org.vaadin.spring.security.managed.DefaultVaadinManagedSecurity.java Source code

Java tutorial

Introduction

Here is the source code for org.vaadin.spring.security.managed.DefaultVaadinManagedSecurity.java

Source

/*
 * Copyright 2015, 2016 The original authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.vaadin.spring.security.managed;

import java.util.HashSet;
import java.util.Set;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.vaadin.spring.security.AbstractVaadinSecurity;

import com.vaadin.server.*;
import com.vaadin.shared.ui.ui.Transport;
import com.vaadin.ui.UI;

/**
 * Default implementation of {@link org.vaadin.spring.security.managed.VaadinManagedSecurity}.
 *
 * @author Petter Holmstrm (petter@vaadin.com)
 */
public class DefaultVaadinManagedSecurity extends AbstractVaadinSecurity implements VaadinManagedSecurity {

    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultVaadinManagedSecurity.class);

    public static final String REINITIALIZE_SESSION_AFTER_LOGIN_PROPERTY = "vaadin.spring.security.managed.reinitialize-session-after-login";

    public DefaultVaadinManagedSecurity() {
        LOGGER.info("Using Vaadin Managed Security");
    }

    /**
     * Returns whether the current session should be reinitialized after a successful login. Default is true.
     * Can be disabled by setting the "{@value #REINITIALIZE_SESSION_AFTER_LOGIN_PROPERTY}" environment property to
     * false. If Websocket Push is used, the session will never be reinitialized since this throws errors on at least
     * Tomcat 8.
     */
    protected boolean isReinitializeSessionAfterLogin() {
        return getApplicationContext().getEnvironment().getProperty(REINITIALIZE_SESSION_AFTER_LOGIN_PROPERTY,
                Boolean.class, true);
    }

    @Override
    public Authentication login(Authentication authentication) throws AuthenticationException {
        LOGGER.debug("Authenticating using {}", authentication);
        final Authentication fullyAuthenticated = getAuthenticationManager().authenticate(authentication);
        if (isReinitializeSessionAfterLogin()) {
            clearAndReinitializeSession();
        }
        SecurityContext context = SecurityContextHolder.getContext();
        LOGGER.debug("Setting authentication of context {} to {}", context, fullyAuthenticated);
        context.setAuthentication(fullyAuthenticated);
        return fullyAuthenticated;
    }

    /**
     * Clears the session of all attributes except some internal Vaadin attributes and reinitializes it. If Websocket
     * Push is used, the session will never be reinitialized since this throws errors on at least
     * Tomcat 8.
     */
    protected void clearAndReinitializeSession() {
        final VaadinRequest currentRequest = VaadinService.getCurrentRequest();
        final UI currentUI = UI.getCurrent();
        if (currentUI != null) {
            final Transport transport = currentUI.getPushConfiguration().getTransport();
            if (Transport.WEBSOCKET.equals(transport) || Transport.WEBSOCKET_XHR.equals(transport)) {
                LOGGER.warn(
                        "Clearing and reinitializing the session is currently not supported when using Websocket Push.");
                return;
            }
        }
        if (currentRequest != null) {
            LOGGER.debug("Clearing the session");
            final WrappedSession session = currentRequest.getWrappedSession();
            final String serviceName = VaadinService.getCurrent().getServiceName();
            final Set<String> attributesToSpare = new HashSet<String>();
            attributesToSpare.add(serviceName + ".lock");
            attributesToSpare.add(VaadinSession.class.getName() + "." + serviceName);
            for (String s : currentRequest.getWrappedSession().getAttributeNames()) {
                if (!attributesToSpare.contains(s)) {
                    LOGGER.trace("Removing attribute {} from session", s);
                    session.removeAttribute(s);
                }
            }
            LOGGER.debug("Reinitializing the session {}", session.getId());
            VaadinService.reinitializeSession(currentRequest);
            LOGGER.debug("Session reinitialized, new ID is {}",
                    VaadinService.getCurrentRequest().getWrappedSession().getId());
        } else {
            LOGGER.warn(
                    "No VaadinRequest bound to current thread, could NOT clear/reinitialize the session after login");
        }
    }

    @Override
    public void logout() {
        VaadinSession.getCurrent().close();
        Page.getCurrent().reload();
    }

    @Override
    public void logout(String logoutUrl) {
        VaadinSession.getCurrent().close();
        Page.getCurrent().setLocation(logoutUrl);
    }

    @Override
    public Authentication getAuthentication() {
        final SecurityContext securityContext = SecurityContextHolder.getContext();
        return securityContext.getAuthentication();
    }
}