Example usage for javax.servlet.http HttpServletRequest logout

List of usage examples for javax.servlet.http HttpServletRequest logout

Introduction

In this page you can find the example usage for javax.servlet.http HttpServletRequest logout.

Prototype

public void logout() throws ServletException;

Source Link

Document

Establish null as the value returned when getUserPrincipal, getRemoteUser, and getAuthType is called on the request.

Usage

From source file:com.castlemock.war.config.SecurityInterceptor.java

/**
 * The method will check if the logged in user is still valid.
 * @param request The incoming request.//from w w  w  .ja  v  a2  s .  c  om
 * @param response The outgoing response
 * @param handler The handler contains information about the method and controller that will process the incoming request
 * @return Returns true if the logged in users information is still valid. Returns false if the user is not valid
 * @throws IOException Upon unable to send a redirect as a response
 * @throws ServletException Upon unable to logout the user
 */
@Override
public boolean preHandle(final HttpServletRequest request, final HttpServletResponse response,
        final Object handler) throws IOException, ServletException {
    final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null || !authentication.isAuthenticated()) {
        return true;
    }

    final String loggedInUsername = authentication.getName();
    if (ANONYMOUS_USER.equals(loggedInUsername)) {
        return true;
    }

    final ReadUserByUsernameInput readUserByUsernameInput = new ReadUserByUsernameInput(loggedInUsername);
    final ReadUserByUsernameOutput readUserByUsernameOutput = serviceProcessor.process(readUserByUsernameInput);
    final UserDto loggedInUser = readUserByUsernameOutput.getUser();
    if (loggedInUser == null) {
        LOGGER.info("The following logged in user is not valid anymore: " + loggedInUsername);
        request.logout();
        response.sendRedirect(request.getContextPath());
        return false;
    } else if (!Status.ACTIVE.equals(loggedInUser.getStatus())) {
        LOGGER.info("The following logged in user is not active anymore: " + loggedInUsername);
        request.logout();
        response.sendRedirect(request.getContextPath());
        return false;
    } else {
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            Role role = Role.valueOf(grantedAuthority.getAuthority());
            if (!loggedInUser.getRole().equals(role)) {
                LOGGER.info("The following logged in user's authorities has been updated: " + loggedInUsername);
                final UserDetails userDetails = userDetailSecurityService.loadUserByUsername(loggedInUsername);
                final Authentication newAuthentication = new UsernamePasswordAuthenticationToken(userDetails,
                        userDetails.getPassword(), userDetails.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(newAuthentication);
            }
        }
        return true;
    }
}

From source file:photosharing.api.bss.LogoutDefinition.java

/** 
 * redirects the user to the logout SSO to destroy the login tokens and login sessions
 * //w  ww  .  j  ava2s  . com
 * @see photosharing.api.conx.APIDefinition#run(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 */
public void run(HttpServletRequest request, HttpServletResponse response) {
    Configuration config = Configuration.getInstance(request);
    String api = config.getValue(Configuration.BASEURL) + apiUrl;
    try {
        //Invalidating photosharing session on the AppServer and IBM Connections Cloud
        HttpSession session = request.getSession(false);

        if (session != null) {
            logger.info(session.getId() + " is being logged out");

            Request get = Request.Get(api);

            try {
                Executor exec = ExecutorUtil.getExecutor();
                Response apiResponse = exec.execute(get);
                HttpResponse hr = apiResponse.returnResponse();

                /**
                 * Check the status codes and if 200, convert to String
                 */
                int code = hr.getStatusLine().getStatusCode();
                if (code == HttpStatus.SC_OK) {

                } else {
                    logger.log(Level.SEVERE, "Exception Encountered with IBM Connections Cloud Session");
                }

            } catch (IOException e) {
                //Catches Exception Related to a Request
                logger.log(Level.SEVERE, "Exception Encountered");
                response.setHeader("X-Application-Error", className);
                response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);
            }

            //Indvalidates the User's current session and logs them out
            session.invalidate();
            request.logout();

            //Sets the Status to SC_OK (Http Status Code 200) to indicate a successful logout
            response.setStatus(HttpStatus.SC_NO_CONTENT);
        } else {
            //Something bad has happened
            logger.log(Level.SEVERE, "Invalid Request");
            response.setStatus(HttpStatus.SC_BAD_REQUEST);
        }

