

KNL-1590 - Add session.parameter.allow.bypass (sakaiproject#5431)
* KNL-1590 - Add session.parameter.allow.bypass

Make ContentItem work without requiring session.parameter.allow
by adding a finer grain regex based on the URI.

session.parameter.allow.bypass=sakai.basiclti.admin.helper.helper

* KNL-1590 - Add try / catch

Good suggestion from Matt - ensures Sakai startup
csev authored May 17, 2018
1 parent 0b2c49e commit 63b4764
Showing 1 changed file with 31 additions and 3 deletions.
34 changes: 31 additions & 3 deletions kernel/api/src/main/java/org/sakaiproject/util/RequestFilter.java
Expand Up @@ -26,6 +26,8 @@
import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.util.*;
import java.util.regex.Pattern;
import java.util.regex.Matcher;

import javax.servlet.*;
import javax.servlet.http.*;
Expand Down Expand Up @@ -184,6 +186,11 @@ public class RequestFilter implements Filter

/** The name of the Sakai property to allow passing a session id in the ATTR_SESSION request parameter */
protected static final String SAKAI_SESSION_PARAM_ALLOW = "session.parameter.allow";

/** The name of the Sakai property of a URL regular expression that always allows ATTR_SESSION request parameter */
protected static final String SAKAI_SESSION_PARAM_ALLOW_BYPASS = "session.parameter.allow.bypass";
protected static final String SAKAI_SESSION_PARAM_ALLOW_BYPASS_DEFAULT =
"sakai\\.basiclti\\.admin\\.helper\\.helper";

/** The tools allowed as lti provider **/
protected static final String SAKAI_BLTI_PROVIDER_TOOLS = "basiclti.provider.allowedtools";
Expand Down Expand Up @@ -234,7 +241,8 @@ public class RequestFilter implements Filter

/** Allow setting the cookie in a request parameter */
protected boolean m_sessionParamAllow = false;

protected Pattern m_sessionParamRegex = null;

/** The name of the cookie we use to keep sakai session. */
protected String cookieName = "JSESSIONID";

Expand Down Expand Up @@ -813,7 +821,20 @@ else if ("tool".equalsIgnoreCase(s))
cookieDomain = System.getProperty(SAKAI_COOKIE_DOMAIN);
}

// session id provided in a request parameter?
m_sessionParamAllow = serverConfigurationService.getBoolean(SAKAI_SESSION_PARAM_ALLOW, false);
String allowBypassSession = serverConfigurationService.getString(SAKAI_SESSION_PARAM_ALLOW_BYPASS,
SAKAI_SESSION_PARAM_ALLOW_BYPASS_DEFAULT);
if ( ! "none".equals(allowBypassSession) ) {
try {
m_sessionParamRegex = Pattern.compile(allowBypassSession);
}
catch( Exception e )
{
log.warn("Unable to compile " + SAKAI_SESSION_PARAM_ALLOW + "=" + allowBypassSession);
m_sessionParamRegex = null;
}
}

// retrieve option to enable or disable cookie HttpOnly
m_cookieHttpOnly = serverConfigurationService.getBoolean(SAKAI_COOKIE_HTTP_ONLY, true);
Expand Down Expand Up @@ -1062,7 +1083,14 @@ protected Session assureSession(HttpServletRequest req, HttpServletResponse res)
boolean auto = req.getParameter(PARAM_AUTO) != null;

// session id provided in a request parameter?
boolean reqsession = m_sessionParamAllow && req.getParameter(ATTR_SESSION) != null;
boolean matched = false;
if ( m_sessionParamRegex != null ) {
String uri = req.getRequestURI();
Matcher m = m_sessionParamRegex.matcher(uri.toLowerCase());
matched = m.find();
}

boolean reqsession = (matched || m_sessionParamAllow) && req.getParameter(ATTR_SESSION) != null;

String suffix = getCookieSuffix();

Expand Down Expand Up @@ -1097,7 +1125,7 @@ protected Session assureSession(HttpServletRequest req, HttpServletResponse res)
// if no principal, check request parameter and cookie
if (sessionId == null || s == null)
{
if (m_sessionParamAllow) {
if (matched || m_sessionParamAllow) {
sessionId = req.getParameter(ATTR_SESSION);
}

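Review bot: In assureSession the bypass applies `m_sessionParamRegex` with `find()` to the raw, lower-cased `getRequestURI()`, so with the unanchored default pattern any request whose URI merely contains that substring somewhere in its path enables reading the session id from the `ATTR_SESSION` parameter, not just the helper the commit message targets; the pattern should be anchored to the segment it is meant to identify (or applied to a normalized path), and the Javadoc on `SAKAI_SESSION_PARAM_ALLOW_BYPASS` should state that the value is matched unanchored against the lower-cased request URI so administrators anchor their own. `uri.toLowerCase()` should be `uri.toLowerCase(Locale.ROOT)` (`java.util.*` is already imported) so locale-specific casing cannot change what the pattern sees. The warning in the init hunk names the wrong property and should read `log.warn("Unable to compile " + SAKAI_SESSION_PARAM_ALLOW_BYPASS + "=" + allowBypassSession);`, and `catch( Exception e )` there could be narrowed to `PatternSyntaxException`, which is what `Pattern.compile` throws. The body of assureSession continues outside the hunk.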

