login cookie refactoring and setting

ldchrist · Dec 28, 2015 · 454da5f · 454da5f
1 parent 9c57ca2
commit 454da5f
Show file tree

Hide file tree

Showing 16 changed files with 195 additions and 113 deletions.
diff --git a/src/main/java/password/pwm/AppProperty.java b/src/main/java/password/pwm/AppProperty.java
@@ -80,8 +80,6 @@ public enum AppProperty {
     HTTP_COOKIE_MAX_READ_LENGTH                     ("http.cookie.maxReadLength"),
     HTTP_COOKIE_CAPTCHA_SKIP_NAME                   ("http.cookie.captchaSkip.name"),
     HTTP_COOKIE_CAPTCHA_SKIP_AGE                    ("http.cookie.captchaSkip.age"),
-    HTTP_COOKIE_INSTANCE_GUID_NAME                  ("http.cookie.instanceGUID.name"),
-    HTTP_COOKIE_INSTANCE_GUID_AGE                   ("http.cookie.instanceGUID.age"),
     HTTP_COOKIE_LOGIN_NAME                          ("http.cookie.login.name"),
     HTTP_BASIC_AUTH_CHARSET                         ("http.basicAuth.charset"),
     HTTP_BODY_MAXREAD_LENGTH                        ("http.body.maxReadLength"),

diff --git a/src/main/java/password/pwm/PwmApplication.java b/src/main/java/password/pwm/PwmApplication.java
@@ -54,10 +54,7 @@
 import password.pwm.svc.wordlist.SeedlistManager;
 import password.pwm.svc.wordlist.SharedHistoryManager;
 import password.pwm.svc.wordlist.WordlistManager;
-import password.pwm.util.FileSystemUtility;
-import password.pwm.util.Helper;
-import password.pwm.util.JsonUtil;
-import password.pwm.util.TimeDuration;
+import password.pwm.util.*;
 import password.pwm.util.db.DatabaseAccessorImpl;
 import password.pwm.util.localdb.LocalDB;
 import password.pwm.util.localdb.LocalDBFactory;
@@ -476,6 +473,10 @@ public CacheService getCacheService() {
         return (CacheService)pwmServiceManager.getService(CacheService.class);
     }
 
+    public LoginCookieManager getLoginCookieManager() {
+        return (LoginCookieManager)pwmServiceManager.getService(LoginCookieManager.class);
+    }
+
     public SecureService getSecureService() {
         return (SecureService)pwmServiceManager.getService(SecureService.class);
     }

diff --git a/src/main/java/password/pwm/config/PwmSetting.java b/src/main/java/password/pwm/config/PwmSetting.java
@@ -433,9 +433,21 @@ public enum PwmSetting {
             "password.policy.charGroup.regExValues", PwmSettingSyntax.STRING_ARRAY, PwmSettingCategory.PASSWORD_POLICY),
 
 
-    // security settings
+    // app security settings
     PWM_SECURITY_KEY(
             "pwm.securityKey", PwmSettingSyntax.PASSWORD, PwmSettingCategory.APP_SECURITY),
+    REVERSE_DNS_ENABLE(
+            "network.reverseDNS.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
+    DISPLAY_SHOW_DETAILED_ERRORS(
+            "display.showDetailedErrors", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
+    SESSION_MAX_SECONDS(
+            "session.maxSeconds", PwmSettingSyntax.DURATION, PwmSettingCategory.APP_SECURITY),
+    SECURITY_ENABLE_LOGIN_COOKIE(
+            "security.loginCookie.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
+
+
+
+    // web security
     SECURITY_ENABLE_REQUEST_SEQUENCE(
             "security.page.enableRequestSequence", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     SECURITY_ENABLE_FORM_NONCE(
@@ -450,8 +462,6 @@ public enum PwmSetting {
             "forceBasicAuth", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     USE_X_FORWARDED_FOR_HEADER(
             "useXForwardedForHeader", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
-    REVERSE_DNS_ENABLE(
-            "network.reverseDNS.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
     MULTI_IP_SESSION_ALLOWED(
             "network.allowMultiIPSession", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     REQUIRED_HEADERS(
@@ -460,10 +470,6 @@ public enum PwmSetting {
             "network.ip.permittedRange", PwmSettingSyntax.STRING_ARRAY, PwmSettingCategory.WEB_SECURITY),
     SECURITY_PAGE_LEAVE_NOTICE_TIMEOUT(
             "security.page.leaveNoticeTimeout", PwmSettingSyntax.NUMERIC, PwmSettingCategory.WEB_SECURITY),
-    DISPLAY_SHOW_DETAILED_ERRORS(
-            "display.showDetailedErrors", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.APP_SECURITY),
-    SESSION_MAX_SECONDS(
-            "session.maxSeconds", PwmSettingSyntax.DURATION, PwmSettingCategory.APP_SECURITY),
     SECURITY_PREVENT_FRAMING(
             "security.preventFraming", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     SECURITY_REDIRECT_WHITELIST(