    } catch (Exception e) {
        logger.log(Level.SEVERE, "Exception Encountered - " + e.toString());

        //Sets the Status to SC_INTERNAL_SERVER_ERROR (Http Status Code 500)
        //Indicates an issue with the Server
        response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);

    }
}

From source file:de.hska.ld.oidc.controller.OIDCController.java

@RequestMapping(method = RequestMethod.POST, value = "/document")
@Transactional(readOnly = false, rollbackFor = RuntimeException.class)
public Document createDocument(HttpServletRequest request, @RequestBody Document document,
        @RequestParam(defaultValue = "https://api.learning-layers.eu/o/oauth2") String issuer,
        @RequestHeader(required = false) String Authorization,
        @RequestParam(required = false) String discussionId, @RequestParam(required = false) String episodeId)
        throws IOException, ServletException {

    _authenticate(request, issuer, Authorization);

    // 3. Create the document in the database
    Document newDocument = documentService.save(document);
    if (document.getDescription() != null) {
        Attachment mainAttachment = newDocument.getAttachmentList().get(0);
        mainAttachment.setSource(document.getDescription().getBytes());
        //document.setDescription("");
        documentService.save(newDocument);

        if (episodeId != null) {
            DocumentSSSInfo documentSSSInfo = new DocumentSSSInfo();
            documentSSSInfo.setDocument(newDocument);
            documentSSSInfo.setEpisodeId(episodeId);
            documentSSSInfoService.addDocumentInfo(documentSSSInfo);
        }// w  ww  . j  a  v a 2  s .  co m
    }

    // 4. Create the document in the SSS together with the link to the discussion
    // 4.1 Authenticate with the SSS
    // SSS auth Endpoint: http://test-ll.know-center.tugraz.at/layers.test/auth/auth/
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    //if (auth instanceof AnonymousAuthenticationToken) {
    OIDCAuthenticationToken token = (OIDCAuthenticationToken) auth;
    SSSAuthDto sssAuthDto = null;
    try {
        sssAuthDto = sssClient.authenticate(token.getAccessTokenValue());
    } catch (UserNotAuthorizedException e) {
        request.logout();
        e.printStackTrace();
        throw new UnauthorizedClientException("oidc token invalid");
    }

    // 4.2 Create the according SSSLivingdocs entity
    try {
        SSSLivingdocsResponseDto sssLivingdocsResponseDto = sssClient.createDocument(document, discussionId,
                token.getAccessTokenValue());
    } catch (AuthenticationNotValidException eAuth) {
        throw new UserNotAuthorizedException();
    }

    // 4.3 Retrieve the list of email addresses that have access to the livingdocument in the SSS
    // TODO retrieve email addresses

    return newDocument;
    /*} else {
    throw new UnauthorizedClientException("anonymous user session");
    }*/
}

From source file:com.example.AzureADAuthenticationFilter.java

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    try {/*from w  w w . j av  a 2 s. co  m*/

        String currentUri = AuthHelper.getCurrentUri(request);

        // Check if current session contains user authentication info.
        if (!AuthHelper.isAuthenticated(request)) {

            if (log.isTraceEnabled()) {
                log.trace("AuthHelper.isAuthenticated = false");
            }

            if (AuthHelper.containsAuthenticationData(request)) {
                // The request contains authentication data, which means this request is returned from AzureAD login page
                // after authentication process is completed.  The result should have been processed by AzureADResponseFilter.
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("AuthHelper.containsAuthenticationData = false");
                }

                // when not authenticated and request does not contains authentication data (not come from Azure AD login process),
                // redirect to Azure login page.

                // get csrf token
                CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
                if (log.isDebugEnabled()) {
                    log.debug("Current csrf token before going to AzureAD login {} {} = {}",
                            token.getHeaderName(), token.getParameterName(), token.getToken());
                }

                // add the csrf token to login request and go login...
                response.setStatus(302);
                String redirectTo = getRedirectUrl(currentUri) + "&state=" + token.getToken();

                if (log.isDebugEnabled()) {
                    log.debug("302 redirect to " + redirectTo);
                }
                response.sendRedirect(redirectTo);
                return;
            }
        } else {
            if (log.isTraceEnabled()) {
                log.trace("AuthHelper.isAuthenticated = true");
            }

