001/* 
002    Licensed to the Apache Software Foundation (ASF) under one
003    or more contributor license agreements.  See the NOTICE file
004    distributed with this work for additional information
005    regarding copyright ownership.  The ASF licenses this file
006    to you under the Apache License, Version 2.0 (the
007    "License"); you may not use this file except in compliance
008    with the License.  You may obtain a copy of the License at
009
010       http://www.apache.org/licenses/LICENSE-2.0
011
012    Unless required by applicable law or agreed to in writing,
013    software distributed under the License is distributed on an
014    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015    KIND, either express or implied.  See the License for the
016    specific language governing permissions and limitations
017    under the License.  
018 */
019package org.apache.wiki.auth;
020
021import org.apache.logging.log4j.LogManager;
022import org.apache.logging.log4j.Logger;
023import org.apache.wiki.api.core.Engine;
024import org.apache.wiki.api.core.Session;
025import org.apache.wiki.api.spi.Wiki;
026import org.apache.wiki.event.WikiEventListener;
027import org.apache.wiki.event.WikiEventManager;
028import org.apache.wiki.event.WikiSecurityEvent;
029import org.apache.wiki.util.comparators.PrincipalComparator;
030
031import javax.servlet.http.HttpServletRequest;
032import javax.servlet.http.HttpSession;
033import javax.servlet.http.HttpSessionEvent;
034import javax.servlet.http.HttpSessionListener;
035import java.security.Principal;
036import java.util.ArrayList;
037import java.util.Arrays;
038import java.util.Collection;
039import java.util.Map;
040import java.util.WeakHashMap;
041import java.util.concurrent.ConcurrentHashMap;
042
043/**
044 *  <p>Manages Sessions for different Engines.</p>
045 *  <p>The Sessions are stored both in the remote user HttpSession and in the SessionMonitor for the Engine.
046 *  This class must be configured as a session listener in the web.xml for the wiki web application.</p>
047 */
048public class SessionMonitor implements HttpSessionListener {
049
050    private static final Logger log = LogManager.getLogger( SessionMonitor.class );
051
052    /** Map with Engines as keys, and SessionMonitors as values. */
053    private static final ConcurrentHashMap< Engine, SessionMonitor > c_monitors = new ConcurrentHashMap<>();
054
055    /** Weak hashmap with HttpSessions as keys, and WikiSessions as values. */
056    private final Map< String, Session > m_sessions = new WeakHashMap<>();
057
058    private Engine m_engine;
059
060    private final PrincipalComparator m_comparator = new PrincipalComparator();
061
062    /**
063     * Returns the instance of the SessionMonitor for this wiki. Only one SessionMonitor exists per Engine.
064     *
065     * @param engine the wiki engine
066     * @return the session monitor
067     */
068    public static SessionMonitor getInstance( final Engine engine ) {
069        if( engine == null ) {
070            throw new IllegalArgumentException( "Engine cannot be null." );
071        }
072        SessionMonitor monitor = c_monitors.get( engine );
073        if( monitor == null ) {
074            monitor = new SessionMonitor( engine );
075            c_monitors.put( engine, monitor );
076        }
077
078        return monitor;
079    }
080
081    /** Construct the SessionListener */
082    public SessionMonitor() {
083    }
084
085    private SessionMonitor( final Engine engine ) {
086        m_engine = engine;
087    }
088
089    /**
090     *  Just looks for a WikiSession; does not create a new one.
091     * This method may return <code>null</code>, <em>and
092     * callers should check for this value</em>.
093     *
094     *  @param session the user's HTTP session
095     *  @return the WikiSession, if found
096     */
097    private Session findSession( final HttpSession session ) {
098        final String sid = ( session == null ) ? "(null)" : session.getId();
099        return findSession( sid );
100    }
101
102    /**
103     *  Just looks for a WikiSession; does not create a new one.
104     * This method may return <code>null</code>, <em>and
105     * callers should check for this value</em>.
106     *
107     *  @param sessionId the user's HTTP session id
108     *  @return the WikiSession, if found
109     */
110    private Session findSession( final String sessionId ) {
111        Session wikiSession = null;
112        final String sid = ( sessionId == null ) ? "(null)" : sessionId;
113        final Session storedSession = m_sessions.get( sid );
114
115        // If the weak reference returns a wiki session, return it
116        if( storedSession != null ) {
117            log.debug( "Looking up WikiSession for session ID={}... found it", sid );
118            wikiSession = storedSession;
119        }
120
121        return wikiSession;
122    }
123
124    /**
125     * <p>Looks up the wiki session associated with a user's Http session and adds it to the session cache. This method will return the
126     * "guest session" as constructed by {@link org.apache.wiki.api.spi.SessionSPI#guest(Engine)} if the HttpSession is not currently
127     * associated with a WikiSession. This method is guaranteed to return a non-<code>null</code> WikiSession.</p>
128     * <p>Internally, the session is stored in a HashMap; keys are the HttpSession objects, while the values are
129     * {@link java.lang.ref.WeakReference}-wrapped WikiSessions.</p>
130     *
131     * @param session the HTTP session
132     * @return the wiki session
133     */
134    public final Session find( final HttpSession session ) {
135        final Session wikiSession = findSession( session );
136        final String sid = ( session == null ) ? "(null)" : session.getId();
137        if( wikiSession == null ) {
138            return createGuestSessionFor( sid );
139        }
140
141        return wikiSession;
142    }
143
144    /**
145     * <p>Looks up the wiki session associated with a user's Http session and adds it to the session cache. This method will return the
146     * "guest session" as constructed by {@link org.apache.wiki.api.spi.SessionSPI#guest(Engine)} if the HttpSession is not currently
147     * associated with a WikiSession. This method is guaranteed to return a non-<code>null</code> WikiSession.</p>
148     * <p>Internally, the session is stored in a HashMap; keys are the HttpSession objects, while the values are
149     * {@link java.lang.ref.WeakReference}-wrapped WikiSessions.</p>
150     *
151     * @param sessionId the HTTP session
152     * @return the wiki session
153     */
154    public final Session find( final String sessionId ) {
155        final Session wikiSession = findSession( sessionId );
156        if( wikiSession == null ) {
157            return createGuestSessionFor( sessionId );
158        }
159
160        return wikiSession;
161    }
162
163    /**
164     * Creates a new session and stashes it
165     *
166     * @param sessionId id looked for before creating the guest session
167     * @return a new guest session
168     */
169    private Session createGuestSessionFor( final String sessionId ) {
170        log.debug( "Session for session ID={}... not found. Creating guestSession()", sessionId );
171        final Session wikiSession = Wiki.session().guest( m_engine );
172        synchronized( m_sessions ) {
173            m_sessions.put( sessionId, wikiSession );
174        }
175        return wikiSession;
176    }
177
178    /**
179     * Removes the wiki session associated with the user's HttpRequest from the session cache.
