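package org.molgenis.security.session;

import org.molgenis.security.core.utils.SecurityUtils;
import org.molgenis.security.login.MolgenisLoginController;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Marks an unauthenticated REST call that arrives with an expired session so that the login
 * form can show a "session expired" message.
 * <p>
 * The filter is advisory only: when an unauthenticated request targets {@code /api/} (with a
 * few exemptions, see {@link #EXEMPT_URI_PREFIXES}) and {@link SecurityUtils#isSessionExpired}
 * reports the presented session as expired, the flag
 * {@link MolgenisLoginController#SESSION_EXPIRED_SESSION_ATTR} is stored on the session.
 * The request then ALWAYS continues down the chain; this filter never short-circuits,
 * sets a status code or returns a 401 itself. Any 401 the client receives is produced by
 * later handling, not here.
 * <p>
 * Because the REST api does not require authentication, this filter is needed in addition
 * to the AjaxAwareLoginUrlAuthenticationEntryPoint, which only acts on protected URLs.
 */
public class ApiSessionExpirationFilter extends GenericFilterBean
{
    /** Prefix that identifies a REST api request (compared against the raw request URI). */
    private static final String API_URI_PREFIX = "/api/";

    /**
     * REST endpoints for which an expired session must not raise the flag: login/logout are
     * expected to be called without a live session, and the version endpoint is public.
     */
    private static final String[] EXEMPT_URI_PREFIXES = { "/api/v1/login", "/api/v1/logout",
            "/api/v2/version" };

    /**
     * Flags the session as expired when the request qualifies (see class doc) and always
     * forwards the request to the rest of the chain.
     *
     * @param request  the incoming request; cast to {@link HttpServletRequest}, so this filter
     *                 must only be mapped to HTTP requests
     * @param response passed through untouched
     * @param chain    the remaining filter chain, always invoked exactly once
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        if (isExpiredSessionOnApiCall(httpRequest))
        {
            // Signal that the 'session expired' message must be shown in the login form.
            // NOTE: getSession() creates a new server-side session when none is valid, which
            // is the normal case here (the presented one was reported as expired). This means
            // an unauthenticated request carrying a stale/bogus session id creates state on the
            // server; acceptable as long as the container's session limits are sane — review
            // if api traffic with invalid session cookies is a concern.
            httpRequest.getSession()
                       .setAttribute(MolgenisLoginController.SESSION_EXPIRED_SESSION_ATTR, true);
        }

        chain.doFilter(request, response);
    }

    /**
     * Decides whether the request is an unauthenticated, non-exempt api call made with an
     * expired session. Checks are evaluated in the same order as before: authentication
     * state first, then the URI prefix, then the (possibly non-trivial) session-expiry
     * check, then the exemption list.
     */
    private static boolean isExpiredSessionOnApiCall(HttpServletRequest httpRequest)
    {
        if (SecurityUtils.currentUserIsAuthenticated())
        {
            return false;
        }

        // getRequestURI() is the raw, undecoded URI and includes any servlet context path.
        // The prefix comparisons below therefore presume the application is deployed at the
        // root context — TODO confirm, otherwise "/api/" never matches and the flag is never set.
        String requestUri = httpRequest.getRequestURI();
        if (!requestUri.startsWith(API_URI_PREFIX))
        {
            return false;
        }

        if (!SecurityUtils.isSessionExpired(httpRequest))
        {
            return false;
        }

        return !isExemptUri(requestUri);
    }

    /** True when the URI starts with one of {@link #EXEMPT_URI_PREFIXES}. */
    private static boolean isExemptUri(String requestUri)
    {
        for (String exemptPrefix : EXEMPT_URI_PREFIXES)
        {
            if (requestUri.startsWith(exemptPrefix))
            {
                return true;
            }
        }
        return false;
    }
}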