            // if authenticated, how to check for valid session?
            AuthenticationResult result = AuthHelper.getAuthSessionObject(request);

            if (request.getParameter("refresh") != null) {
                result = getAccessTokenFromRefreshToken(result.getRefreshToken(), currentUri);
            } else {
                if (request.getParameter("cc") != null) {
                    result = getAccessTokenFromClientCredentials();
                } else {
                    if (result.getExpiresOnDate().before(new Date())) {
                        result = getAccessTokenFromRefreshToken(result.getRefreshToken(), currentUri);
                    }
                }
            }

            AuthHelper.setAuthSessionObject(request, result);

            // Handle logout
            if (logout.equals(request.getRequestURI())) {
                if (log.isTraceEnabled()) {
                    log.trace("Logout...");
                }

                // Clear spring security context so spring thinks this user is gone.
                request.logout();
                SecurityContextHolder.clearContext();

                // Clear Azure principal
                AuthHelper.remoteAuthSessionObject(request);

                // Go to AzureAD and logout.
                response.setStatus(302);
                String logoutPage = "https://login.windows.net/" + tenant + "/oauth2/logout";
                if (log.isDebugEnabled()) {
                    log.debug("302 redirect to " + logoutPage);
                }

                response.sendRedirect(logoutPage);
                return;
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("URI: " + request.getRequestURI() + " does not match " + logout
                            + ".  It is not a logout request");
                }
            }
        }
    } catch (Throwable exc) {
        response.setStatus(500);
        request.setAttribute("error", exc.getMessage());
        response.sendRedirect(((HttpServletRequest) request).getContextPath() + error);
    }

    filterChain.doFilter(request, response);
}

From source file:org.shareok.data.webserv.filters.UserSessionFilter.java

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    try {/*w w  w  .  j  ava  2s. com*/
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String contextPath = httpRequest.getServletPath();
        if (contextPath.contains("/")) {
            contextPath = contextPath.split("/")[1];
        } //.getContextPath();
        if (null != contextPath && !"".equals(contextPath)
                && ShareokdataManager.requiredUserAuthentication(contextPath)) {
            SessionRepository<Session> repo = (SessionRepository<Session>) httpRequest
                    .getAttribute(SessionRepository.class.getName());

            if (contextPath.equals("register")) {
                String email = (String) httpRequest.getParameter("email");
                String password = (String) httpRequest.getParameter("password");
                String userName = (String) httpRequest.getParameter("nickname");
                if (null == email || "".equals(email)) {
                    throw new UserRegisterInfoNotFoundException(
                            "Valid email register information is required!");
                }
                if (null == password || "".equals(password)) {
                    throw new UserRegisterInfoNotFoundException("Valid password is required for registration!");
                }
                /*****************
                 * Some password validation logic here:
                 */
                ExpiringSession session = (ExpiringSession) repo.createSession();
                session.setMaxInactiveIntervalInSeconds(600);
                String sessionId = session.getId();
                RedisUser user = redisUserService.findUserByUserEmail(email);
                if (null != user && password.equals(user.getPassword())) {
                    session.setAttribute(ShareokdataManager.getSessionRedisUserAttributeName(), user);
                    user.setSessionKey(sessionId);
                    user.setUserName(userName);
                    redisUserService.updateUser(user);
                } else if (null == user) {
                    ApplicationContext context = new ClassPathXmlApplicationContext("redisContext.xml");
                    user = (RedisUser) context.getBean("redisUser");

                    user.setEmail(email);
                    user.setPassword(password);
                    user.setSessionKey(sessionId);
                    redisUserService.addUser(user);
                } else if (null != user && !password.equals(user.getPassword())) {
                    throw new UserRegisterInfoNotFoundException(
                            "Your login information does not match our records!`");
                }

                session.setAttribute(ShareokdataManager.getSessionRedisUserAttributeName(), user);
                repo.save(session);
                chain.doFilter(request, response);
                //                    HttpServletResponse httpReponse = (HttpServletResponse)response;
                //                    httpReponse.sendRedirect("/webserv/home");
            } else {
                boolean sessionValidated = false;
                HttpSession session = (HttpSession) httpRequest.getSession(false);
                if (null != session) {
                    ExpiringSession exSession = (ExpiringSession) repo.getSession(session.getId());
                    if (null != exSession) {
                        RedisUser user = (RedisUser) session
                                .getAttribute(ShareokdataManager.getSessionRedisUserAttributeName());
                        if (null != user) {
                            RedisUser userPersisted = redisUserService.findAuthenticatedUser(user.getEmail(),
                                    session.getId());
                            if (null != userPersisted) {
                                sessionValidated = true;
                            }
                        }
                    }
                }

