modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java | 24 +++++++--- 1 file changed, 17 insertions(+), 7 deletions(-)
New commits: commit 67a558f849f8f95067f89c230bb0c430053bc63d Author: Simeon Pinder spinder@redhat.com Date: Thu Mar 10 14:06:47 2011 -0500
BZ-682755: change code to eliminate race condition during ldap reg & case insensitive logins
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java
index 3c5cc9e..5d8ea27 100644
--- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java
+++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java
@@ -107,7 +107,7 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
 @EJB
 @IgnoreDependency
 private RepoManagerLocal repoManager;
-
+
 private SessionManager sessionManager = SessionManager.getInstance();
 /**
@@ -369,7 +369,7 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
 Properties config = systemManager.getSystemConfiguration(getOverlord());
 _checkAuthentication(username, password);
-
+
 // User is authenticated!
 Subject subject = getSubjectByName(username);
@@ -423,12 +423,12 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
 public Subject checkAuthentication(String username, String password) {
 try {
 _checkAuthentication(username, password);
- return getSubjectByName(username);
+ return getSubjectByName(username);
 } catch (LoginException e) {
 return null;
 }
 }
-
+
 private void _checkAuthentication(String username, String password) throws LoginException {
 try {
 UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
@@ -442,7 +442,7 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
 throw new LoginException(e.getMessage());
 }
 }
-
+
 /**This method is applied to Subject instances that may require LDAP auth/authz processing.
 * Called from both SLSB and SubjectGWTServiceImpl and:
 * -if Subject passed in has Principal(not LDAP account) then we immediately return Subject as no processing needed.
@@ -474,7 +474,17 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
 if (ldapConfigured) {//we can proceed with LDAP checking
 //check that session is valid. RHQ auth has already occurred. Security check required to initiate following
- if (!isValidSessionId(subject.getSessionId(), subject.getName(), subject.getId())) {
+ //spinder BZ:682755: 3/10/11: can't use isValidSessionId() as it also compares subject.id which is changing during case insensitive
+ // and new registration. This worked before because HTTP get took longer to invalidate sessions.
+ Subject sessionSubject = null;
+ try {
+ sessionSubject = sessionManager.getSubject(subject.getSessionId());
+ } catch (SessionNotFoundException e) {
+ throw new LoginException("User session not valid. Login to proceed.");
+ } catch (SessionTimeoutException e) {
+ throw new LoginException("User session not valid. Login to proceed.");
+ }
+ if (!subject.getName().equals(sessionSubject.getName())) {
 throw new LoginException("User session not valid. Login to proceed.");
 }
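Review bot: The new guard binds the caller-supplied `subject` to its session by name alone, whereas the removed `isValidSessionId(...)` call also compared `subject.getId()`, so anything after this hunk that trusts `subject.getId()` (or other fields of the passed-in object) for authorization is now trusting unverified caller input — prefer reading those values from `sessionSubject`, or state in the comment why the name is a sufficient binding. The commit title mentions case-insensitive logins but the comparison is a case-sensitive `equals`; if the stored session name can differ in case from the caller's `subject.getName()`, valid sessions would be rejected here, which is worth confirming. The author/date stamp belongs to the VCS; a comment stating the invariant reads better, e.g. `// Compare session id + name only: the subject id is rewritten during case-insensitive login and LDAP registration, so it cannot be checked here.` The two identical catch blocks discard the original exception; collapse them into one multi-catch if the project is on Java 7+, and attach the cause with `initCause(e)` so diagnostics keep the not-found vs. timeout distinction. `Subject sessionSubject = null;` needs no initializer since both catch paths throw, and the enclosing method begins and ends outside this hunk.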
@@ -760,7 +770,7 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
 alertNotificationManager.cleanseAlertNotificationBySubject(doomedSubject.getId());
 repoManager.removeOwnershipOfSubject(doomedSubject.getId());
-
+
 entityManager.remove(doomedSubject);
return;