From: maxcooper Date: Sat, 25 Oct 2003 10:49:03 +0000 (+0000) Subject: fixed bug #824791: Session not invalidated upon re-authentication X-Git-Tag: rel-2_0-alpha1~39 X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=b517a2e90998b7f94dcdbacd2fd2ce03931842a5;p=securityfilter.git fixed bug #824791: Session not invalidated upon re-authentication added test to make sure it stays fixed --- diff --git a/src/example/org/securityfilter/example/Constants.java b/src/example/org/securityfilter/example/Constants.java index 0fa4ebd..e3f6f8c 100644 --- a/src/example/org/securityfilter/example/Constants.java +++ b/src/example/org/securityfilter/example/Constants.java @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/securityfilter/securityfilter/src/example/org/securityfilter/example/Constants.java,v 1.3 2003/06/14 14:10:42 maxcooper Exp $ - * $Revision: 1.3 $ - * $Date: 2003/06/14 14:10:42 $ + * $Header: /cvsroot/securityfilter/securityfilter/src/example/org/securityfilter/example/Constants.java,v 1.4 2003/10/25 10:49:04 maxcooper Exp $ + * $Revision: 1.4 $ + * $Date: 2003/10/25 10:49:04 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 @@ -59,7 +59,7 @@ package org.securityfilter.example; * Constants - constants for the example applications to facilitate testing * * @author Max Cooper (max@maxcooper.com) - * @version $Revision: 1.3 $ $Date: 2003/06/14 14:10:42 $ + * @version $Revision: 1.4 $ $Date: 2003/10/25 10:49:04 $ */ public interface Constants { @@ -67,6 +67,8 @@ public interface Constants { public static final String COMMON_TITLE_BASE = "SecurityFilter Example Application: "; public static final String VALID_USERNAME = "username"; public static final String VALID_PASSWORD = "password"; + public static final String VALID_USERNAME2 = "username2"; + public static final String VALID_PASSWORD2 = "password2"; public static final String VALID_ROLE = "inthisrole"; // home page constants @@ -83,7 +85,9 @@ public interface Constants { // secure page constants public static final String SECURE_TITLE = COMMON_TITLE_BASE + "Secure Page"; - public static final String SECURE_POSTED_VALUE_ID = "postedValue"; + public static final String SECURE_POSTED_VALUE_FORM = "postedValueForm"; + public static final String SECURE_POSTED_VALUE_FIELD = "postedValue"; + public static final String SECURE_LAST_POSTED_VALUE_FIELD = "lastPostedValue"; // logout page constants public static final String LOGOUT_TITLE = COMMON_TITLE_BASE + "Logout"; diff --git a/src/example/org/securityfilter/example/realm/TrivialSecurityRealm.java b/src/example/org/securityfilter/example/realm/TrivialSecurityRealm.java index b7a98d6..eba0718 100644 --- a/src/example/org/securityfilter/example/realm/TrivialSecurityRealm.java +++ b/src/example/org/securityfilter/example/realm/TrivialSecurityRealm.java @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/securityfilter/securityfilter/src/example/org/securityfilter/example/realm/TrivialSecurityRealm.java,v 1.2 2003/06/14 14:39:03 maxcooper Exp $ - * $Revision: 1.2 $ - * $Date: 2003/06/14 14:39:03 $ + * $Header: /cvsroot/securityfilter/securityfilter/src/example/org/securityfilter/example/realm/TrivialSecurityRealm.java,v 1.3 2003/10/25 10:49:04 maxcooper Exp $ + * $Revision: 1.3 $ + * $Date: 2003/10/25 10:49:04 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 @@ -65,7 +65,7 @@ import org.securityfilter.realm.SimpleSecurityRealmBase; * And this user is in one role: 'inthisrole' * * @author Max Cooper (max@maxcooper.com) - * @version $Revision: 1.2 $ $Date: 2003/06/14 14:39:03 $ + * @version $Revision: 1.3 $ $Date: 2003/10/25 10:49:04 $ */ public class TrivialSecurityRealm extends SimpleSecurityRealmBase { @@ -82,7 +82,10 @@ public class TrivialSecurityRealm extends SimpleSecurityRealmBase { * @return null if the user cannot be authenticated, otherwise a Pricipal object is returned */ public boolean booleanAuthenticate(String username, String password) { - return Constants.VALID_USERNAME.equals(username) && Constants.VALID_PASSWORD.equals(password); + return ( + (Constants.VALID_USERNAME.equals(username) && Constants.VALID_PASSWORD.equals(password)) + || (Constants.VALID_USERNAME2.equals(username) && Constants.VALID_PASSWORD2.equals(password)) + ); } /** @@ -95,7 +98,10 @@ public class TrivialSecurityRealm extends SimpleSecurityRealmBase { * @return true if the user is in the role, false otherwise */ public boolean isUserInRole(String username, String role) { - return Constants.VALID_USERNAME.equals(username) && Constants.VALID_ROLE.equals(role); + return ( + (Constants.VALID_USERNAME.equals(username) || Constants.VALID_USERNAME2.equals(username)) + && Constants.VALID_ROLE.equals(role) + ); } /** diff --git a/src/share/org/securityfilter/authenticator/FormAuthenticator.java b/src/share/org/securityfilter/authenticator/FormAuthenticator.java index 7b4204a..aa1fe2c 100644 --- a/src/share/org/securityfilter/authenticator/FormAuthenticator.java +++ b/src/share/org/securityfilter/authenticator/FormAuthenticator.java @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/authenticator/FormAuthenticator.java,v 1.1 2003/07/07 13:12:56 maxcooper Exp $ - * $Revision: 1.1 $ - * $Date: 2003/07/07 13:12:56 $ + * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/authenticator/FormAuthenticator.java,v 1.2 2003/10/25 10:49:03 maxcooper Exp $ + * $Revision: 1.2 $ + * $Date: 2003/10/25 10:49:03 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 @@ -68,7 +68,7 @@ import java.security.Principal; * FormAuthenticator - authenticator implementation for the FORM auth method. * * @author Max Cooper (max@maxcooper.com) - * @version $Revision: 1.1 $ $Date: 2003/07/07 13:12:56 $ + * @version $Revision: 1.2 $ $Date: 2003/10/25 10:49:03 $ */ public class FormAuthenticator implements Authenticator { @@ -144,9 +144,12 @@ public class FormAuthenticator implements Authenticator { Principal principal = realm.authenticate(username, password); if (principal != null) { // login successful - // invalidate old session if the user was already authenticated - // NOTE: we may want to check if the user re-authenticated as the same user, currently - // the session will be invalidated even if the user authenticates as the same user. + + // invalidate old session if the user was already authenticated, and they logged in as a different user + if (request.getUserPrincipal() != null && !username.equals(request.getRemoteUser())) { + request.getSession().invalidate(); + } + request.setUserPrincipal(principal); String continueToURL = getContinueToURL(request); // This is the url that the user was initially accessing before being prompted for login. diff --git a/src/test/org/securityfilter/test/http/form/PostMethodTest.java b/src/test/org/securityfilter/test/http/form/PostMethodTest.java index d259125..3f8d9c2 100644 --- a/src/test/org/securityfilter/test/http/form/PostMethodTest.java +++ b/src/test/org/securityfilter/test/http/form/PostMethodTest.java @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form/PostMethodTest.java,v 1.3 2003/07/07 13:14:07 maxcooper Exp $ - * $Revision: 1.3 $ - * $Date: 2003/07/07 13:14:07 $ + * $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form/PostMethodTest.java,v 1.4 2003/10/25 10:49:03 maxcooper Exp $ + * $Revision: 1.4 $ + * $Date: 2003/10/25 10:49:03 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 @@ -60,10 +60,10 @@ import org.securityfilter.example.Constants; import org.securityfilter.test.http.TestBase; /** - * LogoutTest - tests the logout functionality. + * PostMethodTest - tests that POSTed parameters are maintained through an authentication sequence. * * @author Max Cooper (max@maxcooper.com) - * @version $Revision: 1.3 $ $Date: 2003/07/07 13:14:07 $ + * @version $Revision: 1.4 $ $Date: 2003/10/25 10:49:03 $ */ public class PostMethodTest extends TestBase { private static final String POST_VALUE = "it works!"; @@ -83,7 +83,7 @@ public class PostMethodTest extends TestBase { * @throws Exception */ public void testKeepPostedParametersThroughLogin() throws Exception { - // load the Home page to get the session manipulation form + // load the Home page to get the POST input form WebRequest request = new GetMethodWebRequest(baseUrl + "/index.jsp"); WebResponse response = session.getResponse(request); @@ -104,8 +104,9 @@ public class