jetty.project
Persistent OpenId sessions can throw IllegalStateException
Jetty version(s) all
Description
After an OpenId session is persisted to the SessionDataStore, the user identity is lost because it is a transient field in SessionAuthentication. This causes an IllegalStateException (ISE) when the Authenticator tries to revalidate the userIdentity of the SessionAuthentication saved under the SessionAuthentication.__J_AUTHENTICATED attribute.
java.lang.IllegalStateException: !UserIdentity
at org.eclipse.jetty.security.authentication.SessionAuthentication.getUserIdentity(SessionAuthentication.java:62)
at org.eclipse.jetty.security.openid.OpenIdAuthenticator.validateRequest(OpenIdAuthenticator.java:463)
at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:58)
at org.eclipse.jetty.server.Request.getUserPrincipal(Request.java:1633)
at org.eclipse.jetty.security.openid.OpenIdAuthenticationTest$HomePage.doGet(OpenIdAuthenticationTest.java:225)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:503)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
How to reproduce?
I have a test case to reproduce this on the branch https://github.com/eclipse/jetty.project/blob/jetty-10.0.x-OpenIdSessionSerialization
https://github.com/eclipse/jetty.project/blob/023f194f7a975d256776bdd284cd9c2ef4112762/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java#L164-L176
@janbartel thoughts?
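The failure mode above, as an added illustration that is not Jetty's own code: a simplified SessionAuthentication stand-in whose transient identity is dropped by a session-store round trip, shown beside a hardened accessor that re-resolves the identity from a trusted source and otherwise fails closed (unauthenticated) rather than throwing. The LoginService interface, class names and the "alice" directory entry are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionAuthDemo {
    // Hypothetical stand-in for a login service that can re-resolve a user by name.
    interface LoginService { String resolve(String name); }

    // Simplified model of the persisted authentication object described in the report.
    static class SessionAuth implements Serializable {
        private final String name;             // persisted with the session
        private transient String userIdentity; // transient: dropped on persistence
        SessionAuth(String name, String identity) { this.name = name; this.userIdentity = identity; }

        // Reproduces the failure in the stack trace: after a restore the identity is gone.
        String getUserIdentity() {
            if (userIdentity == null) throw new IllegalStateException("!UserIdentity");
            return userIdentity;
        }

        // Hardened accessor: re-resolve from a trusted source; null means "not
        // authenticated", so the caller can restart the login flow instead of a 500.
        String getUserIdentity(LoginService loginService) {
            if (userIdentity == null) userIdentity = loginService.resolve(name);
            return userIdentity;
        }
    }

    // Simulates a SessionDataStore round trip with plain Java serialization.
    static SessionAuth roundTrip(SessionAuth auth) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(auth); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (SessionAuth) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SessionAuth restored = roundTrip(new SessionAuth("alice", "alice@idp.example"));
        try {
            restored.getUserIdentity();
        } catch (IllegalStateException e) {
            System.out.println("restored session: " + e.getMessage());
        }
        // Constructed directory: only "alice" is known; anyone else resolves to null.
        LoginService directory = n -> "alice".equals(n) ? "alice@idp.example" : null;
        System.out.println("re-resolved: " + restored.getUserIdentity(directory));
    }
}
```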