Refactoring, moved session state management classes to web/sessionstate package

Added tests for session state management Removed NYI from post logout uri registrations in client

Author: jansinger

openid-connect-server-webapp/pom.xml

@@ -147,6 +147,21 @@
 <groupId>com.zaxxer</groupId>
 <artifactId>HikariCP</artifactId>
 </dependency>
+
+<!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->
+<dependency>
+<groupId>javax.servlet</groupId>
+<artifactId>javax.servlet-api</artifactId>
+<version>3.1.0</version>
+<scope>test</scope>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.security</groupId>
+<artifactId>spring-security-test</artifactId>
+<scope>test</scope>
+</dependency>
+
 </dependencies>
 <description>Deployable package of the OpenID Connect server</description>
 </project>

openid-connect-server-webapp/src/main/test/java/org/mitre/openid/connect/web/sessionstate/SessionStateManagementControllerTest.java

@@ -0,0 +1,149 @@
+package org.mitre.openid.connect.web.sessionstate;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
+import org.mitre.openid.connect.view.JsonEntityView;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpSession;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.logout;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
+
+@WebAppConfiguration
+@ContextConfiguration("file:src/main/webapp/WEB-INF/application-context.xml")
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SessionStateManagementControllerTest {
+
+@Autowired
+private WebApplicationContext wac;
+
+@Autowired
+private ConfigurationPropertiesBean config;
+
+private MockMvc mockMvc;
+
+@Before
+public void setUp() {
+this.mockMvc = MockMvcBuilders
+.webAppContextSetup(this.wac)
+.apply(springSecurity())
+.build();
+}
+
+@Test
+public void showCheckSession() throws Exception {
+mockMvc.perform(get("/" + SessionStateManagementController.FRAME_URL))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(SessionStateManagementController.URL))
+;
+}
+
+@Test
+public void doCheckSession() throws Exception {
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"unchanged\""));
+
+// Login to get a session
+MvcResult mvcResult = mockMvc.perform(formLogin("/login").user("user").password("password"))
+.andDo(print())
+.andExpect(status().is(HttpStatus.FOUND.value()))
+.andExpect(redirectedUrl("/"))
+.andExpect(cookie().exists(config.getSessionStateCookieName()))
+.andReturn();
+
+HttpSession session = mvcResult.getRequest().getSession();
+Cookie opssCookie = mvcResult.getResponse().getCookie(config.getSessionStateCookieName());
+
+// Should respond unchanged
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL)
+.session((MockHttpSession)session).cookie(opssCookie))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"unchanged\""));
+
+// No Session -> respond with "changed"
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL)
+.cookie(opssCookie))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"changed\""));
+
+// No Cookie -> respond with changed
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL)
+.session((MockHttpSession)session))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"changed\""));
+
+String tmpVal = opssCookie.getValue();
+// Changed cookie value -> changed
+opssCookie.setValue("_invalid_");
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL)
+.session((MockHttpSession)session).cookie(opssCookie))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"changed\""));
+
+// restore cookie value
+opssCookie.setValue(tmpVal);
+
+// Should respond unchanged, just to be sure...
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL)
+.session((MockHttpSession)session).cookie(opssCookie))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"unchanged\""));
+
+// Logut to finish the session
+HttpSession session1 = mockMvc.perform(logout())
+.andDo(print())
+.andExpect(status().is(HttpStatus.FOUND.value()))
+.andExpect(redirectedUrl("/"))
+// expect the session state cookie to be deleted
+.andExpect(cookie().exists(config.getSessionStateCookieName()))
+.andExpect(cookie().maxAge(config.getSessionStateCookieName(), 0))
+.andExpect(cookie().value(config.getSessionStateCookieName(), ""))
+.andReturn()
+.getRequest()
+.getSession();
+
+mockMvc.perform(get("/" + SessionStateManagementController.VALIDATION_URL)
+.session((MockHttpSession)session1).cookie(opssCookie))
+.andDo(print())
+.andExpect(status().isOk())
+.andExpect(view().name(JsonEntityView.VIEWNAME))
+.andExpect(content().string("\"changed\""));
+
+}
+
+}

openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -83,7 +83,7 @@
 <mvc:interceptor>
 <mvc:mapping path="/authorize"/>
 <!-- Inject the session state into the response -->
-<bean id="sessionStateAuthorizationInterceptor" class="org.mitre.openid.connect.web.SessionStateAuthorizationInterceptor" />
+<bean id="sessionStateAuthorizationInterceptor" class="org.mitre.openid.connect.web.sessionstate.SessionStateAuthorizationInterceptor" />
 </mvc:interceptor>
 </mvc:interceptors>
 
