequests(requiredWhenS, DEFAULT_REQUIRED_FOR_REQUESTS);
@@ -262,12 +271,6 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
             return;
         }
 
-        // create the token
-        token = Identifiers.makeRandomId(16);
-        session.setAttribute(CSRF_TOKEN_VALUE_ATTR, token);
-
-        addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE, token, "Clients should send this value in header "+CSRF_TOKEN_VALUE_HEADER+" for validation");
-        addCookie(responseContext, CSRF_TOKEN_VALUE_COOKIE_ANGULAR_NAME, token, "Compatibility cookie for "+CSRF_TOKEN_VALUE_COOKIE+" following AngularJS conventions");
     }
 
     protected NewCookie addCookie(ContainerResponseContext responseContext, String cookieName, String token, String comment) {

diff --git a/...t-resources/src/main/java/org/apache/brooklyn/rest/util/MultiSessionAttributeAdapter.java b/...t-resources/src/main/java/org/apache/brooklyn/rest/util/MultiSessionAttributeAdapter.java
@@ -80,6 +80,8 @@ public class MultiSessionAttributeAdapter {
     private static final String KEY_PREFERRED_SESSION_HANDLER_INSTANCE = "org.apache.brooklyn.server.PreferredSessionHandlerInstance";
     private static final String KEY_IS_PREFERRED = "org.apache.brooklyn.server.IsPreferred";
 
+    private static final int MAX_INACTIVE_INTERVAL = 3601;
+
     private static final Object PREFERRED_SYMBOLIC_NAME = 
         "org.apache.cxf.cxf-rt-transports-http";
         //// our bundle here doesn't have a session handler; sessions to the REST API get the handler from CXF
@@ -135,11 +137,15 @@ private HttpSession findPreferredSession(HttpSession localSession, HttpServletRe
                         (preferredSession!=null ? info(preferredSession) : "none, willl make new session in "+info(preferredHandler)));
                 }
                 if (preferredSession!=null) {
+                    preferredSession.setMaxInactiveInterval(MAX_INACTIVE_INTERVAL);
                     return preferredSession;
                 }
                 if (preferredHandler!=null) {
                     if (optionalRequest!=null) { 
                         HttpSession result = preferredHandler.newHttpSession(optionalRequest);
+                        // bigger than HouseKeeper.sessionScavengeInterval: 3600
+                        // https://www.eclipse.org/jetty/documentation/9.4.x/session-configuration-housekeeper.html
+                        result.setMaxInactiveInterval(MAX_INACTIVE_INTERVAL);
                         if (log.isTraceEnabled()) {
                             log.trace("Creating new session "+info(result)+" to be preferred for " + info(optionalRequest, localSession));
                         }
@@ -148,6 +154,7 @@ private HttpSession findPreferredSession(HttpSession localSession, HttpServletRe
                     // the server has a preferred handler, but no session yet; fall back to marking on the session 
                     log.warn("No request so cannot create preferred session at preferred handler "+info(preferredHandler)+" for "+info(optionalRequest, localSession)+"; will exceptionally mark the calling session as the preferred one");
                     markSessionAsPreferred(localSession, " (request came in for "+info(optionalRequest, localSession)+")");
+                    localSession.setMaxInactiveInterval(MAX_INACTIVE_INTERVAL);
                     return localSession;
                 } else {
                     // shouldn't come here; at minimum it should have returned the local session's handler
@@ -236,7 +243,7 @@ protected SessionHandler findPreferredBundleHandler(Session localSession, Server
                                 if (preferredHandler==null) {
                                     preferredHandler = sh;
                                     server.setAttribute(KEY_PREFERRED_SESSION_HANDLER_INSTANCE, sh);
-                                    log.debug("Recording "+info(sh)+" as server-wide preferred session handler");
+                                    log.trace("Recording "+info(sh)+" as server-wide preferred session handler");
                                 } else {
                                     log.warn("Multiple preferred session handlers detected; keeping "+info(preferredHandler)+", ignoring "+info(sh));
                                 }