Repository: isis Updated Branches: refs/heads/master e7d7ab5f3 -> f84d86658
ISIS-1434: ensures that shiro Subject is logged out when user logs out via wicket viewer or RO viewer This commit extends the Authenticator internal API to include a logout(...) method, called when the AuthenticationSession is closed. The AuthenticationManager#closeSession(...) is now called consistently by both the Wicket viewer and also Restful Objects viewer. Project: http://git-wip-us.apache.org/repos/asf/isis/repo Commit: http://git-wip-us.apache.org/repos/asf/isis/commit/f84d8665 Tree: http://git-wip-us.apache.org/repos/asf/isis/tree/f84d8665 Diff: http://git-wip-us.apache.org/repos/asf/isis/diff/f84d8665 Branch: refs/heads/master Commit: f84d8665849d61d5d0865d1748c5148b318cf94c Parents: e7d7ab5 Author: Dan Haywood <d...@haywood-associates.co.uk> Authored: Thu Jun 23 19:11:40 2016 +0100 Committer: Dan Haywood <d...@haywood-associates.co.uk> Committed: Thu Jun 23 19:11:40 2016 +0100 ---------------------------------------------------------------------- .../standard/AuthenticationManagerStandard.java | 4 ++ .../authentication/standard/Authenticator.java | 1 + .../standard/AuthenticatorAbstract.java | 6 +++ .../shiro/ShiroAuthenticatorOrAuthorizor.java | 50 +++++++++++++------- .../resources/UserResourceServerside.java | 2 +- .../wicket/AuthenticatedWebSessionForIsis.java | 4 ++ 6 files changed, 50 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/isis/blob/f84d8665/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticationManagerStandard.java ----------------------------------------------------------------------
diff --git a/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticationManagerStandard.java b/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticationManagerStandard.java
index fac9953..3540ce0 100644
--- a/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticationManagerStandard.java
+++ b/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticationManagerStandard.java
@@ -136,6 +136,10 @@ public class AuthenticationManagerStandard implements AuthenticationManager {
 @Programmatic
 @Override
 public void closeSession(final AuthenticationSession session) {
+ List<Authenticator> authenticators = getAuthenticators();
+ for (Authenticator authenticator : authenticators) {
+ authenticator.logout(session);
+ }
 userByValidationCode.remove(session.getValidationCode());
 }
http://git-wip-us.apache.org/repos/asf/isis/blob/f84d8665/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/Authenticator.java
----------------------------------------------------------------------
diff --git a/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/Authenticator.java b/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/Authenticator.java
index a9e113d..9dcd002 100644
--- a/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/Authenticator.java
+++ b/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/Authenticator.java
@@ -44,4 +44,5 @@ public interface Authenticator extends ApplicationScopedComponent {
 */
 AuthenticationSession authenticate(AuthenticationRequest request, String code);
+ void logout(AuthenticationSession session);
 }
http://git-wip-us.apache.org/repos/asf/isis/blob/f84d8665/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticatorAbstract.java
----------------------------------------------------------------------
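Review bot: If any `authenticator.logout(session)` in the new loop throws, the `userByValidationCode.remove(session.getValidationCode())` that follows it is skipped and the validation code stays accepted, so a failure inside one authenticator's logout (the Shiro one in this commit) leaves the Isis session alive after the user believes they are logged out. Run the loop inside `try { ... } finally { userByValidationCode.remove(session.getValidationCode()); }` so the session is always invalidated, and consider catching and logging per authenticator so one failing logout does not stop the others. closeSession is complete within the hunk.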
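Review bot: The new `void logout(AuthenticationSession session);` has no Javadoc although `authenticate` just above it is documented (its comment closes at `*/`), and nothing tells implementors when it is called or what state they are expected to drop. Add a comment such as `/** Called when the {@link AuthenticationSession} is closed (see AuthenticationManagerStandard#closeSession); implementations release any per-subject state they hold, e.g. an external security framework's subject. */`. Adding an abstract method to this public interface also breaks any third-party Authenticator that does not extend AuthenticatorAbstract; if the module compiles for Java 8, a `default` no-op here would keep such implementations source-compatible.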
diff --git a/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticatorAbstract.java b/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticatorAbstract.java
index 5268472..a6a275d 100644
--- a/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticatorAbstract.java
+++ b/core/metamodel/src/main/java/org/apache/isis/core/runtime/authentication/standard/AuthenticatorAbstract.java
@@ -85,6 +85,12 @@ public abstract class AuthenticatorAbstract implements Authenticator {
 */
 protected abstract boolean isValid(AuthenticationRequest request);
+ @Override
+ public void logout(final AuthenticationSession session) {
+ // no-op
+ }
+
+
 //endregion
 //region > Injected (via constructor)
http://git-wip-us.apache.org/repos/asf/isis/blob/f84d8665/core/security-shiro/src/main/java/org/apache/isis/security/shiro/ShiroAuthenticatorOrAuthorizor.java
----------------------------------------------------------------------
diff --git a/core/security-shiro/src/main/java/org/apache/isis/security/shiro/ShiroAuthenticatorOrAuthorizor.java b/core/security-shiro/src/main/java/org/apache/isis/security/shiro/ShiroAuthenticatorOrAuthorizor.java
index b981e7c..c0c05e2 100644
--- a/core/security-shiro/src/main/java/org/apache/isis/security/shiro/ShiroAuthenticatorOrAuthorizor.java
+++ b/core/security-shiro/src/main/java/org/apache/isis/security/shiro/ShiroAuthenticatorOrAuthorizor.java
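Review bot: The default `logout` is followed by two added blank lines, leaving a double blank before `//endregion`; one is enough. The `// no-op` comment would serve subclass authors better if it said why and when to override, e.g. `// no-op by default: this base class holds no per-subject state; override when the authenticator does (see ShiroAuthenticatorOrAuthorizor)`.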
@@ -18,7 +18,33 @@
 */
 package org.apache.isis.security.shiro;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
 import com.google.common.collect.Lists;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.UnavailableSecurityManagerException;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.CredentialsException;
+import org.apache.shiro.authc.ExcessiveAttemptsException;
+import org.apache.shiro.authc.IncorrectCredentialsException;
+import org.apache.shiro.authc.LockedAccountException;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.mgt.RealmSecurityManager;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.Subject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import org.apache.isis.applib.Identifier;
 import org.apache.isis.core.commons.authentication.AuthenticationSession;
 import org.apache.isis.core.commons.config.IsisConfiguration;
@@ -31,22 +57,6 @@ import org.apache.isis.core.runtime.authentication.standard.SimpleSession;
 import org.apache.isis.core.runtime.authorization.AuthorizationManagerInstaller;
 import org.apache.isis.core.runtime.authorization.standard.Authorizor;
 import org.apache.isis.security.shiro.authorization.IsisPermission;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.UnavailableSecurityManagerException;
-import org.apache.shiro.authc.*;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.mgt.RealmSecurityManager;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.realm.Realm;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.apache.shiro.subject.Subject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Set;
 /**
 * If Shiro is configured for both {@link AuthenticationManagerInstaller authentication} and
@@ -162,6 +172,14 @@ public class ShiroAuthenticatorOrAuthorizor implements Authenticator, Authorizor
 return authenticationSessionFor(request, code, token, currentSubject);
 }
+ @Override
+ public void logout(final AuthenticationSession session) {
+ Subject currentSubject = SecurityUtils.getSubject();
+ if(currentSubject.isAuthenticated()) {
+ currentSubject.logout();
+ }
+ }
+
 AuthenticationSession authenticationSessionFor(AuthenticationRequest request, String code, AuthenticationToken token, Subject currentSubject) {
 List<String> roles = getRoles(currentSubject, token);
 // copy over any roles passed in
http://git-wip-us.apache.org/repos/asf/isis/blob/f84d8665/core/viewer-restfulobjects-server/src/main/java/org/apache/isis/viewer/restfulobjects/server/resources/UserResourceServerside.java
----------------------------------------------------------------------
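Review bot: `logout` ignores its `session` argument and logs out whatever Subject `SecurityUtils.getSubject()` binds to the calling thread, so if `closeSession` is ever invoked outside the owner's own request (a session expiring on another thread, for instance) it either does nothing or logs out a different user than the one whose session is being closed. `SecurityUtils.getSubject()` also throws `UnavailableSecurityManagerException` when no SecurityManager is bound, which the class imports and presumably handles in `authenticate` but not here. The rewrite below returns in that case and only calls `currentSubject.logout()` when the subject's principal matches `session.getUserName()`; whether the realm's principal is the plain user name should be confirmed before relying on that comparison. Note also that `isAuthenticated()` is false for a rememberMe-only subject, so such a subject keeps its remembered identity after this logout; drop that guard if rememberMe is in use.
```java
    @Override
    public void logout(final AuthenticationSession session) {
        final Subject currentSubject;
        try {
            currentSubject = SecurityUtils.getSubject();
        } catch (final UnavailableSecurityManagerException ex) {
            // no Shiro SecurityManager bound to this thread, so there is no Subject to log out
            return;
        }
        if (!currentSubject.isAuthenticated()) {
            return;
        }
        // getSubject() is thread-bound, so only log it out when it is the user whose
        // Isis session is being closed (TODO confirm the realm's principal is the plain user name)
        final Object principal = currentSubject.getPrincipal();
        if (principal != null && principal.toString().equals(session.getUserName())) {
            currentSubject.logout();
        }
    }
```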
diff --git a/core/viewer-restfulobjects-server/src/main/java/org/apache/isis/viewer/restfulobjects/server/resources/UserResourceServerside.java b/core/viewer-restfulobjects-server/src/main/java/org/apache/isis/viewer/restfulobjects/server/resources/UserResourceServerside.java
index 32f7c41..2ad47bd 100644
--- a/core/viewer-restfulobjects-server/src/main/java/org/apache/isis/viewer/restfulobjects/server/resources/UserResourceServerside.java
+++ b/core/viewer-restfulobjects-server/src/main/java/org/apache/isis/viewer/restfulobjects/server/resources/UserResourceServerside.java
@@ -80,9 +80,9 @@ public class UserResourceServerside extends ResourceAbstract implements UserReso
 renderer.includesSelf();
 // we do the logout (removes this session from those valid)
+ // similar code in wicket viewer (AuthenticatedWebSessionForIsis#onInvalidate())
 final AuthenticationSession authenticationSession = getResourceContext().getAuthenticationSession();
 getAuthenticationManager().closeSession(authenticationSession);
- getIsisSessionFactory().closeSession();
 // we also redirect to home page with special query string; this allows the session filter
http://git-wip-us.apache.org/repos/asf/isis/blob/f84d8665/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
----------------------------------------------------------------------
diff --git a/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java b/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
index 4999571..16e4454 100644
--- a/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
+++ b/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
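Review bot: The added comment says the code is "similar" to the wicket viewer, but this same hunk removes `getIsisSessionFactory().closeSession()` while the AuthenticatedWebSessionForIsis hunk adds it, so the two paths are now deliberately different and the comment does not say why. State the reason, presumably that the Isis-level session is closed elsewhere for RO requests (the request/session filter), so a later maintainer does not re-add the call: `// similar code in wicket viewer (AuthenticatedWebSessionForIsis#onInvalidate()); unlike there, the IsisSession is closed by the request filter rather than here`. The enclosing logout method starts and ends outside the hunk.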
@@ -93,6 +93,10 @@ public class AuthenticatedWebSessionForIsis extends AuthenticatedWebSession impl
 userName = authenticationSession.getUserName();
 }
+ // similar code in Restful Objects viewer (UserResourceServerside#logout)
+ getAuthenticationManager().closeSession(authenticationSession);
+ getIsisSessionFactory().closeSession();
+
 log(SessionLoggingService.Type.LOGOUT, userName, causedBy);
 }
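Review bot: The closing brace above the added lines suggests `userName = authenticationSession.getUserName()` sits under a guard whose condition is outside the hunk (plausibly a null check), while the new `getAuthenticationManager().closeSession(authenticationSession)` runs unguarded; `AuthenticationManagerStandard#closeSession` dereferences `session.getValidationCode()`, so a null session would throw here and also skip the LOGOUT audit line below. Guard the call the same way, `if (authenticationSession != null) { getAuthenticationManager().closeSession(authenticationSession); }`, or put the two close calls in a `try`/`finally` whose `finally` does the `log(...)` so the logout is recorded even when cleanup fails. The enclosing method starts outside the hunk.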