PostMethodTest extends TestBase { assertPageTitle(response, Constants.SECURE_TITLE); // make sure the item we submitted is present - TableCell postedValue = (TableCell) response.getElementWithID(Constants.SECURE_POSTED_VALUE_ID); + WebForm form = response.getFormWithName(Constants.SECURE_POSTED_VALUE_FORM); + String postedValue = form.getParameterValue(Constants.SECURE_POSTED_VALUE_FIELD); assertNotNull("POSTed parameter not found in reponse", postedValue); - assertEquals("POSTed parameter did not have the right value", postedValue.asText(), POST_VALUE); + assertEquals("POSTed parameter did not have the right value", postedValue, POST_VALUE); } } diff --git a/src/test/org/securityfilter/test/http/form/SessionInvalidationTest.java b/src/test/org/securityfilter/test/http/form/SessionInvalidationTest.java new file mode 100644 index 0000000..5512e8f --- /dev/null +++ b/src/test/org/securityfilter/test/http/form/SessionInvalidationTest.java @@ -0,0 +1,173 @@ +/* + * $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form/SessionInvalidationTest.java,v 1.1 2003/10/25 10:49:03 maxcooper Exp $ + * $Revision: 1.1 $ + * $Date: 2003/10/25 10:49:03 $ + * + * ==================================================================== + * The SecurityFilter Software License, Version 1.1 + * + * (this license is derived and fully compatible with the Apache Software + * License - see http://www.apache.org/LICENSE.txt) + * + * Copyright (c) 2002 SecurityFilter.org. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The end-user documentation included with the redistribution, + * if any, must include the following acknowledgment: + * "This product includes software developed by + * SecurityFilter.org (http://www.securityfilter.org/)." + * Alternately, this acknowledgment may appear in the software itself, + * if and wherever such third-party acknowledgments normally appear. + * + * 4. The name "SecurityFilter" must not be used to endorse or promote + * products derived from this software without prior written permission. + * For written permission, please contact license@securityfilter.org . + * + * 5. Products derived from this software may not be called "SecurityFilter", + * nor may "SecurityFilter" appear in their name, without prior written + * permission of SecurityFilter.org. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * ==================================================================== + */ + +package org.securityfilter.test.http.form; + +import com.meterware.httpunit.*; +import org.securityfilter.example.Constants; +import org.securityfilter.test.http.TestBase; + +/** + * SessionInvalidationTest - tests the logout functionality. + * + * @author Max Cooper (max@maxcooper.com) + * @version $Revision: 1.1 $ $Date: 2003/10/25 10:49:03 $ + */ +public class SessionInvalidationTest extends TestBase { + private static final String POST_VALUE_1 = "post1"; + private static final String POST_VALUE_2 = "post2"; + + /** + * Constructor + * + * @param name + */ + public SessionInvalidationTest(String name) { + super(name); + } + + /** + * Test that the session is kept if the user spontaneously logs in again with the same username. + * + * @throws Exception + */ + public void testKeepSessionForSameUser() throws Exception { + + // login + WebConversation session = new WebConversation(); + WebRequest request = new PostMethodWebRequest(baseUrl + "/j_security_check"); + request.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); + request.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); + WebResponse response = session.getResponse(request); + + // post the first value + request = new GetMethodWebRequest(baseUrl + "/index.jsp"); + response = session.getResponse(request); + WebForm sessionForm = response.getFormWithID(Constants.HOME_FORM_ID); + sessionForm.setParameter(Constants.HOME_POST_FIELD, POST_VALUE_1); + response = sessionForm.submit(); + + // login again as the same user in the same session + request = new PostMethodWebRequest(baseUrl + "/j_security_check"); + request.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); + request.