                if (!sessionValidated) {
                    if (null != session) {
                        repo.delete(session.getId());
                        session.setAttribute(ShareokdataManager.getSessionRedisUserAttributeName(), null);
                        session.invalidate();
                    }
                    httpRequest.logout();
                    //request.getRequestDispatcher("/WEB-INF/jsp/logout.jsp").forward(request, response);
                    HttpServletResponse httpReponse = (HttpServletResponse) response;
                    httpReponse.sendRedirect("/webserv/login");
                } else {
                    chain.doFilter(request, response);
                }
            }
        } else {
            chain.doFilter(request, response);
        }
    } catch (IOException ex) {
        request.setAttribute("errorMessage", ex);
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    } catch (ServletException ex) {
        request.setAttribute("errorMessage", ex);
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    } catch (UserRegisterInfoNotFoundException ex) {
        request.setAttribute("errorMessage", ex);
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    }

}

From source file:org.shareok.data.webserv.UserSessionInterceptor.java

@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
        throws Exception {

    try {//from   w  w w. ja  v a2 s .  c  o  m
        String contextPath = request.getServletPath();
        if (contextPath.contains("/")) {
            contextPath = contextPath.split("/")[1];
        }
        if (null != contextPath && !"".equals(contextPath)
                && ShareokdataManager.requiredUserAuthentication(contextPath)) {
            SessionRepository<Session> repo = (SessionRepository<Session>) request
                    .getAttribute(SessionRepository.class.getName());

            if (contextPath.equals("register")) {
                if (!configService.getRegistrationConfig()) {
                    throw new NoNewUserRegistrationException("The registraion of new users has been closed!");
                }
                String email = (String) request.getParameter("email");
                String password = pwAuthenService.hash((String) request.getParameter("password"));
                String userName = (String) request.getParameter("nickname");
                if (null == email || "".equals(email)) {
                    throw new UserRegisterInfoNotFoundException(
                            "Valid email register information is required!");
                }
                if (null == password || "".equals(password)) {
                    throw new UserRegisterInfoNotFoundException("Valid password is required for registration!");
                }
                /*****************
                 * Some password validation logic here:
                 */
                HttpSession httpSession = (HttpSession) request.getSession();
                ExpiringSession session = (ExpiringSession) repo.getSession(httpSession.getId());
                if (null == session) {
                    session = (ExpiringSession) repo.createSession();
                }
                String sessionId = session.getId();
                RedisUser user = redisUserService.findUserByUserEmail(email);
                if (null != user) {
                    throw new RegisterUserInfoExistedException("User Email has already Existed!");
                } else {
                    user = redisUserService.getNewUser();
                    user.setEmail(email);
                    user.setPassword(password);
                    if (null == userName || userName.equals("")) {
                        userName = email;
                    }
                    user.setUserName(userName);
                    user.setSessionKey(sessionId);
                    redisUserService.addUser(user);
                }

                setSessionUserInfo(session, httpSession, user);
                repo.save(session);
            } else if (contextPath.equals("userLogin")) {
                String email = (String) request.getParameter("email");
                String password = (String) request.getParameter("password");
                if (null == email || "".equals(email)) {
                    throw new UserRegisterInfoNotFoundException(
                            "Valid email information is required for logging in!");
                }
                if (null == password || "".equals(password)) {
                    throw new UserRegisterInfoNotFoundException("Valid password is required for logging in!");
                }
                /*****************
                 * Some password validation logic here:
                 */
                HttpSession httpSession = (HttpSession) request.getSession();
                ExpiringSession session = (ExpiringSession) repo.getSession(httpSession.getId());
                if (null == session || session.isExpired()) {
                    session = (ExpiringSession) repo.createSession();
                }
                String sessionId = session.getId();
                RedisUser user = redisUserService.findUserByUserEmail(email);

