implement ui client session id

This changeset introduces a client side session id, which is generated once by the client (ui: apiClient) and is send with each request to server. The server makes the session id available by the PrincipalCollection of the subject.
2025-11-12 16:35:45 +01:00 · 2019-11-13 14:03:48 +01:00
parent f0f134daeb
commit 42ab81cf50
16 changed files with 367 additions and 166 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java
@@ -56,7 +56,7 @@ import static com.google.common.base.Preconditions.checkArgument;
@Extension
 public class BearerRealm extends AuthenticatingRealm
 {
-  
+
  /** realm name */
  @VisibleForTesting
  static final String REALM = "BearerRealm";
@@ -104,6 +104,7 @@ public class BearerRealm extends AuthenticatingRealm
    return helper.authenticationInfoBuilder(accessToken.getSubject())
      .withCredentials(bt.getCredentials())
      .withScope(Scopes.fromClaims(accessToken.getClaims()))
+      .withSessionId(bt.getPrincipal())
      .build();
  }

--- a/scm-webapp/src/main/java/sonia/scm/web/BearerWebTokenGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/BearerWebTokenGenerator.java
@@ -44,7 +44,7 @@ import javax.servlet.http.HttpServletRequest;
 /**
 * Creates a {@link BearerToken} from an authorization header with
 * bearer authorization.
- * 
+ *
 * @author Sebastian Sdorra
 * @since 2.0.0
 */
@@ -53,7 +53,7 @@ public class BearerWebTokenGenerator extends SchemeBasedWebTokenGenerator
 {

  /**
-   * Creates a {@link BearerToken} from an authorization header 
+   * Creates a {@link BearerToken} from an authorization header
   * with bearer authorization.
   *
   * @param request http servlet request
@@ -70,7 +70,8 @@ public class BearerWebTokenGenerator extends SchemeBasedWebTokenGenerator

    if (HttpUtil.AUTHORIZATION_SCHEME_BEARER.equalsIgnoreCase(scheme))
    {
-      token = BearerToken.valueOf(authorization);
+      String sessionId = request.getHeader(HttpUtil.HEADER_SCM_SESSION);
+      token = BearerToken.create(sessionId, authorization);
    }

    return token;
--- a/scm-webapp/src/main/java/sonia/scm/web/CookieBearerWebTokenGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/CookieBearerWebTokenGenerator.java
@@ -43,7 +43,7 @@ import javax.servlet.http.HttpServletRequest;
 import sonia.scm.util.HttpUtil;

 /**
- * Creates an {@link BearerToken} from the {@link #COOKIE_NAME} 
+ * Creates an {@link BearerToken} from the {@link HttpUtil#COOKIE_BEARER_AUTHENTICATION}
 * cookie.
 *
 * @author Sebastian Sdorra
@@ -54,7 +54,7 @@ public class CookieBearerWebTokenGenerator implements WebTokenGenerator
 {

  /**
-   * Creates an {@link BearerToken} from the {@link #COOKIE_NAME} 
+   * Creates an {@link BearerToken} from the {@link HttpUtil#COOKIE_BEARER_AUTHENTICATION}
   * cookie.
   *
   * @param request http servlet request
@@ -73,7 +73,8 @@ public class CookieBearerWebTokenGenerator implements WebTokenGenerator
      {
        if (HttpUtil.COOKIE_BEARER_AUTHENTICATION.equals(cookie.getName()))
        {
-          token = BearerToken.valueOf(cookie.getValue());
+          String sessionId = HttpUtil.getHeader(request, HttpUtil.HEADER_SCM_SESSION, null);
+          token = BearerToken.create(sessionId, cookie.getValue());

          break;
        }
--- a/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
@@ -177,45 +177,26 @@ public class DefaultAdministrationContext implements AdministrationContext
    //J+
  }

-  /**
-   * Method description
-   *
-   *
-   * @param action
-   */
-  private void doRunAsInNonWebSessionContext(PrivilegedAction action)
-  {
-    if (logger.isTraceEnabled())
-    {
-      logger.trace("bind shiro security manager to current thread");
-    }
+  private void doRunAsInNonWebSessionContext(PrivilegedAction action) {
+    logger.trace("bind shiro security manager to current thread");

-    try
-    {
+    try {
      SecurityUtils.setSecurityManager(securityManager);

      Subject subject = createAdminSubject();
      ThreadState state = new SubjectThreadState(subject);

      state.bind();
-
      try
      {
-        if (logger.isInfoEnabled())
-        {
-          logger.info("execute action {} in administration context",
-            action.getClass().getName());
-        }
+        logger.info("execute action {} in administration context", action.getClass().getName());

        action.run();
+      } finally {
+        logger.trace("restore current thread state");
+        state.restore();
      }
-      finally
-      {
-        state.clear();
-      }
-    }
-    finally
-    {
+    } finally {
      SecurityUtils.setSecurityManager(null);
    }
  }