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); + response = session.getResponse(request); + + // post the second value + request = new GetMethodWebRequest(baseUrl + "/index.jsp"); + response = session.getResponse(request); + sessionForm = response.getFormWithID(Constants.HOME_FORM_ID); + sessionForm.setParameter(Constants.HOME_POST_FIELD, POST_VALUE_2); + response = sessionForm.submit(); + + // make sure the response leads us to secure page + assertPageTitle(response, Constants.SECURE_TITLE); + + // ensure that both the first and second POSTed values appear on the secure page + WebForm form = response.getFormWithName(Constants.SECURE_POSTED_VALUE_FORM); + String firstPostedValue = form.getParameterValue(Constants.SECURE_LAST_POSTED_VALUE_FIELD); + assertNotNull("First POSTed parameter not found in reponse", firstPostedValue); + assertEquals("First POSTed parameter did not have the right value", firstPostedValue, POST_VALUE_1); + String secondPostedValue = form.getParameterValue(Constants.SECURE_POSTED_VALUE_FIELD); + assertNotNull("Second POSTed parameter not found in reponse", secondPostedValue); + assertEquals("Second POSTed parameter did not have the right value", secondPostedValue, POST_VALUE_2); + } + + /** + * Test that the session is invalidated if the user spontaneously logs in again with a different username. + * + * @throws Exception + */ + public void testInvaidateSessionForDifferentUser() throws Exception { + + // login + WebConversation session = new WebConversation(); + WebRequest request = new PostMethodWebRequest(baseUrl + "/j_security_check"); + request.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); + request.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); + WebResponse response = session.getResponse(request); + + // post the first value + request = new GetMethodWebRequest(baseUrl + "/index.jsp"); + response = session.getResponse(request); + WebForm sessionForm = response.getFormWithID(Constants.HOME_FORM_ID); + sessionForm.setParameter(Constants.HOME_POST_FIELD, POST_VALUE_1); + response = sessionForm.submit(); + + // login again as a different user in the same session + request = new PostMethodWebRequest(baseUrl + "/j_security_check"); + request.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME2); + request.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD2); + response = session.getResponse(request); + + // post the second value + request = new GetMethodWebRequest(baseUrl + "/index.jsp"); + response = session.getResponse(request); + sessionForm = response.getFormWithID(Constants.HOME_FORM_ID); + sessionForm.setParameter(Constants.HOME_POST_FIELD, POST_VALUE_2); + response = sessionForm.submit(); + + // make sure the response leads us to secure page + assertPageTitle(response, Constants.SECURE_TITLE); + + // ensure that both the first and second POSTed values appear on the secure page + WebForm form = response.getFormWithName(Constants.SECURE_POSTED_VALUE_FORM); + String firstPostedValue = form.getParameterValue(Constants.SECURE_LAST_POSTED_VALUE_FIELD); + assertNull("First POSTed parameter found in response, but it shouldn't be there", firstPostedValue); + String secondPostedValue = form.getParameterValue(Constants.SECURE_POSTED_VALUE_FIELD); + assertNotNull("Second POSTed parameter not found in reponse", secondPostedValue); + assertEquals("Second POSTed parameter did not have the right value", secondPostedValue, POST_VALUE_2); + } +} diff --git a/web/share/securePage.jsp b/web/share/securePage.jsp index 6fcc792..7163626 100644 --- a/web/share/securePage.jsp +++ b/web/share/securePage.jsp @@ -18,12 +18,31 @@ Welcome <%=request.getRemoteUser()%>, you are viewing a secure page. if (postedValue != null) { %>

You POSTed a value from the Home Page!

-The value you posted was: - - - - -
<%=postedValue%>
+
+The value you just posted was: + +<% + String lastPostedValue = (String) session.getAttribute(Constants.SECURE_LAST_POSTED_VALUE_FIELD); + if (lastPostedValue != null) { +%> +The last value you posted in your current session was: + +<% + } + // save the last posted value in the session + session.setAttribute(Constants.SECURE_LAST_POSTED_VALUE_FIELD, postedValue); +%> +
<% } %>