Fix authentication none with new session services

- ensure cookie is created for sessions
- fix code that relied on the name of the cookie (which doesn't work in
  the case of using Spring Redis for sessions)
- fix active/logged in user metric when using authentication none

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -38,6 +38,7 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -181,7 +182,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 			auth.configureHttpSecurity(http, anyRequestConfigurer);
 		}
 
-
+		// create session cookie even if there is no Authentication in order to support the None authentication backend
+		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
 	}
 
 	@Bean

src/main/java/eu/openanalytics/containerproxy/service/UserService.java

@@ -165,7 +165,7 @@ private String getUserId(Authentication auth) {
 		if (auth == null) return null;
 		if (auth instanceof AnonymousAuthenticationToken) {
 			// Anonymous authentication: use the session id instead of the user name.
-			return SessionHelper.getCurrentSessionId(true);
+			return RequestContextHolder.currentRequestAttributes().getSessionId();
 		}
 		return auth.getName();
 	}

src/main/java/eu/openanalytics/containerproxy/service/session/AbstractSessionService.java

@@ -0,0 +1,54 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.service.session;
+
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.auth.impl.NoAuthenticationBackend;
+import org.springframework.context.annotation.Lazy;
+import org.springframework.security.core.Authentication;
+
+import javax.inject.Inject;
+
+abstract public class AbstractSessionService implements ISessionService {
+
+    @Inject
+    @Lazy
+    // Note: lazy needed to work around early initialization conflict
+    // Only used to check whether we are using Authentication none
+    private IAuthenticationBackend authBackend;
+
+    protected String extractAuthName(Authentication authentication, String sessionId) {
+        if (authentication != null && !authentication.isAuthenticated()) {
+            return null;
+        }
+
+        if (authentication != null) {
+            return authentication.getName();
+        }
+
+        if (authBackend.getName().equals(NoAuthenticationBackend.NAME)) {
+            return sessionId;
+        }
+
+        return null;
+    }
+
+}

src/main/java/eu/openanalytics/containerproxy/service/session/redis/RedisSessionService.java

@@ -22,6 +22,7 @@
 
 import eu.openanalytics.containerproxy.RedisSessionConfig;
 import eu.openanalytics.containerproxy.service.hearbeat.HeartbeatService;
+import eu.openanalytics.containerproxy.service.session.AbstractSessionService;
 import eu.openanalytics.containerproxy.service.session.ISessionService;
 import io.undertow.server.HttpServerExchange;
 import io.undertow.servlet.handlers.ServletRequestContext;
@@ -52,7 +53,7 @@
 
 @Component
 @ConditionalOnProperty(name = "spring.session.store-type", havingValue = "redis")
-public class RedisSessionService implements ISessionService {
+public class RedisSessionService extends AbstractSessionService {
 
     private static final Pattern SESSION_ID_PATTERN = Pattern.compile("^.*sessions:([a-z0-9-]*)$");
     private static final int CACHE_UPDATE_INTERVAL = 20 * 1000; // update cache every minutes
@@ -134,13 +135,13 @@ private void updateCachedUsersLoggedInCount() {
             Session session = redisIndexedSessionRepository.findById(sessionId);
             if (session == null) continue;
 
-            Authentication authentication = extractAuthenticationIfAuthenticated(session);
-            if (authentication == null) continue;
+            String authenticationName = extractAuthName(extractAuthenticationIfAuthenticated(session), sessionId);
+            if (authenticationName == null) continue;
 
-            authenticatedUsers.add(authentication.getName());
+            authenticatedUsers.add(authenticationName);
 
             if (session.getLastAccessedTime().isAfter(minimumInstantTime)) {
-                activeUsers.add(authentication.getName());
+                activeUsers.add(authenticationName);
             }
         }
 

src/main/java/eu/openanalytics/containerproxy/service/session/undertow/UndertowSessionService.java

@@ -20,7 +20,7 @@
  */
 package eu.openanalytics.containerproxy.service.session.undertow;
 
-import eu.openanalytics.containerproxy.service.session.ISessionService;
+import eu.openanalytics.containerproxy.service.session.AbstractSessionService;
 import io.undertow.server.HttpServerExchange;
 import io.undertow.server.session.InMemorySessionManager;
 import io.undertow.server.session.Session;
@@ -43,7 +43,7 @@
 
 @Component
 @ConditionalOnProperty(name = "spring.session.store-type", havingValue = "none")
-public class UndertowSessionService implements ISessionService {
+public class UndertowSessionService extends AbstractSessionService {
 
     private static final int CACHE_UPDATE_INTERVAL = 20 * 1000; // update cache every minutes
 
@@ -119,17 +119,17 @@ private void updateCachedUsersLoggedInCount() {
         Set<String> authenticatedUsers = new HashSet<>();
         Set<String> activeUsers = new HashSet<>();
 
-        for (String sessionId: instance.getAllSessions()) {
+        for (String sessionId : instance.getAllSessions()) {
             Session session = instance.getSession(sessionId);
             if (session == null) continue;
 
-            Authentication authentication = extractAuthenticationIfAuthenticated(session);
-            if (authentication == null) continue;
+            String authenticationName = extractAuthName(extractAuthenticationIfAuthenticated(session), sessionId);
+            if (authenticationName == null) continue;
 
