Skip to content

Persistent OpenId sessions can throw IllegalStateException #8330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lachlan-roberts opened this issue Jul 25, 2022 · 1 comment · Fixed by #8792
Closed

Persistent OpenId sessions can throw IllegalStateException #8330

lachlan-roberts opened this issue Jul 25, 2022 · 1 comment · Fixed by #8792
Labels
Bug For general bugs on Jetty side

Comments

@lachlan-roberts
Copy link
Contributor

Jetty version(s)
all

Description
After persisting an OpenId session to the SessionDataStore the user identity is lost as it is a transient field in SessionAuthentication. This is causing an ISE when the Authenticator tries to revalidate the userIdentity of the SessionAuthentication saved at the SessionAuthentication.__J_AUTHENTICATED attribute.

java.lang.IllegalStateException: !UserIdentity
	at org.eclipse.jetty.security@10.0.12-SNAPSHOT/org.eclipse.jetty.security.authentication.SessionAuthentication.getUserIdentity(SessionAuthentication.java:62)
	at org.eclipse.jetty.security.openid@10.0.12-SNAPSHOT/org.eclipse.jetty.security.openid.OpenIdAuthenticator.validateRequest(OpenIdAuthenticator.java:463)
	at org.eclipse.jetty.security@10.0.12-SNAPSHOT/org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:58)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.Request.getUserPrincipal(Request.java:1633)
	at org.eclipse.jetty.security.openid@10.0.12-SNAPSHOT/org.eclipse.jetty.security.openid.OpenIdAuthenticationTest$HomePage.doGet(OpenIdAuthenticationTest.java:225)
	at jetty.servlet.api@4.0.6/javax.servlet.http.HttpServlet.service(HttpServlet.java:503)
	at jetty.servlet.api@4.0.6/javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at org.eclipse.jetty.security@10.0.12-SNAPSHOT/org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server@10.0.12-SNAPSHOT/org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)

How to reproduce?
I have a test case to reproduce this on the branch https://github.com/eclipse/jetty.project/blob/jetty-10.0.x-OpenIdSessionSerialization

https://github.com/eclipse/jetty.project/blob/023f194f7a975d256776bdd284cd9c2ef4112762/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java#L164-L176
@lachlan-roberts lachlan-roberts added the Bug For general bugs on Jetty side label Jul 25, 2022
@lachlan-roberts
Copy link
Contributor Author

@janbartel thoughts?

lachlan-roberts added a commit that referenced this issue Nov 1, 2022
@lachlan-roberts
Issue #8330 - fix persistence of sessions in OpenID
c60f38f 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts mentioned this issue Nov 1, 2022
Merged
@joakime joakime moved this from To do to 🔖 Review in progress in Jetty 10.0.13 / 11.0.13 - FROZEN Nov 9, 2022
@joakime joakime moved this from 🔖 Review in progress to To do in Jetty 10.0.13 / 11.0.13 - FROZEN Nov 9, 2022
Repository owner moved this from To do to ✅ Done in Jetty 10.0.13 / 11.0.13 - FROZEN Nov 10, 2022
lachlan-roberts added a commit that referenced this issue Nov 10, 2022
@lachlan-roberts
Merge pull request #8792 from eclipse/jetty-10.0.x-OpenIdSessionSeria…

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
4f633e9 
…lization

Issue #8330 - fix IllegalStateException from using OpenID with SessionDatastore
lachlan-roberts added a commit that referenced this issue Nov 10, 2022
@lachlan-roberts
Issue #8330 - port openid changes to ee10
3c9b912 
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@olamy olamy mentioned this issue Dec 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug For general bugs on Jetty side
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issue #8330 - fix IllegalStateException from using OpenID with SessionDatastore jetty/jetty.project
1 participant
@lachlan-roberts