Added HttpSession invalidation if not new

Signed-off-by: Alberto Codutti <alberto.codutti@eurotech.com>
eclipse · Jan 19, 2021 · 8309017 · 8309017
1 parent e340f4f
commit 8309017
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/.../src/main/java/org/eclipse/kapua/app/console/core/server/GwtAuthorizationServiceImpl.java b/.../src/main/java/org/eclipse/kapua/app/console/core/server/GwtAuthorizationServiceImpl.java
@@ -72,6 +72,7 @@
 import org.slf4j.LoggerFactory;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import java.util.concurrent.Callable;
 
 public class GwtAuthorizationServiceImpl extends KapuaRemoteServiceServlet implements GwtAuthorizationService {
@@ -118,6 +119,9 @@ public GwtSession login(GwtLoginCredential gwtLoginCredentials, boolean trustReq
             usernamePasswordCredentials.setAuthenticationCode(gwtLoginCredentials.getAuthenticationCode());
             usernamePasswordCredentials.setTrustKey(gwtLoginCredentials.getTrustKey());
 
+            // Cleanup any previous session
+            cleanupSession();
+
             // Login
             AUTHENTICATION_SERVICE.login(usernamePasswordCredentials, trustReq);
 
@@ -136,13 +140,16 @@ public GwtSession login(GwtJwtCredential gwtAccessTokenCredentials, GwtJwtIdToke
         try {
             // Check Credentials Values
             ArgumentValidator.notNull(gwtAccessTokenCredentials, "loginCredentials");
-            ArgumentValidator.notNull(gwtAccessTokenCredentials.getAccessToken(), "loginCredentials.accessToken");
+            ArgumentValidator.notEmptyOrNull(gwtAccessTokenCredentials.getAccessToken(), "loginCredentials.accessToken");
             ArgumentValidator.notNull(gwtJwtIdToken, "jwtIdToken");
-            ArgumentValidator.notNull(gwtJwtIdToken.getIdToken(), "jwtIdToken.idToken");
+            ArgumentValidator.notEmptyOrNull(gwtJwtIdToken.getIdToken(), "jwtIdToken.idToken");
 
             // Parse Credentials
             JwtCredentials jwtCredentials = CREDENTIALS_FACTORY.newJwtCredentials(gwtAccessTokenCredentials.getAccessToken(), gwtJwtIdToken.getIdToken());
 
+            // Cleanup any previous session
+            cleanupSession();
+
             // Login and check account auto-creation
             try {
                 AUTHENTICATION_SERVICE.login(jwtCredentials);
@@ -159,6 +166,26 @@ public GwtSession login(GwtJwtCredential gwtAccessTokenCredentials, GwtJwtIdToke
         }
     }
 
+    /**
+     * Invalidates the {@link HttpSession} if it is not new.
+     * <p>
+     * This prevents Session Fixation vulnerability.
+     *
+     * @since 1.5.0
+     */
+    private void cleanupSession() {
+        SecurityUtils.getSubject().logout();
+
+        // Invalidate old sessions
+        HttpServletRequest request = getThreadLocalRequest();
+        HttpSession session = request.getSession();
+        if (!session.isNew()) {
+            session.invalidate();
+        }
+
+        request.getSession(true);
+    }
+
     private void handleLoginError(JwtCredentials credentials, KapuaAuthenticationException e) throws KapuaException {
         LOG.debug("Handling error code: {}", e.getCode());
 
@@ -195,8 +222,8 @@ private boolean isAccountCreationEnabled() {
      * Return the currently authenticated user or null if no session has been established.
      */
     @Override
-    public GwtSession getCurrentSession()
-            throws GwtKapuaException {
+    public GwtSession getCurrentSession() throws GwtKapuaException {
+
         GwtSession gwtSession = null;
         try {
             Subject currentUser = SecurityUtils.getSubject();