fix another problem in session database

3 files changed, 116 insertions, 64 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 34b250bf0..f718777b0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -59,6 +59,7 @@ import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
 import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
@@ -107,52 +108,77 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
 	
 	public void performSingleLogOut(HttpServletRequest httpReq,
-	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {
+	HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {
 		performSingleLogOut(httpReq, httpResp, session, pvpReq, null);
 		
 	}
 	
 	public void performSingleLogOut(HttpServletRequest httpReq,
-	HttpServletResponse httpResp, AuthenticationSession session, String authURL) throws MOAIDException {
+	HttpServletResponse httpResp, IAuthenticationSession session, String authURL) throws MOAIDException {
 		performSingleLogOut(httpReq, httpResp, session, null, authURL);
 		
 	}
 	
+	/**
+	 * @param req
+	 * @param resp
+	 * @param moasessionid
+	 */
+	public void performOnlyIDPLogOut(AuthenticationSession authSession) {
+		
+		if (authSession == null) {
+			Logger.info("No internal MOA SSO-Session found. Nothing to destroy");
+			return;
+			
+		}
+		
+		try {
+									
+			authSession.setAuthenticated(false);
+			//HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, null); // remove moa session from HTTP Session
+
+			//log Session_Destroy to reversionslog
+			AuthenticationSessionExtensions sessionExtensions = authenticatedSessionStore.getAuthenticationSessionExtensions(authSession.getSessionID());
+			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId());
+			
+			authenticatedSessionStore.destroyInternalSSOSession(authSession.getSessionID());
+			
+			//session.invalidate();
+		
+		} catch (MOADatabaseException e) {
+			Logger.info("NO MOA Authentication data for ID " + authSession.getSessionID());
+			return;
+		}
+		
+	}
+	
+	
 	public void performOnlyIDPLogOut(HttpServletRequest request,
-			HttpServletResponse response, String moaSessionID) {
+			HttpServletResponse response, String internalMOASsoSessionID) {
 		Logger.info("Remove active user-session");
 
-		if(moaSessionID == null) {
-			moaSessionID = (String) request.getParameter(PARAM_SESSIONID);
+		if(internalMOASsoSessionID == null) {
+			internalMOASsoSessionID = (String) request.getParameter(PARAM_SESSIONID);
 		}
 		
-		if(moaSessionID == null) {
+		if(internalMOASsoSessionID == null) {
 			Logger.info("NO MOA Session to logout");
 			return;
 		}
 		
 		AuthenticationSession authSession;
 		try {
-			authSession = authenticatedSessionStore.getSession(moaSessionID);
+			authSession = authenticatedSessionStore.getInternalSSOSession(internalMOASsoSessionID);
 
 			if(authSession == null) {
-				Logger.info("NO MOA Authentication data for ID " + moaSessionID);
+				Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID);
 				return;
 			}
-			
-			authSession.setAuthenticated(false);
-			//HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, null); // remove moa session from HTTP Session
-
-			//log Session_Destroy to reversionslog
-			AuthenticationSessionExtensions sessionExtensions = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSessionID);
-			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId());
-			
-			authenticatedSessionStore.destroySession(moaSessionID);
-			
-			//session.invalidate();
-		
+						
+			performOnlyIDPLogOut(authSession);
+					
 		} catch (MOADatabaseException e) {
-			Logger.info("NO MOA Authentication data for ID " + moaSessionID);
+			Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID);
 			return;
 		}
 
@@ -200,7 +226,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO_INVALID);
 				
-				authenticatedSessionStore.destroySession(correspondingMOASession);
+				//destroy internal SSO-session object and SSO-session cooky
+				authenticatedSessionStore.destroyInternalSSOSession(correspondingMOASession);
 				ssoManager.deleteSSOSessionID(httpReq, httpResp);
 			}
 		}
@@ -224,12 +251,11 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		pendingReq.setNeedSingleSignOnFunctionality(isSSOAllowed);
 						
 		//get MOASession from SSO-Cookie if SSO is allowed
-		AuthenticationSession moaSession = null;
+		AuthenticationSession ssoMOASession = null;
 		if (isValidSSOSession && isSSOAllowed) {
-			String moasessionID = ssoManager.getMOASession(ssoId);
-			moaSession = authenticatedSessionStore.getSession(moasessionID);
+			ssoMOASession = ssoManager.getInternalMOASession(ssoId);
 			
