From 7008b0cb31761563c268ebcb53b13e32333fd931 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 11 Sep 2014 07:51:25 +0200 Subject: add exact timeout validation for SSO sessions --- .../id/auth/servlet/IDPSingleLogOutServlet.java | 33 +++++++++++----------- .../gv/egovernment/moa/id/moduls/SSOManager.java | 16 +++++++++-- 2 files changed, 30 insertions(+), 19 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index a7ec4dcb6..c08d77f12 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -97,32 +97,31 @@ public class IDPSingleLogOutServlet extends AuthServlet { return; - } else if (MiscUtil.isNotEmpty(ssoid)) { - if (ssomanager.isValidSSOSession(ssoid, null)) { + } else if (MiscUtil.isNotEmpty(ssoid)) { + try { + if (ssomanager.isValidSSOSession(ssoid, null)) { - AuthenticationManager authmanager = AuthenticationManager.getInstance(); - String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); + AuthenticationManager authmanager = AuthenticationManager.getInstance(); + String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); - if (MiscUtil.isNotEmpty(moaSessionID)) { - AuthenticationSession authSession; - try { - authSession = AuthenticationSessionStoreage + if (MiscUtil.isNotEmpty(moaSessionID)) { + AuthenticationSession authSession = AuthenticationSessionStoreage .getSession(moaSessionID); if(authSession != null) { authmanager.performSingleLogOut(req, resp, authSession, null); return; } - - } catch (MOADatabaseException e) { - //TODO: insert error Handling - - } catch (MOAIDException e) { - // TODO Auto-generated catch block - e.printStackTrace(); } - } - } + } + } catch (MOADatabaseException e) { + //TODO: insert error Handling + e.printStackTrace(); + + } catch (MOAIDException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } } else if (restartProcessObj != null && restartProcessObj instanceof String) { String restartProcess = (String) restartProcessObj; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index ca3117a79..ff294dc3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -31,6 +31,7 @@ import java.io.InputStreamReader; import java.io.Reader; import java.io.StringWriter; import java.net.URI; +import java.util.Date; import java.util.List; import javax.servlet.http.Cookie; @@ -132,7 +133,7 @@ public class SSOManager { } - public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) { + public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) throws ConfigurationException { // search SSO Session if (ssoSessionID == null) { @@ -144,8 +145,19 @@ public class SSOManager { if (storedSession == null) return false; - + else { + + //check if session is out of lifetime + Date now = new Date(); + long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000; + Date ssoSessionValidTo = new Date(storedSession.getCreated().getTime() + maxSSOSessionTime); + if (now.after(ssoSessionValidTo)) { + Logger.info("Found outdated SSO session information. Start reauthentication process ... "); + return false; + } + + //check if request starts an interfederated SSO session if (protocolRequest != null && protocolRequest instanceof RequestImpl && storedSession.isInterfederatedSSOSession() && -- cgit v1.2.3