diff --git a/src/main/java/password/pwm/http/PwmRequest.java b/src/main/java/password/pwm/http/PwmRequest.java
@@ -25,7 +25,6 @@
 import org.apache.commons.fileupload.FileItemIterator;
 import org.apache.commons.fileupload.FileItemStream;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
-import password.pwm.AppProperty;
 import password.pwm.PwmApplication;
 import password.pwm.PwmConstants;
 import password.pwm.Validator;
@@ -114,7 +113,6 @@ private PwmRequest(
         this.pwmSession = pwmSession;
         this.pwmApplication = pwmApplication;
         this.cspNonce = PwmRandom.getInstance().alphaNumericString(10);
-        checkRequestInstanceNonce();
     }
 
     public PwmApplication getPwmApplication()
@@ -588,12 +586,4 @@ public String getURLwithoutQueryString() throws PwmUnrecoverableException {
         final HttpServletRequest req = this.getHttpServletRequest();
         return req.getRequestURI();
     }
-
-    private void checkRequestInstanceNonce() {
-        final String cookieName = getConfig().readAppProperty(AppProperty.HTTP_COOKIE_INSTANCE_GUID_NAME);
-        final String cookieValue = readCookie(cookieName);
-        if (cookieValue != null && !cookieValue.equals(getPwmApplication().getInstanceNonce())) {
-            LOGGER.warn(this, "request was generated by client communicating with a foreign server instance");
-        }
-    }
 }
diff --git a/src/main/java/password/pwm/http/PwmSession.java b/src/main/java/password/pwm/http/PwmSession.java
@@ -39,7 +39,6 @@
 import password.pwm.svc.stats.StatisticsManager;
 import password.pwm.util.JsonUtil;
 import password.pwm.util.LocaleHelper;
-import password.pwm.util.LoginCookieManager;
 import password.pwm.util.TimeDuration;
 import password.pwm.util.logging.PwmLogger;
 import password.pwm.util.secure.PwmRandom;
@@ -219,7 +218,7 @@ public void unauthenticateUser(final PwmRequest pwmRequest) {
 
         if (pwmRequest != null) {
             try {
-                LoginCookieManager.clearLoginCookie(pwmRequest);
+                pwmRequest.getPwmApplication().getLoginCookieManager().clearLoginCookie(pwmRequest);
             } catch (PwmUnrecoverableException e) {
                 final String errorMsg = "unexpected error writing removing login cookie from response: " + e.getMessage();
                 final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN,errorMsg);

diff --git a/src/main/java/password/pwm/http/ServletHelper.java b/src/main/java/password/pwm/http/ServletHelper.java
@@ -157,17 +157,6 @@ public static void addPwmResponseHeaders(
                 }
             }
 
-            final String instanceCookieName = pwmApplication.getConfig().readAppProperty(AppProperty.HTTP_COOKIE_INSTANCE_GUID_NAME);
-            if (instanceCookieName != null && instanceCookieName.length() > 0) {
-                resp.writeCookie(
-                        instanceCookieName,
-                        pwmApplication.getInstanceNonce(),
-                        Integer.parseInt(pwmApplication.getConfig().readAppProperty(AppProperty.HTTP_COOKIE_INSTANCE_GUID_AGE)),
-                        PwmHttpResponseWrapper.CookiePath.Application
-                );
-
-            }
-
             resp.setHeader(PwmConstants.HttpHeader.Server, null);
         }
     }

diff --git a/src/main/java/password/pwm/http/filter/AuthenticationFilter.java b/src/main/java/password/pwm/http/filter/AuthenticationFilter.java
@@ -49,7 +49,6 @@
 import password.pwm.util.BasicAuthInfo;
 import password.pwm.util.CASAuthenticationHelper;
 import password.pwm.util.LocaleHelper;
-import password.pwm.util.LoginCookieManager;
 import password.pwm.util.logging.PwmLogger;
 
 import javax.servlet.ServletException;
@@ -161,7 +160,7 @@ private void processAuthenticatedSession(
 
         // output the login cookie
         try {
-            LoginCookieManager.writeLoginCookieToResponse(pwmRequest);
+            pwmApplication.getLoginCookieManager().writeLoginCookieToResponse(pwmRequest);
         } catch (PwmUnrecoverableException e) {
             final String errorMsg = "unexpected error writing login cookie to response: " + e.getMessage();
             final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN,errorMsg);
@@ -578,7 +577,7 @@ public void attemptAuthentication(
         )
                 throws PwmUnrecoverableException, IOException
         {
-            LoginCookieManager.readLoginInfoCookie(pwmRequest);
+            pwmRequest.getPwmApplication().getLoginCookieManager().readLoginInfoCookie(pwmRequest);
         }
 
