Java Code Examples for javax.servlet.http.HttpSession#invalidate()

Example 1
Source File: SecurityServiceImpl.java    From studio with GNU General Public License v3.0 6 votes vote down vote up
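/**
 * Checks that the token bound to the current user is still valid.
 *
 * <p>On failure (no current user, or the token does not validate for that
 * user) the authentication attribute is removed and the HTTP session is
 * invalidated so a stale session cannot be reused. No session is created
 * just to be invalidated: the original {@code request.getSession()} did that
 * on every failed check, which also emitted a fresh session cookie.
 *
 * @param request the current request; its existing session, if any, is invalidated on failure
 * @return {@code true} if the current token is valid for the current user, {@code false} otherwise
 * @throws ServiceLayerException propagated from the service-layer lookups
 */
@Override
public boolean validateSession(HttpServletRequest request) throws ServiceLayerException {
    String authToken = getCurrentToken();
    String userName = getCurrentUser();

    if (userName != null) {
        UserDetails userDetails = this.userDetailsManager.loadUserByUsername(userName);
        // NOTE(review): a manager that returns null for an unknown user would have
        // thrown NPE here in the original; treat that case as "not valid" instead.
        if (userDetails != null && SessionTokenUtils.validateToken(authToken, userDetails.getUsername())) {
            return true;
        }
    }

    // getSession(false): only an existing session needs to be torn down.
    HttpSession httpSession = request.getSession(false);
    if (httpSession != null) {
        httpSession.removeAttribute(HTTP_SESSION_ATTRIBUTE_AUTHENTICATION);
        httpSession.invalidate();
    }
    return false;
}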
 
Example 2
Source File: LogoutController.java    From auth-server with Apache License 2.0 6 votes vote down vote up
/**
 * <p>
 * One-click logout: drops the Spring Security context, invalidates the HTTP
 * session and redirects to the login page.
 * </p>
 *
 * @param request the current request; an existing session is invalidated, none is created
 * @return redirect view name for the login page carrying the {@code logout} flag
 */
@PostMapping("/logout")
public String logout(HttpServletRequest request) {
  log.debug("Direct logout");

  // Drop the authenticated principal from the security context.
  SecurityContextHolder.getContext().setAuthentication(null);
  SecurityContextHolder.clearContext();

  // getSession(false) so that a logout without a session does not create one.
  final HttpSession existing = request.getSession(false);
  if (existing == null) {
    return "redirect:/login?logout";
  }
  existing.invalidate();
  return "redirect:/login?logout";
}
 
Example 3
Source File: HomeController.java    From popular-movie-store with Apache License 2.0 6 votes vote down vote up
/**
 * Logs the caller out: invalidates the current session (if any) and renders
 * the home page with an empty cart line for every movie in the catalogue.
 *
 * @param modelAndView model to populate; receives {@code movies} and {@code hostname}
 * @param request      the current request; an existing session is invalidated, none is created
 * @return the same {@code modelAndView}, with the view name set to {@code home}
 */
@PostMapping("/logout")
public ModelAndView clear(ModelAndView modelAndView, HttpServletRequest request) {
    final String hostname = System.getenv().getOrDefault("HOSTNAME", "unknown");
    List<Movie> catalogue = movieDBHelper.getAll();

    List<MovieCartItem> emptyCart = catalogue.stream()
        .map(movie -> emptyItemFor(movie))
        .collect(Collectors.toList());

    HttpSession current = request.getSession(false);
    if (current != null) {
        log.info("Invalidating session:{}", current.getId());
        current.invalidate();
    }

    log.info("New Session");
    modelAndView.addObject("movies", emptyCart);
    modelAndView.setViewName("home");
    modelAndView.addObject("hostname", hostname);
    return modelAndView;
}

/** Builds a cart line for {@code movie} with zero quantity and zero total. */
private static MovieCartItem emptyItemFor(Movie movie) {
    return MovieCartItem.builder()
        .movie(movie)
        .quantity(0)
        .total(0)
        .build();
}
 
Example 4
Source File: SpringBootCsrfPreventionFilter.java    From camunda-bpm-spring-boot-starter with Apache License 2.0 6 votes vote down vote up
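/**
 * Validates the CSRF token carried in the request header against the token
 * stored in the session.
 *
 * <p>On any failure the session is invalidated and a deny status is sent via
 * {@link HttpServletResponse#sendError}, which commits the response; callers
 * must not write to it afterwards. The comparison is done with
 * {@link java.security.MessageDigest#isEqual} so its timing does not depend
 * on how many leading bytes match. No session is created just to be
 * invalidated: a request without a session can never hold a valid session
 * token, so it is rejected directly.
 *
 * @param request  the request carrying the CSRF token header
 * @param response the response used to report a rejected token
 * @return {@code true} if the header token is present and equals the session token
 * @throws IOException if sending the error response fails
 */
protected boolean doTokenValidation(HttpServletRequest request, HttpServletResponse response) throws IOException {

  HttpSession session = request.getSession(false);
  String tokenHeader = getCSRFTokenHeader(request);
  String tokenSession = session == null ? null : (String) getCSRFTokenSession(session);
  boolean isValid = true;

  if (isBlank(tokenHeader)) {
    if (session != null) {
      session.invalidate();
    }
    response.setHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME, CsrfConstants.CSRF_TOKEN_HEADER_REQUIRED);
    response.sendError(getDenyStatus(), "CSRFPreventionFilter: Token provided via HTTP Header is absent/empty.");
    isValid = false;
  } else if (isBlank(tokenSession)
      || !java.security.MessageDigest.isEqual(
          tokenSession.getBytes(java.nio.charset.StandardCharsets.UTF_8),
          tokenHeader.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
    if (session != null) {
      session.invalidate();
    }
    response.sendError(getDenyStatus(), "CSRFPreventionFilter: Invalid HTTP Header Token.");
    isValid = false;
  }

  return isValid;
}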
 
Example 5
Source File: SessionManager.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Unregisters the session mapped to {@code login} and, when requested,
 * invalidates it.
 *
 * @param login      user login whose session should be dropped from the mapping
 * @param invalidate whether to also call {@link HttpSession#invalidate()} on it
 */
public static void removeSessionByLogin(String login, boolean invalidate) {
    HttpSession mapped = SessionManager.loginMapping.get(login);
    if (mapped == null) {
        return;
    }
    SessionManager.loginMapping.remove(login);

    if (!invalidate) {
        return;
    }
    try {
        mapped.invalidate();
    } catch (Exception e) {
        // Usually the session was already invalidated; log and carry on.
        log.warn("SessionMananger invalidation exception", e);
    }
}
 
Example 6
Source File: WebauthnService.java    From fido2 with GNU Lesser General Public License v2.1 6 votes vote down vote up
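/**
 * Ends the caller's web session.
 *
 * <p>Responds {@code 200 OK} with an empty body whether or not a session
 * existed; a session is never created just to be invalidated. Failures are
 * logged under code {@code WEBAUTHN-WS-ERR-1000} and reported as
 * {@code 500 Internal Server Error}.
 *
 * @return the JAX-RS response described above
 */
@POST
@Path("/" + Constants.RP_LOGOUT_PATH)
@Produces({MediaType.APPLICATION_JSON})
public Response logout() {
    try {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return generateResponse(Response.Status.OK, "");
    } catch (Exception ex) {
        // Log only through the application logger: the former printStackTrace()
        // duplicated the trace on stderr, outside log configuration. The log
        // entry previously named the wrong method ("isLoggedIn").
        WebauthnTutorialLogger.logp(Level.SEVERE, CLASSNAME, "logout", "WEBAUTHN-WS-ERR-1000", ex.getLocalizedMessage());
        return generateResponse(Response.Status.INTERNAL_SERVER_ERROR,
                WebauthnTutorialLogger.getMessageProperty("WEBAUTHN-WS-ERR-1000"));
    }
}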
 
Example 7
Source File: HttpManagementUtil.java    From qpid-broker-j with Apache License 2.0 5 votes vote down vote up
/**
 * Invalidates {@code session}, tolerating one that is already invalid.
 *
 * @param session the session to end; must not be {@code null}
 */
public static void invalidateSession(HttpSession session) {
    try {
        session.invalidate();
    } catch (IllegalStateException alreadyInvalidated) {
        // A second invalidation is not an error for callers.
    }
}
 
Example 8
Source File: SessionResource.java    From shiro-jersey with Apache License 2.0 5 votes vote down vote up
/**
 * Invalidates the HTTP session without logging out the Shiro subject; used to
 * exercise the remember-me token.
 *
 * @return a short confirmation message
 * @throws WebApplicationException with {@code 400 Bad Request} if the caller has no session
 */
@DELETE
public String invalidateHttpSession() {
    final HttpSession current = request.getSession(false);
    if (current != null) {
        current.invalidate();
        return "session invalidated";
    }
    throw new WebApplicationException(Status.BAD_REQUEST);
}
 
Example 9
Source File: SessionResource.java    From shiro-jersey with Apache License 2.0 5 votes vote down vote up
/**
 * Drops the HTTP session while leaving the Shiro subject logged in, so the
 * remember-me token can be tested on the next request.
 *
 * @return {@code "session invalidated"}
 * @throws WebApplicationException {@code 400 Bad Request} when there is no session to drop
 */
@DELETE
public String invalidateHttpSession() {
    HttpSession current = request.getSession(false);
    if (current == null) {
        throw new WebApplicationException(Status.BAD_REQUEST);
    }
    current.invalidate();
    return "session invalidated";
}
 
Example 10
Source File: LoginServlet.java    From Java-EE-VulnWeb with MIT License 5 votes vote down vote up
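/**
 * Handles a login form submission.
 *
 * <p>Credentials are checked through {@link BusinessServer#loginUser}. On
 * success any pre-existing session is invalidated and a fresh one created
 * before the user is attached to the request, so a session id presented
 * before authentication is never promoted to an authenticated one. Every
 * outcome is forwarded to {@code /message.jsp} with a {@code message}
 * attribute.
 *
 * <p>Unlike the original, a request without a {@code username}/{@code password}
 * parameter (null from {@code getParameter}) or without a session no longer
 * throws {@link NullPointerException}.
 *
 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
 *      response)
 */
protected void doPost(HttpServletRequest request, HttpServletResponse response)
		throws ServletException, IOException {
	String username = request.getParameter("username");
	String password = request.getParameter("password");
	if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
		forwardMessage(request, response, "用户名或密码为空");
		return;
	}
	BusinessServer bs = new BusinessServerImpl();
	User user;
	try {
		user = bs.loginUser(username, password);
	} catch (SQLException e) {
		forwardMessage(request, response, "未知错误");
		return;
	}
	if (user == null) {
		forwardMessage(request, response, "用户名或密码错误");
		return;
	}
	// Replace any session that existed before authentication.
	HttpSession previous = request.getSession(false);
	if (previous != null) {
		previous.invalidate();
	}
	request.getSession();
	request.setAttribute("message", "登录成功");
	request.setAttribute("user", user);
	request.getRequestDispatcher("/message.jsp").forward(request, response);
}

/** Forwards to the message page with {@code message} in the request's {@code message} attribute. */
private static void forwardMessage(HttpServletRequest request, HttpServletResponse response, String message)
		throws ServletException, IOException {
	request.setAttribute("message", message);
	request.getRequestDispatcher("/message.jsp").forward(request, response);
}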
 
Example 11
Source File: BaseAuthenticationFilter.java    From alfresco-remote-api with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * Remove the user from the session and expire the session - after failed ticket auth.
 * Does nothing when the request has no session (none is created).
 *
 * @param req HttpServletRequest
 */
protected void invalidateSession(HttpServletRequest req)
{
    HttpSession current = req.getSession(false);
    if (current == null)
    {
        return;
    }
    setExternalAuth(current, false);
    current.removeAttribute(getUserAttributeName());
    current.invalidate();
}
 
Example 12
Source File: LogoutServlet.java    From getting-started-java with Apache License 2.0 5 votes vote down vote up
/**
 * Logs the user out by invalidating the current session, if there is one,
 * and then starting a fresh, empty session.
 *
 * @param req  the current request
 * @param resp the response (untouched)
 * @throws IOException      declared for servlet compatibility
 * @throws ServletException declared for servlet compatibility
 */
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
    throws IOException, ServletException {
  // An authenticated logout request would also work; deleting the session
  // variables is enough here.
  final HttpSession existing = req.getSession(false);
  if (existing != null) {
    existing.invalidate();
  }
  // Start a new session so later handlers find one.
  req.getSession();
}
 
Example 13
Source File: OIDCFilterSessionStore.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Refreshes the Keycloak token bound to the current HTTP session and, when
 * the refresh fails, cleans up and invalidates that session.
 *
 * <p>Returns early when there is no session, no stored account, no security
 * context, or when the token is still active and the deployment does not
 * force a refresh on every request.
 */
@Override
public void checkCurrentToken() {
    HttpSession httpSession = request.getSession(false);
    if (httpSession == null) {
        return;
    }
    Object stored = httpSession.getAttribute(KeycloakAccount.class.getName());
    SerializableKeycloakAccount account = (SerializableKeycloakAccount) stored;
    if (account == null) {
        return;
    }

    RefreshableKeycloakSecurityContext securityContext = account.getKeycloakSecurityContext();
    if (securityContext == null) {
        return;
    }

    // The context loses its deployment when it is serialized with the session; re-attach it.
    if (securityContext.getDeployment() == null) {
        securityContext.setCurrentRequestInfo(deployment, this);
    }

    boolean refreshNeeded = !securityContext.isActive()
            || securityContext.getDeployment().isAlwaysRefreshToken();
    if (!refreshNeeded) {
        return;
    }

    // FYI: A refresh requires same scope, so same roles will be set.  Otherwise, refresh will fail and token will
    // not be updated
    boolean refreshed = securityContext.refreshExpiredToken(false);
    if (refreshed && securityContext.isActive()) {
        return;
    }

    // Refresh failed: the user is already logged out of Keycloak, so drop our session too.
    cleanSession(httpSession);
    httpSession.invalidate();
}
 
Example 14
Source File: HttpSessionManager.java    From keycloak with Apache License 2.0 5 votes vote down vote up
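/**
 * Invalidates every tracked HTTP session and then forgets them all.
 *
 * <p>A tracked session may already have been invalidated (timeout or an
 * explicit logout), in which case {@link HttpSession#invalidate()} throws
 * {@link IllegalStateException}. Such entries are skipped so that one stale
 * session cannot abort the loop and leave the remaining users logged in with
 * {@code sessions} never cleared.
 */
@Override
public void logoutAll() {
    log.info("Received request to log out all users.");
    for (HttpSession session : sessions.getAll()) {
        try {
            session.invalidate();
        } catch (IllegalStateException ignored) {
            // already invalidated -- nothing left to do for this entry
        }
    }
    sessions.clear();
}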
 
Example 15
Source File: TomcatTestServer.java    From olingo-odata4 with Apache License 2.0 5 votes vote down vote up
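/**
 * Invalidates every registered test session and clears the registry.
 *
 * <p>Holds the {@code ALL_SESSIONS} lock for the whole sweep. A session that
 * has already expired throws {@link IllegalStateException} from
 * {@link HttpSession#invalidate()}; it is skipped so that one stale entry
 * cannot abort the loop and leave the registry populated.
 */
public static void invalidateAllSession() {
  synchronized (ALL_SESSIONS) {
    LOG.info("Invalidated sessions...");
    for (Map.Entry<ServletContext, Set<HttpSession>> e : ALL_SESSIONS.entrySet()) {
      for (HttpSession s : e.getValue()) {
        try {
          s.invalidate();
        } catch (IllegalStateException ignored) {
          // already invalidated (e.g. timed out) -- nothing to do
        }
      }
    }
    ALL_SESSIONS.clear();
    LOG.info("...Invalidated all sessions.");
  }
}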
 
Example 16
Source File: UserController.java    From ssm-demo with Apache License 2.0 5 votes vote down vote up
/**
 * Logs the current user out of the system.
 *
 * @param session the session to end (injected by Spring)
 * @return redirect to the login page
 * @throws Exception propagated from session handling
 */
@RequestMapping("/logout")
public String logout(HttpSession session) throws Exception {
    session.invalidate();
    log.info("request: user/logout");
    final String target = "redirect:/login.jsp";
    return target;
}
 
Example 17
Source File: UserController.java    From Photo with GNU General Public License v3.0 5 votes vote down vote up
/**
 * Logs out by invalidating the session.
 *
 * @param session the session to end (injected by Spring)
 * @return the shared result object with status {@code SUCCESS}
 */
@RequestMapping("logout")
@ResponseBody
public ReturnResult logout(HttpSession session) {
	session.invalidate();
	ReturnResult result = returnResult.setStatus(ReturnCodeType.SUCCESS);
	return result;
}
 
Example 18
Source File: UserControll.java    From rebuild with GNU General Public License v3.0 4 votes vote down vote up
/**
 * Enables or disables a user, optionally moving them to another department
 * and role; mails a first-time activation notice and destroys the session of
 * a user that ends up inactive.
 *
 * @param request  JSON body with {@code user} and optional {@code dept}, {@code role}, {@code enable}
 * @param response receives the success payload
 * @throws IOException if writing the response fails
 */
@RequestMapping("enable-user")
public void enableUser(HttpServletRequest request, HttpServletResponse response) throws IOException {
	JSONObject body = (JSONObject) ServletUtils.getRequestJson(request);

	ID userId = ID.valueOf(body.getString("user"));
	User current = Application.getUserStore().getUser(userId);
	final boolean wasDisabled = current.isDisabled();

	// A department/role equal to the user's present one is treated as "no change" (null).
	ID deptNew = null;
	if (body.containsKey("dept")) {
		ID requested = ID.valueOf(body.getString("dept"));
		boolean unchanged = current.getOwningDept() != null
				&& current.getOwningDept().getIdentity().equals(requested);
		deptNew = unchanged ? null : requested;
	}
	ID roleNew = null;
	if (body.containsKey("role")) {
		ID requested = ID.valueOf(body.getString("role"));
		boolean unchanged = current.getOwningRole() != null
				&& current.getOwningRole().getIdentity().equals(requested);
		roleNew = unchanged ? null : requested;
	}

	Boolean enableNew = body.containsKey("enable") ? body.getBoolean("enable") : null;

	Application.getBean(UserService.class).updateEnableUser(userId, deptNew, roleNew, enableNew);

	// Re-read the user: the update may have changed the activation state.
	current = Application.getUserStore().getUser(userId);
	if (wasDisabled && current.isActive() && SMSender.availableMail() && current.getEmail() != null) {
		// Only a user with no login record yet gets the activation mail.
		Object loginRecord = Application.createQuery(
				"select logId from LoginLog where user = ?")
				.setParameter(1, current.getId())
				.unique();
		if (loginRecord == null) {
			String homeUrl = SysConfiguration.getHomeUrl();
			String content = Languages.defaultBundle().formatLang("NewUserAccountActive",
					current.getFullName(), homeUrl, homeUrl);
			SMSender.sendMailAsync(current.getEmail(),
					Languages.defaultBundle().lang("YourAccountActive"), content);
		}
	}

	// A user who is no longer active must not keep an authenticated session.
	if (!current.isActive()) {
		HttpSession live = Application.getSessionStore().getSession(current.getId());
		if (live != null) {
			LOG.warn("Force destroy user session : " + current.getId());
			live.invalidate();
		}
	}

	writeSuccess(response);
}
 
Example 19
Source File: DefaultLoginAPIAuthenticatorCmd.java    From cosmic with Apache License 2.0 4 votes vote down vote up
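/**
 * Authenticates a user from the {@code username}/{@code password}/domain
 * request parameters and returns the serialized login response.
 *
 * <p>Only HTTP POST is accepted. The domain may be given as an id (UUID or
 * numeric, via {@code DOMAIN_ID} or {@code DOMAIN__ID}) or as a path
 * ({@code DOMAIN}), which is normalised to start and end with {@code /}. On a
 * failed login the session is invalidated and an
 * {@link ApiErrorCode#ACCOUNT_ERROR} is thrown.
 *
 * @param command       API command name (unused here)
 * @param params        raw request parameters, each value an array of strings
 * @param session       the caller's HTTP session; invalidated when authentication fails
 * @param remoteAddress client address passed on to the login service
 * @param responseType  serialization format for the response
 * @param auditTrailSb  audit buffer that collects domain and outcome details
 * @param req           the servlet request (checked for the POST method)
 * @param resp          the servlet response (unused here)
 * @return the serialized login response
 * @throws ServerApiException for a non-POST request, an invalid domain id, or a failed login
 */
@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, final InetAddress remoteAddress, final String responseType,
                           final StringBuilder auditTrailSb,
                           final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    // Disallow non POST requests
    if (HTTPMethod.valueOf(req.getMethod()) != HTTPMethod.POST) {
        throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "Please use HTTP POST to authenticate using this API");
    }
    // FIXME: ported from ApiServlet, refactor and cleanup
    final String[] username = (String[]) params.get(ApiConstants.USERNAME);
    final String[] password = (String[]) params.get(ApiConstants.PASSWORD);
    String[] domainIdArr = (String[]) params.get(ApiConstants.DOMAIN_ID);

    if (domainIdArr == null) {
        domainIdArr = (String[]) params.get(ApiConstants.DOMAIN__ID);
    }
    final String[] domainName = (String[]) params.get(ApiConstants.DOMAIN);
    Long domainId = null;
    if ((domainIdArr != null) && (domainIdArr.length > 0)) {
        try {
            //check if UUID is passed in for domain
            domainId = _apiServer.fetchDomainId(domainIdArr[0]);
            if (domainId == null) {
                domainId = Long.parseLong(domainIdArr[0]);
            }
            auditTrailSb.append(" domainid=" + domainId);// building the params for POST call
        } catch (final NumberFormatException e) {
            s_logger.warn("Invalid domain id entered by user");
            auditTrailSb.append(" " + HttpServletResponse.SC_UNAUTHORIZED + " " + "Invalid domain id entered, please enter a valid one");
            throw new ServerApiException(ApiErrorCode.UNAUTHORIZED,
                    _apiServer.getSerializedApiError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid domain id entered, please enter a valid one", params,
                            responseType));
        }
    }

    String domain = null;
    // Length guard, as for domainIdArr above: an empty array is treated as absent
    // instead of throwing ArrayIndexOutOfBoundsException.
    if (domainName != null && domainName.length > 0) {
        domain = domainName[0];
        auditTrailSb.append(" domain=" + domain);
        if (domain != null) {
            // ensure domain starts with '/' and ends with '/'
            if (!domain.endsWith("/")) {
                domain += '/';
            }
            if (!domain.startsWith("/")) {
                domain = "/" + domain;
            }
        }
    }

    String serializedResponse = null;
    if (username != null && username.length > 0) {
        final String pwd = ((password == null || password.length == 0) ? null : password[0]);
        try {
            return ApiResponseSerializer.toSerializedString(_apiServer.loginUser(session, username[0], pwd, domainId, domain, remoteAddress, params),
                    responseType);
        } catch (final CloudAuthenticationException ex) {
            // TODO: fall through to API key, or just fail here w/ auth error? (HTTP 401)
            try {
                session.invalidate();
            } catch (final IllegalStateException ignored) {
                // The session may already have been invalidated; nothing left to clean up.
            }
            // Resolve the message once. The original wrote
            //   " " + ACCOUNT_ERROR + " " + ex.getMessage() != null ? ex.getMessage() : "failed ..."
            // and, because + binds tighter than !=, the test was always true: only
            // ex.getMessage() (the text "null" when absent) reached the audit trail and
            // the error-code prefix was lost.
            final String reason = ex.getMessage() != null ? ex.getMessage()
                    : "failed to authenticate user, check if username/password are correct";
            auditTrailSb.append(" " + ApiErrorCode.ACCOUNT_ERROR + " " + reason);
            serializedResponse =
                    _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), reason, params, responseType);
        }
    }
    // We should not reach here and if we do we throw an exception
    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, serializedResponse);
}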
 
Example 20
Source File: SakaiCasAuthenticationFilter.java    From sakai with Educational Community License v2.0 4 votes vote down vote up
/**
 * CAS authentication filter entry point.
 *
 * <p>Excluded URLs pass straight through. A request carrying a CAS assertion
 * in its session passes through as well, unless the user has logged out of
 * Sakai, in which case the session is invalidated so the stale assertion
 * cannot log them back in. Without an assertion, a request that carries a
 * ticket or was already gatewayed passes through; anything else is redirected
 * to the CAS login URL.
 *
 * @param servletRequest  must be an {@link HttpServletRequest}
 * @param servletResponse must be an {@link HttpServletResponse}
 * @param filterChain     the rest of the chain
 * @throws IOException      from the chain or the redirect
 * @throws ServletException from the chain
 */
public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;

    if (isRequestUrlExcluded(request)) {
        log.debug("Request is ignored.");
        filterChain.doFilter(request, response);
        return;
    }

    final HttpSession session = request.getSession(false);
    Assertion assertion = null;
    if (session != null) {
        assertion = (Assertion) session.getAttribute(CONST_CAS_ASSERTION);
    }

    if (assertion != null) {
        if (!loggedOutOfSakai()) {
            filterChain.doFilter(request, response);
            return;
        }
        log.debug("found a CAS assertion and we are logged out of Sakai. Invalidating the session so we don't get logged back on by an old assertion.");
        session.invalidate();
    }

    final String serviceUrl = constructServiceUrl(request, response);
    final String ticket = retrieveTicketFromRequest(request);
    final boolean wasGatewayed = this.gateway && this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);
    if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
        filterChain.doFilter(request, response);
        return;
    }

    log.debug("no ticket and no assertion found");
    final String modifiedServiceUrl;
    if (this.gateway) {
        log.debug("setting gateway attribute in session");
        modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
    } else {
        modifiedServiceUrl = serviceUrl;
    }

    if (log.isDebugEnabled()) {
        log.debug("Constructed service url: {}", modifiedServiceUrl);
    }

    final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getProtocol().getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);

    if (log.isDebugEnabled()) {
        log.debug("redirecting to \"{}\"", urlToRedirectTo);
    }
    this.authenticationRedirectStrategy.redirect(request, response, urlToRedirectTo);
}