-			if (moaSession == null)
+			if (ssoMOASession == null)
 				Logger.info("No MOASession FOUND with provided SSO-Cookie.");
 			
 			else {
@@ -240,8 +266,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		}
 						
 		//check if session is already authenticated
-		boolean isSessionAuthenticated = tryPerformAuthentication((RequestImpl) pendingReq, moaSession);
-				
+		boolean isSessionAuthenticated = tryPerformAuthentication((RequestImpl) pendingReq, ssoMOASession);
+
 		//force new authentication authentication process
 		if (pendingReq.forceAuth()) {	
 			startAuthenticationProcess(httpReq, httpResp, pendingReq);
@@ -256,7 +282,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			if (isSessionAuthenticated) {
 				// Passive authentication ok!
 				revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED);
-				return moaSession;
+				return ssoMOASession;
 				
 			} else {				
 				throw new NoPassivAuthenticationException();
@@ -267,7 +293,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 				// Is authenticated .. proceed
 				revisionsLogger.logEvent(oaParam, 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED);
-				return moaSession;
+				return ssoMOASession;
 				
 			} else {
 				// Start authentication!
@@ -286,29 +312,30 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	 * @return true if session is already authenticated, otherwise false
 	 * @throws MOAIDException 
 	 */
-	private boolean tryPerformAuthentication(RequestImpl protocolRequest, AuthenticationSession moaSession) {
+	private boolean tryPerformAuthentication(RequestImpl protocolRequest, AuthenticationSession ssoMOASession) {
 
 		//if no MOASession exist -> authentication is required
-		if (moaSession == null) {
+		if (ssoMOASession == null) {
 			return false;
 			
 		} else {
-			//if MOASession is Found but not authenticated --> authentication is required
-			if (!moaSession.isAuthenticated()) {
+			//if MOA SSO-Session is found but not authenticated --> authentication is required
+			if (!ssoMOASession.isAuthenticated()) {
 				return false;
 			}
 			
 			//if MOASession is already authenticated and protocol-request is authenticated 
 			//  --> no authentication is required any more
-			else if (moaSession.isAuthenticated() && protocolRequest.isAuthenticated()) {
+			else if (ssoMOASession.isAuthenticated() && protocolRequest.isAuthenticated()) {
+				protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID());
 				return true;
 
 			// if MOASession is authenticated and SSO is allowed --> authenticate pendingRequest
 			} else if (!protocolRequest.isAuthenticated() 
-					&& moaSession.isAuthenticated() && protocolRequest.needSingleSignOnFunctionality()) {
+					&& ssoMOASession.isAuthenticated() && protocolRequest.needSingleSignOnFunctionality()) {
 				Logger.debug("Found active MOASession and SSO is allowed --> pendingRequest is authenticted");
 				protocolRequest.setAuthenticated(true);
-				protocolRequest.setMOASessionIdentifier(moaSession.getSessionID());
+				protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID());
 				return true;
 				
 			}
@@ -336,19 +363,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 
 		//check legacy request parameter 
 		boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(httpReq);
-		
-		//create MOASession object
-		AuthenticationSession moasession;
-		try {
-			moasession = authenticatedSessionStore.createSession(pendingReq);
-			pendingReq.setMOASessionIdentifier(moasession.getSessionID());
-			
-		} catch (MOADatabaseException e1) {
-			Logger.error("Database Error! MOASession can not be created!");
-			throw new MOAIDException("init.04", new Object[] {});
-			
-		}
-		
+				
 		//create authentication process execution context
 		ExecutionContext executionContext = new ExecutionContextImpl();
 		
@@ -441,7 +456,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	}
 	
 	private void performSingleLogOut(HttpServletRequest httpReq,
-	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException {		
+	HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException {		
 		String pvpSLOIssuer = null;
 		String inboundRelayState = null;
 		String uniqueSessionIdentifier = "notSet";
@@ -491,7 +506,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		
 		//terminate MOASession
 		try {			
-			authenticatedSessionStore.destroySession(session.getSessionID());
+			authenticatedSessionStore.destroyInternalSSOSession(session.getSessionID());
 			ssoManager.deleteSSOSessionID(httpReq, httpResp);
 			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, uniqueSessionIdentifier);
 