                if (null == user || !pwAuthenService.authenticate(password, user.getPassword())) {
                    throw new UserRegisterInfoNotFoundException("User information cannot be found!");
                }

                user.setSessionKey(sessionId);
                redisUserService.updateUser(user);

                setSessionUserInfo(session, httpSession, user);
                httpSession.setAttribute("email", email);
                repo.save(session);
            } else if (contextPath.equals("logout")) {
                HttpSession session = (HttpSession) request.getSession(false);
                if (null != session) {
                    ExpiringSession exSession = (ExpiringSession) repo.getSession(session.getId());
                    if (null != exSession) {
                        String email = (String) session.getAttribute("email");
                        if (null != email) {
                            redisUserService.invalidateUserSessionIdByEmail(email);
                        }
                        exSession.isExpired();
                        repo.delete(exSession.getId());
                    }
                    session.invalidate();
                }
            }
            // *** The following situation applies to authentication logic based on session information ***
            else {
                boolean sessionValidated = false;
                HttpSession session = (HttpSession) request.getSession(false);
                if (null != session) {
                    ExpiringSession exSession = (ExpiringSession) repo.getSession(session.getId());
                    if (null != exSession && !exSession.isExpired()) {
                        String email = (String) session.getAttribute("email");
                        if (null != email) {
                            RedisUser userPersisted = redisUserService.findAuthenticatedUser(email,
                                    session.getId());
                            if (null != userPersisted) {
                                sessionValidated = true;
                            }
                        }
                    }
                }

                if (!sessionValidated) {
                    if (null != session) {
                        repo.delete(session.getId());
                        session.setAttribute(ShareokdataManager.getSessionRedisUserAttributeName(), null);
                        session.invalidate();
                    }
                    request.logout();
                    //request.getRequestDispatcher("/WEB-INF/jsp/logout.jsp").forward(request, response);
                    HttpServletResponse httpReponse = (HttpServletResponse) response;
                    httpReponse.sendRedirect("/webserv/login");
                }
            }
        } else {
            ;
        }
    } catch (IOException ex) {
        request.setAttribute("errorMessage", ex.getMessage());
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    } catch (ServletException ex) {
        request.setAttribute("errorMessage", ex.getMessage());
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    } catch (UserRegisterInfoNotFoundException ex) {
        request.setAttribute("errorMessage", ex.getMessage());
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    } catch (RegisterUserInfoExistedException ex) {
        request.setAttribute("errorMessage", ex.getMessage());
        request.getRequestDispatcher("/WEB-INF/jsp/userError.jsp").forward(request, response);
    } catch (NoNewUserRegistrationException ex) {
        request.setAttribute("errorMessage", ex.getMessage());
        request.getRequestDispatcher("/WEB-INF/jsp/closedRegistration.jsp").forward(request, response);
    }

    return true;
}

From source file:org.jasig.cas.client.session.SingleSignOutHandler.java

/**
 * Destroys the current HTTP session for the given CAS logout request.
 *
 * @param request HTTP request containing a CAS logout message.
 *//*from w  w w.j a v  a 2  s  . c om*/
private void destroySession(final HttpServletRequest request) {
    final String logoutMessage;
    // front channel logout -> the message needs to be base64 decoded + decompressed
    if (isFrontChannelLogoutRequest(request)) {
        logoutMessage = uncompressLogoutMessage(
                CommonUtils.safeGetParameter(request, this.frontLogoutParameterName));
    } else {
        logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters);
    }
    logger.trace("Logout request:\n{}", logoutMessage);

    final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
    if (CommonUtils.isNotBlank(token)) {
        final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token);

        if (session != null) {
            String sessionID = session.getId();

            logger.debug("Invalidating session [{}] for token [{}]", sessionID, token);

            try {
                session.invalidate();
            } catch (final IllegalStateException e) {
                logger.debug("Error invalidating session.", e);
            }
            try {
                request.logout();
            } catch (final ServletException e) {
                logger.debug("Error performing request.logout.");
            }
        }
    }
}

From source file:org.structr.core.auth.AuthHelper.java

public static void doLogout(final HttpServletRequest request, final Principal user) throws FrameworkException {

    final HttpSession session = request.getSession(false);

    // We need a session to logout a user
    if (session != null) {

        AuthHelper.clearSession(session.getId());
        user.removeSessionId(session.getId());