@@ -215,11 +215,11 @@
 <security:csrf disabled="true"/>
 </security:http>
 
-<security:http pattern="/#{T(org.mitre.openid.connect.web.SessionStateManagementController).URL}**"
+<security:http pattern="/#{T(org.mitre.openid.connect.web.sessionstate.SessionStateManagementController).URL}**"
  create-session="always"
  use-expressions="true"
  entry-point-ref="http403EntryPoint" >
-<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.SessionStateManagementController).URL}**" access="permitAll"/>
+<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.sessionstate.SessionStateManagementController).URL}**" access="permitAll"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:csrf disabled="true"/>
 <security:headers disabled="false">

openid-connect-server-webapp/src/main/webapp/WEB-INF/views/sessionState.jsp

@@ -1,5 +1,5 @@
 <%@ page contentType="text/html;charset=UTF-8" %>
-<%@ page import="org.mitre.openid.connect.web.SessionStateManagementController" %>
+<%@ page import="org.mitre.openid.connect.web.sessionstate.SessionStateManagementController" %>
 <!DOCTYPE html>
 <html>
 <head>

openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html

@@ -565,7 +565,7 @@ <h1 data-i18n="client.client-form.edit"></h1>
  </div>
 
 <div class="control-group" id="postLogoutRedirectUris">
- <label class="control-label"><span class="label label-default nyi"><i class="icon-road icon-white"></i> NYI </span> <span data-i18n="client.client-form.post-logout">Post-Logout Redirect</span></label>
+ <label class="control-label"><span data-i18n="client.client-form.post-logout">Post-Logout Redirect</span></label>
  <div class="controls">
  </div>
 </div>

openid-connect-server/pom.xml

@@ -72,6 +72,13 @@
 <artifactId>org.eclipse.persistence.jpa</artifactId>
 <scope>test</scope>
 </dependency>
+<!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->
+<dependency>
+<groupId>javax.servlet</groupId>
+<artifactId>javax.servlet-api</artifactId>
+<version>3.1.0</version>
+<scope>test</scope>
+</dependency>
 
 <dependency>
 <groupId>org.apache.commons</groupId>

openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java

@@ -38,7 +38,7 @@
 import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint;
 import org.mitre.openid.connect.web.EndSessionEndpoint;
 import org.mitre.openid.connect.web.JWKSetPublishingEndpoint;
-import org.mitre.openid.connect.web.SessionStateManagementController;
+import org.mitre.openid.connect.web.sessionstate.SessionStateManagementController;
 import org.mitre.openid.connect.web.UserInfoEndpoint;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -386,6 +386,7 @@ OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values
 
 m.put("device_authorization_endpoint", baseUrl + DeviceEndpoint.URL);
 
+// Session management endpoints as defined in the specification
 if (config.isSessionStateEnabled()) {
 m.put("check_session_iframe", baseUrl + SessionStateManagementController.FRAME_URL);
 m.put("end_session_endpoint", baseUrl + EndSessionEndpoint.URL);

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/SessionStateManagementFilter.java

@@ -1,6 +1,6 @@
 package org.mitre.openid.connect.filter;
 
-import org.mitre.openid.connect.session.SessionStateManagementService;
+import org.mitre.openid.connect.web.sessionstate.SessionStateManagementService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -11,22 +11,42 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
+/**
+ * Filter to check session state on each request.
+ *
+ * Checks if the session state has changed (e.g. the session has timed out) and
+ * writes a new session state cookie of needed.
+ *
+ * @author jsinger
+ */
+
 @Component("sessionStateManagementFilter")
 public class SessionStateManagementFilter extends OncePerRequestFilter {
 
+// the session state management service to be used
 private final SessionStateManagementService sessionStateManagementService;
 
+/**
+ * Constructor for the filter
+ *
+ * @param sessionStateManagementService the session state management service to be used
+ */
 @Autowired
 public SessionStateManagementFilter(SessionStateManagementService sessionStateManagementService) {
 this.sessionStateManagementService = sessionStateManagementService;
 }
 