@@ -663,4 +678,5 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			e.printStackTrace();
 		}				
 	}
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index ffc6012c9..b612352c6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -26,6 +26,7 @@ import java.io.Serializable;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Collection;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -35,10 +36,14 @@ import javax.servlet.http.HttpServletRequest;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
 import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.data.AuthProzessDataConstants;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
@@ -67,8 +72,8 @@ public abstract class RequestImpl implements IRequest, Serializable{
 	private String action = null;
 	
 	private String requestID;
-	private String moaSessionIdentifier;
 	private String processInstanceId;
+	private String ssoMoaSessionId;
 	
 	private String uniqueTransactionIdentifer;
 	private String uniqueSessionIdentifer;
@@ -91,6 +96,8 @@ public abstract class RequestImpl implements IRequest, Serializable{
 		
 	private Map<String, Object> genericDataStorage = new HashMap<String, Object>();
 	
+	private IAuthenticationSession moaSSOSessionContainer = null;
+	
 	 	
 	/**
 	 * @throws ConfigurationException 
@@ -99,11 +106,14 @@ public abstract class RequestImpl implements IRequest, Serializable{
 	public final void initialize(HttpServletRequest req) throws ConfigurationException {				
 		//set requestID
 		requestID = Random.nextLongRandom();
-		
+				
 		//set unique transaction identifier for logging
 		uniqueTransactionIdentifer = Random.nextLongRandom();		
 		TransactionIDUtils.setTransactionId(uniqueTransactionIdentifer);
 		
+		//initialize session object
+		genericDataStorage.put(AuthProzessDataConstants.VALUE_CREATED, new Date());
+		genericDataStorage.put(AuthProzessDataConstants.VALUE_SESSIONID, Random.nextLongRandom());
 		
 		//check if End-Point is valid		
 		String authURLString = HTTPUtils.extractAuthURLFromRequest(req);
@@ -247,16 +257,41 @@ public abstract class RequestImpl implements IRequest, Serializable{
 		return requestID;
 	}
 	
-	public String getMOASessionIdentifier() {
-		return this.moaSessionIdentifier;
+	public String getInternalSSOSessionIdentifier() {
+		return this.ssoMoaSessionId;
+	}
+	
+	/**
+	 * Set the internal SSO session identifier, which associated with this pending request
+	 * 
+	 * @param internalSSOSessionId 
+	 */
+	public void setInternalSSOSessionIdentifier(String internalSSOSessionId) {
+		this.ssoMoaSessionId = internalSSOSessionId;
 		
 	}
 	
-	public void setMOASessionIdentifier(String moaSessionIdentifier) {
-		this.moaSessionIdentifier = moaSessionIdentifier;
+	public IAuthenticationSession getMOASession() {
+		//if SSO session information are set, use this
+		if (moaSSOSessionContainer != null)
+			return moaSSOSessionContainer;
 		
+		else
+			return new AuthenticationSessionWrapper(genericDataStorage);
+				
 	}
 	
+	public void populateMOASessionWithSSOInformation(IAuthenticationSession ssoSession) {
+		if (ssoSession instanceof AuthenticationSession) {
+			moaSSOSessionContainer = ssoSession;
+						
+		} else 
+			throw new IllegalStateException("Session information can only be populated with SSO information from database");
+		
+		
+	}
+	
+	
 	public IOAAuthParameters getOnlineApplicationConfiguration() {
 		return this.OAConfiguration;
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index c27012ba9..557d9af48 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -157,7 +158,7 @@ public class SSOManager {
 					} else {
 						Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ...");
 						try {
-							authenticatedSessionStore.destroySession(storedSession.getSessionid());
+							authenticatedSessionStore.destroyInternalSSOSession(storedSession.getSessionid());
 							
 						} catch (MOADatabaseException e) {
 							Logger.error("Delete MOASession with ID:" + storedSession.getSessionid() + " FAILED!" , e);
@@ -175,8 +176,8 @@ public class SSOManager {
 		
 	}
 	
-	public String getMOASession(String ssoSessionID) {
-		return authenticatedSessionStore.getMOASessionSSOID(ssoSessionID);
+	public AuthenticationSession getInternalMOASession(String ssoSessionID) throws MOADatabaseException {
+		return authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoSessionID);
 		
 	}
 	
@@ -184,9 +185,9 @@ public class SSOManager {
 	public String getUniqueSessionIdentifier(String ssoSessionID) {
 		try {
 			if (MiscUtil.isNotEmpty(ssoSessionID)) {			
-				String moaSessionID = authenticatedSessionStore.getMOASessionSSOID(ssoSessionID);
-				if (MiscUtil.isNotEmpty(moaSessionID)) {
-					AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSessionID);
+				AuthenticationSession moaSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoSessionID);
+				if (moaSession != null) {
+					AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSession.getSessionID());
 						return extSessionInformation.getUniqueSessionId();
 			
 				}