-            authenticatedUsers.add(authentication.getName());
+            authenticatedUsers.add(authenticationName);
 
             if (Instant.ofEpochMilli(session.getLastAccessedTime()).isAfter(minimumInstantTime)) {
-                activeUsers.add(authentication.getName());
+                activeUsers.add(authenticationName);
             }
         }
 
@@ -142,23 +142,18 @@ private void updateCachedUsersLoggedInCount() {
 
     /**
      * Extracts the {@link Authentication} object from the given Session, if and only if the user is authenticated.
+     *
      * @param session the session
      * @return Authentication|null
      */
     private Authentication extractAuthenticationIfAuthenticated(Session session) {
         Object object = session.getAttribute("SPRING_SECURITY_CONTEXT");
 
         if (object instanceof SecurityContext) {
-            SecurityContext securityContext = (SecurityContext) object;
-
-            if (securityContext.getAuthentication().isAuthenticated()) {
-
-                return securityContext.getAuthentication();
-            }
+            return ((SecurityContext) object).getAuthentication();
         }
 
         return null;
     }
 
-
-}
+}

src/main/java/eu/openanalytics/containerproxy/util/SessionHelper.java

@@ -20,42 +20,10 @@
  */
 package eu.openanalytics.containerproxy.util;
 
-import java.util.Optional;
-
-import javax.servlet.http.HttpSession;
-
 import org.springframework.core.env.Environment;
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
-import org.springframework.security.core.AuthenticatedPrincipal;
-import org.springframework.security.core.context.SecurityContext;
-
-import io.undertow.server.HttpServerExchange;
-import io.undertow.server.handlers.Cookie;
-import io.undertow.servlet.handlers.ServletRequestContext;
-import io.undertow.util.HeaderValues;
 
 public class SessionHelper {
 
-	/**
-	 * Looks up the session of the current servlet exchange, and return its ID.
-	 * 
-	 * @param createIfMissing True to create a session if no session is currently active.
-	 * @return The current session ID, or null if no session is active.
-	 */
-	public static String getCurrentSessionId(boolean createIfMissing) {
-		ServletRequestContext context = ServletRequestContext.current();
-		if (context == null) return null;
-		
-		HttpSession session = context.getSession();
-		if (session != null) return session.getId();
-		
-		Cookie jSessionIdCookie = context.getExchange().getRequestCookies().get("JSESSIONID");
-		if (jSessionIdCookie != null) return jSessionIdCookie.getValue();
-		
-		if (createIfMissing) return context.getCurrentServletContext().getSession(context.getExchange(), true).getId();
-		else return null;
-	}
-	
 	/**
 	 * Get the context path that has been configured for this instance.
 	 * 
@@ -72,65 +40,5 @@ public static String getContextPath(Environment environment, boolean endWithSlas
 
 		return contextPath;
 	}
-	
-	/**
-	 * Obtain information about the 'owner' of the current HTTP exchange.
-	 * This method will try to identify the owner, even if:
-	 * 
-	 *  <ul>
-	 *  <li>There is no servlet context</li>
-	 *  <li>There is no authentication backend (users are anonymous)</li>
-	 *  </ul>
-	 * 
-	 * @param exchange The current HTTP exchange.
-	 * @return An object containing information about the current user.
-	 */
-	public static SessionOwnerInfo createOwnerInfo(HttpServerExchange exchange) {
-		SessionOwnerInfo info = new SessionOwnerInfo();
-		
-		// Ideally, use the HTTP session information.
-		info.principal = Optional.ofNullable(ServletRequestContext.current())
-			.map(ctx -> ctx.getSession())
-			.map(session -> (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT"))
-			.map(ctx -> ctx.getAuthentication())
-			.filter(auth -> !AnonymousAuthenticationToken.class.isInstance(auth))
-			.map(auth -> auth.getPrincipal())
-			.orElse(null);
-		
-		// Fallback: use the Authorization header, if present.
-		HeaderValues authHeader = exchange.getRequestHeaders().get("Authorization");
-		if (authHeader != null) info.authHeader = authHeader.getFirst();
 
-		// Fallback: use the JSESSIONID cookie, if present.
-		Cookie jSessionIdCookie = exchange.getRequestCookies().get("JSESSIONID");
-		if (jSessionIdCookie != null) info.jSessionId = jSessionIdCookie.getValue();
-		
-		// Final fallback: generate a JSESSIONID for this exchange.
-		// Supports anonymous requests (i.e. authentication: 'none')
-		if (info.principal == null && info.authHeader == null && info.jSessionId == null) {
-			info.jSessionId = getCurrentSessionId(true);
-		}
-		
-		return info;
-	}
-	
-	public static class SessionOwnerInfo {
-		
-		public Object principal;
-		public String authHeader;
-		public String jSessionId;
-		
-		public boolean isSame(SessionOwnerInfo other) {
-			if (principal != null && other.principal != null) {
-				//TODO Probably, this check will have to be made dependent on the type of principal (LDAP vs OIDC etc)
-				if (principal instanceof AuthenticatedPrincipal && other.principal instanceof AuthenticatedPrincipal) {
-					return ((AuthenticatedPrincipal) principal).getName().equals(((AuthenticatedPrincipal) other.principal).getName());
-				}
-				return principal.equals(other.principal);
-			}
-			if (authHeader != null && other.authHeader != null) return authHeader.equals(other.authHeader);
-			if (jSessionId != null && other.jSessionId != null) return jSessionId.equals(other.jSessionId);
-			return false;
-		}
-	}
 }