         @Override

diff --git a/src/main/java/password/pwm/http/servlet/LoginServlet.java b/src/main/java/password/pwm/http/servlet/LoginServlet.java
@@ -34,7 +34,6 @@
 import password.pwm.ldap.auth.AuthenticationType;
 import password.pwm.ldap.auth.PwmAuthenticationSource;
 import password.pwm.ldap.auth.SessionAuthenticator;
-import password.pwm.util.LoginCookieManager;
 import password.pwm.util.PasswordData;
 import password.pwm.util.logging.PwmLogger;
 import password.pwm.ws.server.RestResultBean;
@@ -217,8 +216,7 @@ private void handleLoginRequest(
         // recycle the session to prevent session fixation attack.
         pwmRequest.getPwmSession().getSessionStateBean().setSessionIdRecycleNeeded(true);
 
-        LoginCookieManager.writeLoginCookieToResponse(pwmRequest);
-
+        pwmRequest.getPwmApplication().getLoginCookieManager().writeLoginCookieToResponse(pwmRequest);
     }
 
     private void forwardToJSP(

diff --git a/src/main/java/password/pwm/svc/PwmServiceManager.java b/src/main/java/password/pwm/svc/PwmServiceManager.java
@@ -20,6 +20,7 @@
 import password.pwm.svc.wordlist.SeedlistManager;
 import password.pwm.svc.wordlist.SharedHistoryManager;
 import password.pwm.svc.wordlist.WordlistManager;
+import password.pwm.util.LoginCookieManager;
 import password.pwm.util.TimeDuration;
 import password.pwm.util.db.DatabaseAccessorImpl;
 import password.pwm.util.logging.PwmLogger;
@@ -62,6 +63,7 @@ public enum PwmServiceClassEnum {
         CacheService(           CacheService.class,              true),
         ResourceServletService( ResourceServletService.class,    false),
         SessionTrackService(    SessionTrackService.class,       false),
+        LoginCookieService(     LoginCookieManager.class,        false),
 
         ;
 

diff --git a/src/main/java/password/pwm/svc/sessiontrack/SessionTrackService.java b/src/main/java/password/pwm/svc/sessiontrack/SessionTrackService.java
@@ -151,7 +151,6 @@ public Collection<SessionStateInfoBean> getSessionList(final int maximumResults)
 
     private static SessionStateInfoBean infoBeanFromPwmSession(final PwmSession loopSession) {
         final SessionStateBean loopSsBean = loopSession.getSessionStateBean();
-        final UserInfoBean loopUiBean =loopSession.getUserInfoBean();
 
         final SessionStateInfoBean sessionStateInfoBean = new SessionStateInfoBean();
 
@@ -160,14 +159,18 @@ private static SessionStateInfoBean infoBeanFromPwmSession(final PwmSession loop
         sessionStateInfoBean.setLastTime(loopSession.getSessionStateBean().getSessionLastAccessedTime());
         sessionStateInfoBean.setIdle(loopSession.getIdleTime().asCompactString());
         sessionStateInfoBean.setLocale(loopSsBean.getLocale() == null ? null : loopSsBean.getLocale());
-        sessionStateInfoBean.setLdapProfile(loopSsBean.isAuthenticated() ? loopUiBean.getUserIdentity().getLdapProfileID() : "");
-        sessionStateInfoBean.setUserDN(loopSsBean.isAuthenticated() ? loopUiBean.getUserIdentity().getUserDN() : "");
-        sessionStateInfoBean.setUserID(loopSsBean.isAuthenticated() ? loopUiBean.getUsername() : "");
         sessionStateInfoBean.setSrcAddress(loopSsBean.getSrcAddress());
         sessionStateInfoBean.setSrcHost(loopSsBean.getSrcHostname());
         sessionStateInfoBean.setLastUrl(loopSsBean.getLastRequestURL());
         sessionStateInfoBean.setIntruderAttempts(loopSsBean.getIntruderAttempts());
 
+        if (loopSession.isAuthenticated()) {
+            final UserInfoBean loopUiBean = loopSession.getUserInfoBean();
+            sessionStateInfoBean.setLdapProfile(loopSsBean.isAuthenticated() ? loopUiBean.getUserIdentity().getLdapProfileID() : "");
+            sessionStateInfoBean.setUserDN(loopSsBean.isAuthenticated() ? loopUiBean.getUserIdentity().getUserDN() : "");
+            sessionStateInfoBean.setUserID(loopSsBean.isAuthenticated() ? loopUiBean.getUsername() : "");
+        }
+
         return sessionStateInfoBean;
     }
 

diff --git a/src/main/java/password/pwm/svc/stats/Statistic.java b/src/main/java/password/pwm/svc/stats/Statistic.java
@@ -99,6 +99,7 @@ public enum Statistic {
     REST_STATISTICS                     (Type.INCREMENTOR, "RestStatistics", null),
     REST_VERIFYCHALLENGES               (Type.INCREMENTOR, "RestVerifyChallenges", null),
     INTRUDER_ATTEMPTS                   (Type.INCREMENTOR, "IntruderAttempts", null),
+    FOREIGN_SESSIONS_ACCEPTED           (Type.INCREMENTOR, "ForeignSessionsAccepted", null),
 
     AVG_PASSWORD_SYNC_TIME              (Type.AVERAGE, "AvgPasswordSyncTime", null),
     AVG_AUTHENTICATION_TIME             (Type.AVERAGE, "AvgAuthenticationTime", null),