[ELY-2413] Re-authentication after reboot, even though HttpSession ar…

…e persisted
wildfly-security · Sep 5, 2022 · e0ca0f5 · e0ca0f5
1 parent d25f9f6
commit e0ca0f5
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 0 deletions.
diff --git a/auth/server/base/src/main/java/org/wildfly/security/authz/Roles.java b/auth/server/base/src/main/java/org/wildfly/security/authz/Roles.java
@@ -20,6 +20,7 @@
 
 import static org.wildfly.common.Assert.checkNotNullParam;
 import static org.wildfly.common.Assert.checkNotEmptyParam;
+
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.Set;

diff --git a/auth/server/base/src/main/java/org/wildfly/security/cache/CachedIdentity.java b/auth/server/base/src/main/java/org/wildfly/security/cache/CachedIdentity.java
@@ -22,8 +22,13 @@
 
 import java.io.Serializable;
 import java.security.Principal;
+import java.util.HashSet;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.Set;
 
 import org.wildfly.security.auth.server.SecurityIdentity;
+import org.wildfly.security.authz.Roles;
 
 /**
  * Represents a cached identity, managed by an {@link IdentityCache}.
@@ -41,6 +46,7 @@ public final class CachedIdentity implements Serializable {
     private final boolean programmatic;
     private final String name;
     private final transient SecurityIdentity securityIdentity;
+    private final Set<String> roles;
 
     /**
      * Creates a new instance based on the given <code>mechanismName</code> and <code>securityIdentity</code>.
@@ -64,11 +70,45 @@ public CachedIdentity(String mechanismName, boolean programmatic, Principal prin
         this(mechanismName, programmatic, null, principal);
     }
 
+    /**
+     * Creates a new instance based on the given <code>mechanismName</code> and <code>principal</code>.
+     *
+     * @param mechanismName the name of the authentication mechanism used to authenticate/authorize the identity
+     * @param programmatic indicates if this identity was created as a result of programmatic authentication
+     * @param principal the principal of this cached identity
+     * @param roles the roles assigned to this cached identity
+     */
+    public CachedIdentity(String mechanismName, boolean programmatic, Principal principal, Set<String> roles) {
+        this(mechanismName, programmatic, null, principal, roles);
+    }
+
     private CachedIdentity(String mechanismName, boolean programmatic, SecurityIdentity securityIdentity, Principal principal) {
         this.mechanismName = checkNotNullParam("mechanismName", mechanismName);
         this.programmatic = programmatic;
         this.name = checkNotNullParam("name", checkNotNullParam("principal", principal).getName());
         this.securityIdentity = securityIdentity;
+        if (securityIdentity != null && securityIdentity.getPrincipal() != null) {
+            this.roles = rolesToSet(securityIdentity.getRoles());
+        } else {
+            this.roles = Collections.emptySet();
+        }
+    }
+
+    private CachedIdentity(String mechanismName, boolean programmatic, SecurityIdentity securityIdentity, Principal principal, Set<String> roles) {
+        this.mechanismName = checkNotNullParam("mechanismName", mechanismName);
+        this.programmatic = programmatic;
+        this.name = checkNotNullParam("name", checkNotNullParam("principal", principal).getName());
+        this.securityIdentity = securityIdentity;
+        this.roles = roles;
+    }
+
+    private Set<String> rolesToSet(Roles roles) {
+        Iterator<String> iterator = roles.iterator();
+        Set<String> resultSet = new HashSet<>();
+        while (iterator.hasNext()) {
+            resultSet.add(iterator.next());
+        }
+        return resultSet;
     }
 
     /**
@@ -107,6 +147,19 @@ public boolean isProgrammatic() {
         return programmatic;
     }
 
+    /**
+     * Returns the roles associated with the cached identity.
+     *
+     * @return the roles associated with the cached identity.
+     */
+    public Set<String> getRoles() {
+        if (this.securityIdentity != null) {
+            return rolesToSet(this.securityIdentity.getRoles());
+        } else {
+            return this.roles;
+        }
+    }
+
     @Override
     public String toString() {
         return "CachedIdentity{" + mechanismName + ", '" + name + "', " + securityIdentity + ", " + programmatic + "}";

diff --git a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
@@ -61,6 +61,7 @@
 import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
 import org.wildfly.security.auth.callback.IdentityCredentialCallback;
 import org.wildfly.security.auth.server.SecurityIdentity;
+import org.wildfly.security.authz.Roles;
 import org.wildfly.security.credential.Credential;
 import org.wildfly.security.credential.PasswordCredential;
 import org.wildfly.security.evidence.PasswordGuessEvidence;
@@ -112,6 +113,10 @@ protected SecurityIdentity mockSecurityIdentity(Principal p) {
             public Principal getPrincipal() {
                 return p;
             }
+            @Mock
+            public Roles getRoles() {
+                return Roles.NONE;
+            }
         }.getMockInstance();
     }