Merge pull request #7111 from GlobalDataverseCommunityConsortium/IQSS/3254

kcondon · web-flow · commit 78527a291e35 · 2020-07-31T11:25:53.000-04:00
adding support for changing sessionId at login
diff --git a/src/main/java/edu/harvard/iq/dataverse/DataverseSession.java b/src/main/java/edu/harvard/iq/dataverse/DataverseSession.java
@@ -6,6 +6,7 @@
 import edu.harvard.iq.dataverse.actionlogging.ActionLogServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.GuestUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
+import edu.harvard.iq.dataverse.util.SessionUtil;
 import edu.harvard.iq.dataverse.util.SystemConfig;
 import java.io.IOException;
 import java.io.Serializable;
@@ -61,7 +62,8 @@ public void setUser(User aUser) {
         logSvc.log( 
                 new ActionLogRecord(ActionLogRecord.ActionType.SessionManagement,(aUser==null) ? "logout" : "login")
                     .setUserIdentifier((aUser!=null) ? aUser.getIdentifier() : (user!=null ? user.getIdentifier() : "") ));
-        
+        //#3254 - change session id when user changes
+        SessionUtil.changeSessionId((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest());
         this.user = aUser;
     }
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/LoginPage.java b/src/main/java/edu/harvard/iq/dataverse/LoginPage.java
@@ -13,6 +13,8 @@
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.JsfHelper;
+import edu.harvard.iq.dataverse.util.SessionUtil;
+
 import static edu.harvard.iq.dataverse.util.JsfHelper.JH;
 import edu.harvard.iq.dataverse.util.SystemConfig;
 import java.io.UnsupportedEncodingException;
@@ -29,6 +31,7 @@
 import javax.faces.view.ViewScoped;
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 
 /**
  *
@@ -169,7 +172,6 @@ public String login() {
             logger.log(Level.FINE, "User authenticated: {0}", r.getEmail());
             session.setUser(r);
             session.configureSessionTimeout();
-            
             if ("dataverse.xhtml".equals(redirectPage)) {
                 redirectPage = redirectToRoot();
             }
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/SessionUtil.java b/src/main/java/edu/harvard/iq/dataverse/util/SessionUtil.java
@@ -0,0 +1,32 @@
+package edu.harvard.iq.dataverse.util;
+
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map.Entry;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+public class SessionUtil {
+
+    /**
+	 * Changes the session id (jsessionId) - for use when the session's authority increases (i.e. at login)
+	 * Servlet 3.1 Note: This method is needed while using Servlets 2.0. 3.1 has a HttpServletRequest.chageSessionId(); method that can be used instead.
+	 * 
+	 * @param h the current HttpServletRequest
+     * e.g. for pages you can get this from (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
+     */
+    public static void changeSessionId(HttpServletRequest h) {
+        HttpSession session = h.getSession(false);
+        HashMap<String, Object> sessionAttributes = new HashMap<String,Object>();
+        for(Enumeration<String> e = session.getAttributeNames();e.hasMoreElements();) {
+        	String name = e.nextElement();
+        	sessionAttributes.put(name, session.getAttribute(name));
+        }
+        h.getSession().invalidate();
+        session = h.getSession(true);
+        for(Entry<String, Object> entry: sessionAttributes.entrySet()) {
+        	session.setAttribute(entry.getKey(), entry.getValue());
+        }
+    }
+}
