RestSecurityBeanImpl.java

/**
 * <a href="http://www.openolat.org">
 * OpenOLAT - Online Learning and Training</a><br>
 * <p>
 * Licensed under the Apache License, Version 2.0 (the "License"); <br>
 * you may not use this file except in compliance with the License.<br>
 * You may obtain a copy of the License at the
 * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
 * <p>
 * Unless required by applicable law or agreed to in writing,<br>
 * software distributed under the License is distributed on an "AS IS" BASIS, <br>
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
 * See the License for the specific language governing permissions and <br>
 * limitations under the License.
 * <p>
 * Initial code contributed and copyrighted by<br>
 * frentix GmbH, http://www.frentix.com
 * <p>
 */
package org.olat.restapi.security;

import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpSession;

import org.olat.basesecurity.Authentication;
import org.olat.basesecurity.BaseSecurity;
import org.olat.basesecurity.manager.AuthenticationDAO;
import org.olat.core.id.Identity;
import org.olat.core.util.StringHelper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

/**
 * 
 * Manage a mapping between the security token generated by
 * OpenOLAT and HTTP sessions. The security token are saved on
 * the database using the Authentication table with the specific
 * provider "REST".</br>
 * 
 * <P>
 * Initial Date:  7 apr. 2010 <br>
 * @author srosse, stephane.rosse@frentix.com, http://www.frentix.com
 */
@Service("restSecurityBean")
public class RestSecurityBeanImpl implements RestSecurityBean {
	
	public static final String REST_AUTH_PROVIDER = "REST";

	private Map<String,Long> tokenToIdentity = new ConcurrentHashMap<String,Long>();
	private Map<String,List<String>> tokenToSessionIds = new ConcurrentHashMap<String,List<String>>();
	private Map<String,String> sessionIdToTokens = new ConcurrentHashMap<String,String>();
	
	@Autowired
	private BaseSecurity securityManager;
	@Autowired
	private AuthenticationDAO authenticationDao;

	@Override
	public String generateToken(Identity identity, HttpSession session) {
		String token = UUID.randomUUID().toString();
		tokenToIdentity.put(token, identity.getKey());
		bindTokenToSession(token, session);
		
		Authentication auth = securityManager.findAuthentication(identity, REST_AUTH_PROVIDER);
		if(auth == null) {
			auth = securityManager.createAndPersistAuthentication(identity, REST_AUTH_PROVIDER, identity.getName(), token, null);
		} else {
			authenticationDao.updateCredential(auth, token);
		}
		return token;
	}

	@Override
	public String renewToken(String token) {
		return token;
	}

	@Override
	public boolean isTokenRegistrated(String token, HttpSession session) {
		if(!StringHelper.containsNonWhitespace(token)) return false;
		boolean registrated = tokenToIdentity.containsKey(token);
		if(!registrated) {
			List<Authentication> auths = securityManager.findAuthenticationByToken(REST_AUTH_PROVIDER, token);
			if(auths.size() == 1) {
				Authentication auth = auths.get(0);
				tokenToIdentity.put(token, auth.getIdentity().getKey());
				bindTokenToSession(token, session);
				registrated = true;
			}
		}
		return registrated;
	}
	
	@Override
	public Identity getIdentity(String token) {
		if(!StringHelper.containsNonWhitespace(token)) {
			return null;
		}
		Long identityKey = tokenToIdentity.get(token);
		if(identityKey == null) {
			return null;
		}
		return securityManager.loadIdentityByKey(identityKey, false);
	}

	@Override
	public void bindTokenToSession(String token, HttpSession session) {
		if(!StringHelper.containsNonWhitespace(token) || session == null) {
			return;
		}
		
		String sessionId = session.getId();
		synchronized(tokenToSessionIds) {//cluster notOK -> need probably a mapping on the DB
			if(!tokenToSessionIds.containsKey(token)) {
				List<String> sessionIds = new ArrayList<String>();
				sessionIds.add(session.getId());
				tokenToSessionIds.put(token, sessionIds);
			} else {
				List<String> sessionIds = tokenToSessionIds.get(token);
				if(!sessionIds.contains(sessionId)) {
					sessionIds.add(session.getId());
				}
			}
			sessionIdToTokens.put(sessionId, token);
		}
	}

	@Override
	public void unbindTokenToSession(HttpSession session) {
		synchronized(tokenToSessionIds) {//cluster notOK -> need probably a mapping on the DB
			String sessionId = session.getId();
			String token = sessionIdToTokens.remove(sessionId);
			if(token != null) {
				List<String> sessionIds = tokenToSessionIds.get(token);
				sessionIds.remove(sessionId);
				if(sessionIds.isEmpty()) {
					tokenToIdentity.remove(token);
					tokenToSessionIds.remove(token);
				}
			}
		}
	}

	@Override
	public int removeTooOldRestToken() {
		Calendar cal = Calendar.getInstance();
		cal.setTime(new Date());
		cal.add(Calendar.MONTH, -1);
		Date limit = cal.getTime();

		List<Authentication> authentications = securityManager.findOldAuthentication(REST_AUTH_PROVIDER, limit);
		for(Authentication authentication:authentications) {
			String token = authentication.getCredential();
			if(tokenToIdentity.containsKey(token)) {
				continue;//don't delete authentication in use
			}
			securityManager.deleteAuthentication(authentication);
		}
		return authentications.size();
	}

	public void clearCaches() {
		tokenToIdentity.clear();
		tokenToSessionIds.clear();
		sessionIdToTokens.clear();
	}
}