180     *
181     * @param request the user's HTTP request
182     */
183    public final void remove( final HttpServletRequest request ) {
184        if( request == null ) {
185            throw new IllegalArgumentException( "Request cannot be null." );
186        }
187        remove( request.getSession() );
188    }
189
190    /**
191     * Removes the wiki session associated with the user's HttpSession from the session cache.
192     *
193     * @param session the user's HTTP session
194     */
195    public final void remove( final HttpSession session ) {
196        if( session == null ) {
197            throw new IllegalArgumentException( "Session cannot be null." );
198        }
199        synchronized( m_sessions ) {
200            m_sessions.remove( session.getId() );
201        }
202    }
203
204    /**
205     * Returns the current number of active wiki sessions.
206     * @return the number of sessions
207     */
208    public final int sessions()
209    {
210        return userPrincipals().length;
211    }
212
213    /**
214     * <p>Returns the current wiki users as a sorted array of Principal objects. The principals are those returned by
215     * each WikiSession's {@link Session#getUserPrincipal()}'s method.</p>
216     * <p>To obtain the list of current WikiSessions, we iterate through our session Map and obtain the list of values,
217     * which are WikiSessions wrapped in {@link java.lang.ref.WeakReference} objects. Those <code>WeakReference</code>s
218     * whose <code>get()</code> method returns non-<code>null</code> values are valid sessions.</p>
219     *
220     * @return the array of user principals
221     */
222    public final Principal[] userPrincipals() {
223        final Collection<Principal> principals = new ArrayList<>();
224        synchronized ( m_sessions ) {
225            for ( final Session session : m_sessions.values()) {
226                principals.add( session.getUserPrincipal() );
227            }
228        }
229        final Principal[] p = principals.toArray( new Principal[0] );
230        Arrays.sort( p, m_comparator );
231        return p;
232    }
233
234    /**
235     * Registers a WikiEventListener with this instance.
236     *
237     * @param listener the event listener
238     * @since 2.4.75
239     */
240    public final synchronized void addWikiEventListener( final WikiEventListener listener ) {
241        WikiEventManager.addWikiEventListener( this, listener );
242    }
243
244    /**
245     * Un-registers a WikiEventListener with this instance.
246     *
247     * @param listener the event listener
248     * @since 2.4.75
249     */
250    public final synchronized void removeWikiEventListener( final WikiEventListener listener ) {
251        WikiEventManager.removeWikiEventListener( this, listener );
252    }
253
254    /**
255     * Fires a WikiSecurityEvent to all registered listeners.
256     *
257     * @param type  the event type
258     * @param principal the user principal associated with this session
259     * @param session the wiki session
260     * @since 2.4.75
261     */
262    protected final void fireEvent( final int type, final Principal principal, final Session session ) {
263        if( WikiEventManager.isListening( this ) ) {
264            WikiEventManager.fireEvent( this, new WikiSecurityEvent( this, type, principal, session ) );
265        }
266    }
267
268    /**
269     * Fires when the web container creates a new HTTP session.
270     * 
271     * @param se the HTTP session event
272     */
273    @Override
274    public void sessionCreated( final HttpSessionEvent se ) {
275        final HttpSession session = se.getSession();
276        log.debug( "Created session: " + session.getId() + "." );
277    }
278
279    /**
280     * Removes the user's WikiSession from the internal session cache when the web
281     * container destroys an HTTP session.
282     * @param se the HTTP session event
283     */
284    @Override
285    public void sessionDestroyed( final HttpSessionEvent se ) {
286        final HttpSession session = se.getSession();
287        for( final SessionMonitor monitor : c_monitors.values() ) {
288            final Session storedSession = monitor.findSession( session );
289            monitor.remove( session );
290            log.debug( "Removed session " + session.getId() + "." );
291            if( storedSession != null ) {
292                fireEvent( WikiSecurityEvent.SESSION_EXPIRED, storedSession.getLoginPrincipal(), storedSession );
293            }
294        }
295    }
296
297}