+/**
+ * This {@code doFilterInternal} implementation checks if the session state is changed
+ * and writes a new session state cookie if needed.
+ *
+ */
 @Override
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
 
 if (sessionStateManagementService.isSessionStateChanged(request)) {
-// Session state changed, write a new session state cookie
-sessionStateManagementService.processSessionStateCookie(request, response, request.getSession(false));
+// Session state changed, write a new session state cookie, try to restore the session value
+sessionStateManagementService.writeSessionStateCookie(request, response, request.getSession(false), false);
 }
 filterChain.doFilter(request, response);
 }

openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java

@@ -29,7 +29,7 @@
 import javax.servlet.http.HttpSession;
 
 import org.mitre.openid.connect.filter.AuthorizationRequestFilter;
-import org.mitre.openid.connect.session.SessionStateManagementService;
+import org.mitre.openid.connect.web.sessionstate.SessionStateManagementService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -81,7 +81,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 }
 
 // Set additional session state cookie for tracking session changes with session management extensions
-sessionStateManagementService.processSessionStateCookie(request, response, session);
+sessionStateManagementService.writeSessionStateCookie(request, response, session);
 
 logger.info("Successful Authentication of " + authentication.getName() + " at " + authTimestamp.toString());
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/SessionStateAuthorizationInterceptor.java renamed to openid-connect-server/src/main/java/org/mitre/openid/connect/web/sessionstate/SessionStateAuthorizationInterceptor.java

@@ -1,6 +1,6 @@
-package org.mitre.openid.connect.web;
+package org.mitre.openid.connect.web.sessionstate;
 
-import org.mitre.openid.connect.session.SessionStateManagementService;
+import com.google.common.base.Strings;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.util.MultiValueMap;
@@ -12,31 +12,66 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+/**
+ * Interceptor to append the session state parameter to an
+ * successful authorization response.
+ *
+ * Should be applied to the authorization url only.
+ *
+ * @author jsinger
+ */
 public class SessionStateAuthorizationInterceptor extends HandlerInterceptorAdapter {
 
+// The session state management service to use
 private final SessionStateManagementService sessionStateManagementService;
 
+/**
+ * Constructor for the session state management interceptor
+ *
+ * @param sessionStateManagementService The session state management service to use
+ */
 @Autowired
 public SessionStateAuthorizationInterceptor(SessionStateManagementService sessionStateManagementService) {
 this.sessionStateManagementService = sessionStateManagementService;
 }
 
+/**
+ * Add session state parameter to successful authorization response.
+ *
+ * Checks if the authorization request has generated a successful
+ * response containing the "code" parameter in the redirect url and
+ * adds the session state parameter accordingly.
+ *
+ * @param request The http request
+ * @param response The http response
+ * @param handler The servlet handler
+ * @param modelAndView The returned ModelAndView
+ * @throws Exception if any exception occurs
+ */
 @Override
 public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
-// Only on redirects...
+// Apply only on redirects
 if (sessionStateManagementService.isEnabled() && modelAndView != null && (modelAndView.getView() instanceof RedirectView)) {
-// Parse the returned url
+// Parse the redirect  url
 RedirectView view = (RedirectView) modelAndView.getView();
 UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(view.getUrl());
 MultiValueMap<String, String> parameters = uriComponentsBuilder.build().getQueryParams();
-// Only if a code or token is returned
-if (parameters.containsKey("code") || parameters.containsKey("access_token")) {
+String fragment = Strings.nullToEmpty(uriComponentsBuilder.build().getFragment());
+// Only if a code or an access token is returned
+if (parameters.containsKey("code") ||fragment.contains("access_token")) {
 // get the current session state value
 String sessionState = sessionStateManagementService.getSessionState(request);
 if (sessionState != null) {
-// and append it to the query parameters
+// build the hash
 String stateParam = sessionStateManagementService.buildSessionStateParam(sessionState, request.getParameter(OAuth2Utils.CLIENT_ID), view.getUrl());
-uriComponentsBuilder.queryParam(SessionStateManagementService.SESSION_STATE_PARAM, stateParam);
+if (parameters.containsKey("code")) {
+// and append to the query string or ...
+uriComponentsBuilder.queryParam(SessionStateManagementService.SESSION_STATE_PARAM, stateParam);
+} else {
+// the fragment.
+uriComponentsBuilder.fragment(fragment + "&" + SessionStateManagementService.SESSION_STATE_PARAM + "=" + stateParam);
+}
+// set the new url as redirect url
 view.setUrl(uriComponentsBuilder.build().toUriString());
 }
 }