        Actions.call(Actions.NOTIFICATION_LOGOUT, user);

        try {/*w  w w  .j  a  v a2s  .c o m*/
            request.logout();
            request.changeSessionId();
        } catch (Throwable t) {
        }

    }
}

From source file:org.structr.rest.auth.AuthHelper.java

public static void doLogout(final HttpServletRequest request, final Principal user) throws FrameworkException {

    final HttpSession session = request.getSession(false);

    // We need a session to logout a user
    if (session != null) {

        SessionHelper.clearSession(session.getId());

        SessionHelper.invalidateSession(session);

        Actions.call(Actions.NOTIFICATION_LOGOUT, user);

        try {/*  ww  w.j  a  v  a 2 s  .  co  m*/
            request.logout();
            request.changeSessionId();
        } catch (Throwable t) {
        }

    }
}

From source file:org.structr.rest.auth.SessionHelper.java

public static Principal checkSessionAuthentication(final HttpServletRequest request) throws FrameworkException {

    String requestedSessionId = request.getRequestedSessionId();
    String sessionId = null;//  w w w  .ja  v a 2  s  .c  o  m

    logger.debug("0. Requested session id: " + requestedSessionId + ", request says is valid? "
            + request.isRequestedSessionIdValid());

    //HttpSession session       = request.getSession(false);
    boolean isNotTimedOut = false;

    if (requestedSessionId == null) {

        logger.debug("1b. Empty requested session id, creating a new one.");

        // No session id requested => create new session
        SessionHelper.newSession(request);

        // Store info in request that session is new => saves us a lookup later
        request.setAttribute(SESSION_IS_NEW, true);

        // we just created a totally new session, there can't
        // be a user with this session ID, so don't search.
        return null;

    } else {

        requestedSessionId = getShortSessionId(requestedSessionId);

        // Existing session id, check if we have an existing session
        if (request.getSession(false) != null) {

            logger.debug("1a. Requested session id without worker id suffix: " + requestedSessionId);

            sessionId = request.getSession(false).getId();
            logger.debug("2a. Current session id: " + sessionId);

            if (sessionId.equals(requestedSessionId)) {

                logger.debug("3a. Current session id equals requested session id");
            } else {

                logger.debug("3b. Current session id does not equal requested session id.");
            }

        } else {

            logger.debug("2b. Current session is null.");

            // Try to find session in session cache
            if (getSessionBySessionId(requestedSessionId) == null) {

                // Not found, create new
                SessionHelper.newSession(request);
                logger.debug("3a. Created new session");

                // remove session ID without session
                SessionHelper.clearSession(requestedSessionId);
                logger.debug("4. Cleared unknown session " + requestedSessionId);

                // we just created a totally new session, there can't
                // be a user with this session ID, so don't search.
                return null;

            } else {
                logger.debug("3b. Session with requested id " + requestedSessionId + " found, continuing.");

                sessionId = requestedSessionId;

            }

        }

        if (SessionHelper.isSessionTimedOut(request.getSession(false))) {

            isNotTimedOut = false;

            // invalidate session
            SessionHelper.invalidateSession(sessionId);

            // remove invalid session ID
            SessionHelper.clearSession(sessionId);

            logger.debug("4a. Cleared timed-out session " + sessionId);

            SessionHelper.newSession(request);
            // we just created a totally new session, there can't
            // be a user with this session ID, so don't search.
            return null;

        } else {

            logger.debug("4b. Session " + sessionId + " is not timed-out.");

            isNotTimedOut = true;
        }
    }

    if (isNotTimedOut) {

        final Principal user = AuthHelper.getPrincipalForSessionId(sessionId);
        //logger.debug("Valid session found: {}, last accessed {}, authenticated with user {}", new Object[]{session, session.getLastAccessedTime(), user});

        return user;

    } else {

        final Principal user = AuthHelper.getPrincipalForSessionId(sessionId);
        if (user != null) {

            //logger.info("Timed-out session: {}, last accessed {}, authenticated with user {}", new Object[]{session, (session != null ? session.getLastAccessedTime() : ""), user});
            logger.debug("Logging out user {}", new Object[] { user });
            AuthHelper.doLogout(request, user);
            try {
                request.logout();
            } catch (Throwable t) {
            }
        }

        SessionHelper.newSession(request);

        return null;
    }
}