diff --git a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java index dc8b00bb87..6bf56a8663 100644 --- a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java +++ b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java @@ -46,9 +46,8 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism { public static final String LOCATION_ATTRIBUTE = FormAuthenticationMechanism.class.getName() + ".LOCATION"; - public static final String DEFAULT_POST_LOCATION = "/j_security_check"; - + protected static final String ORIGINAL_SESSION_TIMEOUT = "io.undertow.servlet.form.auth.orig.session.timeout";; private final String name; private final String loginPage; private final String errorPage; @@ -56,6 +55,13 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism { private final FormParserFactory formParserFactory; private final IdentityManager identityManager; + /** + * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + * exist before the authentication process starts will retain their original session timeout throughout. + */ + protected final int authenticationSessionTimeout = 120; + public FormAuthenticationMechanism(final String name, final String loginPage, final String errorPage) { this(FormParserFactory.builder().build(), name, loginPage, errorPage); } 
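Review bot: The new constant line ends in a doubled semicolon, `"io.undertow.servlet.form.auth.orig.session.timeout";;` — the stray `;` compiles as an empty declaration but reads as a typo and should be dropped. The attribute's purpose is not documented anywhere in the hunk; a comment such as `// session attribute holding the max-inactive interval in force before it was capped for the login flow; restored in handleRedirectBack` would tell the next reader what the key is for and where its lifecycle ends. The enclosing class continues outside the hunk.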
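Review bot: `authenticationSessionTimeout` is a `final` instance field fixed at `120`, so neither a subclass nor a deployment can tune the cap even though the field is `protected` and its Javadoc describes it as policy. A constructor parameter with a default, or a non-final field backed by a `static final DEFAULT_AUTHENTICATION_SESSION_TIMEOUT = 120` constant, would make it configurable without changing existing callers. The Javadoc should also state that sessions whose configured timeout is already at or below the cap are left untouched, which is what the storeInitialLocation hunks later in this diff do. The class body continues outside the hunk.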
@@ -166,6 +172,10 @@ public AuthenticationMechanismOutcome runFormAuth(final HttpServerExchange excha
 protected void handleRedirectBack(final HttpServerExchange exchange) {
 final Session session = Sessions.getSession(exchange);
 if (session != null) {
+ final Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
+ if (originalSessionTimeout != null) {
+ session.setMaxInactiveInterval(originalSessionTimeout);
+ }
 final String location = (String) session.removeAttribute(LOCATION_ATTRIBUTE);
 if(location != null) {
 exchange.addDefaultResponseListener(new DefaultResponseListener() {
@@ -208,7 +218,19 @@ public ChallengeResult sendChallenge(final HttpServerExchange exchange, final Se
 }
 protected void storeInitialLocation(final HttpServerExchange exchange) {
- Session session = Sessions.getOrCreateSession(exchange);
+ Session session = Sessions.getSession(exchange);
+ boolean newSession = false;
+ if (session == null) {
+ session = Sessions.getOrCreateSession(exchange);
+ newSession = true;
+ }
+ if (newSession) {
+ int originalMaxInactiveInterval = session.getMaxInactiveInterval();
+ if (originalMaxInactiveInterval > authenticationSessionTimeout) {
+ session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
+ session.setMaxInactiveInterval(authenticationSessionTimeout);
+ }
+ }
 session.setAttribute(LOCATION_ATTRIBUTE, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
 }
diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
index 515d231d70..1ad22fa239 100644
--- a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+++ b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
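Review bot: The four restore lines added at the top of the `if (session != null)` branch carry no comment saying why the interval is being reset here, and the same four lines are repeated in the servlet subclass's handleRedirectBack at the end of this diff. A one-line comment, `// authentication completed: undo the cap applied in storeInitialLocation`, plus a protected helper in this class (for example `restoreOriginalSessionTimeout(Session)`) that both versions call would keep the two copies from drifting. The `(Integer)` cast on `removeAttribute` is unchecked, so any other code storing a non-Integer under that attribute name turns a successful login into a ClassCastException; `if (value instanceof Integer) { ... }` is a cheaper guard than the cast. handleRedirectBack continues past the end of the hunk.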
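Review bot: The guard `if (originalMaxInactiveInterval > authenticationSessionTimeout)` leaves a non-positive interval untouched, and in the Servlet API (and, as far as I can tell, Undertow's own session implementation) a non-positive max-inactive interval means the session never expires — exactly the sessions this change is meant to bound, since they are created for clients that have not authenticated. The cap should therefore also apply when the original interval is `<= 0`; separately, the `newSession` flag is redundant with the `if (session == null)` branch, and the attribute should store the local already read rather than calling `session.getMaxInactiveInterval()` a second time. The servlet storeInitialLocation hunk later in this diff has the same guard and the same repetition, so a protected helper here would let the subclass reuse it; sketch below.
```java
    protected void storeInitialLocation(final HttpServerExchange exchange) {
        Session session = Sessions.getSession(exchange);
        if (session == null) {
            // session created only for the login flow: bound its lifetime until authentication completes
            session = Sessions.getOrCreateSession(exchange);
            applyAuthenticationSessionTimeout(session);
        }
        session.setAttribute(LOCATION_ATTRIBUTE, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
    }

    /**
     * Caps the max-inactive interval of a session created before authentication to
     * {@code authenticationSessionTimeout}, remembering the original value under
     * {@code ORIGINAL_SESSION_TIMEOUT} so that handleRedirectBack can restore it.
     */
    protected void applyAuthenticationSessionTimeout(final Session session) {
        final int original = session.getMaxInactiveInterval();
        // NOTE(review): a non-positive interval is assumed to mean "never expires" — confirm against the session manager
        if (original <= 0 || original > authenticationSessionTimeout) {
            session.setAttribute(ORIGINAL_SESSION_TIMEOUT, original);
            session.setMaxInactiveInterval(authenticationSessionTimeout);
        }
    }
```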
@@ -32,6 +32,7 @@ import io.undertow.servlet.handlers.ServletRequestContext;
 import io.undertow.servlet.spec.HttpSessionImpl;
 import io.undertow.servlet.util.SavedRequest;
+import io.undertow.servlet.spec.ServletContextImpl;
 import io.undertow.util.Headers;
 import io.undertow.util.RedirectBuilder;
@@ -195,13 +196,26 @@ protected void storeInitialLocation(final HttpServerExchange exchange, byte[] by
 return;
 }
 final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
- HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
+ final ServletContextImpl servletContextImpl = servletRequestContext.getCurrentServletContext();
+ HttpSessionImpl httpSession = servletContextImpl.getSession(exchange, false);
+ boolean newSession = false;
+ if (httpSession == null) {
+ httpSession = servletContextImpl.getSession(exchange, true);
+ newSession = true;
+ }
 Session session;
 if (System.getSecurityManager() == null) {
 session = httpSession.getSession();
 } else {
 session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
 }
+ if (newSession) {
+ int originalMaxInactiveInterval = session.getMaxInactiveInterval();
+ if (originalMaxInactiveInterval > authenticationSessionTimeout) {
+ session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
+ session.setMaxInactiveInterval(authenticationSessionTimeout);
+ }
+ }
 SessionManager manager = session.getSessionManager();
 if (seenSessionManagers.add(manager)) {
 manager.registerSessionListener(LISTENER);
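Review bot: The `if (newSession)` block after the session unwrap duplicates the core storeInitialLocation logic line for line, including the `> authenticationSessionTimeout` guard that skips non-positive (never-expiring) intervals raised on the core hunk; with a protected helper in FormAuthenticationMechanism this reduces to `if (newSession) { applyAuthenticationSessionTimeout(session); }`. Unlike the core version, the flag is genuinely needed here because the Undertow `Session` is only available after the unwrap, so a comment such as `// the Undertow session is only reachable after the unwrap, hence the flag` would explain why the cap is not folded into the `if (httpSession == null)` branch. The added import `io.undertow.servlet.spec.ServletContextImpl` is also placed after `io.undertow.servlet.util.SavedRequest`, out of the file's alphabetical order; it belongs next to `HttpSessionImpl`. storeInitialLocation starts before and continues after this hunk.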
@@ -226,6 +240,10 @@ protected void handleRedirectBack(final HttpServerExchange exchange) {
 } else {
 session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
 }
+ Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
+ if (originalSessionTimeout != null) {
+ session.setMaxInactiveInterval(originalSessionTimeout);
+ }
 String path = (String) session.getAttribute(SESSION_KEY);
 if ((path == null || overrideInitial) && defaultPage != null) {
 path = defaultPage;