Пример #1
0
        static void AuthorizeRequest(object sender, EventArgs e)
        {
            SessionInfo session=null;
            try
            {
                if (HttpContext.Current.User.Identity.IsAuthenticated && HttpContext.Current.User.Identity is FormsIdentity)
                {
                    // Note: If user signed out in another window, the ticket would have been 
                    // removed from the browser and this code shoudn't be executed.
                    
                    // resemble the SessionInfo from the ticket.
                    FormsIdentity loginId = (FormsIdentity) HttpContext.Current.User.Identity ;
                    FormsAuthenticationTicket ticket = loginId.Ticket;

                    String[] fields = ticket.UserData.Split('|');
                    String tokenId = fields[0];
                    String userDisplayName = fields[1];
                    SessionToken token = new SessionToken(tokenId, ticket.Expiration);
                    session = new SessionInfo(loginId.Name, userDisplayName, token);

                    // Initialize the session. This will throw exception if the session is no longer
                    // valid. For eg, time-out.
                    SessionManager.InitializeSession(session);
                }

                if (String.IsNullOrEmpty(Thread.CurrentThread.Name))
                {
                    String user = SessionManager.Current != null ? SessionManager.Current.User.Identity.Name : "Unknown";

                    Thread.CurrentThread.Name =
                        String.Format(SR.WebGUILogHeader, 
                            HttpContext.Current.Request.UserHostAddress,
                            HttpContext.Current.Request.Browser.Browser,
                            HttpContext.Current.Request.Browser.Version,
                            user);
                }
                
            }
            catch (SessionValidationException)
            {
                // SessionValidationException is thrown when the session id is invalid or the session already expired.
                // If session already expired, 
                if (session != null && session.Credentials.SessionToken.ExpiryTime < Platform.Time)
                {
                    SessionManager.SignOut(session);
                }
                else
                {
                    // redirect to login screen
                    SessionManager.TerminateSession("The current session is no longer valid.", SR.MessageCurrentSessionNoLongerValid);
                }
            }
            catch(Exception ex)
            {
                // log the exception
                ExceptionHandler.ThrowException(ex);
            }
            
           
        }
Пример #2
0
        /// <summary>
        /// Sets up the principal for the thread and save the authentiction ticket.
        /// </summary>
        /// <param name="session"></param>
        public static void InitializeSession(SessionInfo session)
        {
            // this should throw exception if the session is no longer valid. It also loads the authority tokens}
            if (!session.Valid)
            {
                throw new Exception("This session is no longer valid");
            }
            Current = session;

            string loginId = session.User.Identity.Name;
            var identity = session.User.Identity as CustomIdentity;
            
            if (identity == null)
            {
                Platform.CheckForNullReference(identity, "identity"); // throw exception
            }
            else
            {
                string displayName = identity.DisplayName;
                SessionToken token = session.Credentials.SessionToken;
                string[] authorities = session.Credentials.Authorities;                

                String data = String.Format("{0}|{1}|{2}|{3}", token.Id, displayName, 
                    StringUtilities.Combine(session.User.WarningMessages,"@"), session.User.WarningsDisplayed);

                // the expiry time is determined by the authentication service
                DateTime expiryTime = token.ExpiryTime; 
                
                var authTicket = new
                    FormsAuthenticationTicket(2,  // version
                                              loginId,         // user name
                                              Platform.Time,   // creation
                                              expiryTime,      // Expiration
                                              false,           // Persistent
                                              data);           // User data

                // Now encrypt the ticket.
                string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
                // Create a cookie with the encrypted data
                var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

                //Create an unencrypted cookie that contains the userid and the expiry time so the browser
                //can check for session timeout.

                //TODO: store the expiry time as epoch instead so we don't need to deal with format or regional settings madness
                var expiryCookie = new HttpCookie(GetExpiryTimeCookieName(session), DateTimeFormatter.Format(expiryTime.ToUniversalTime(), ImageServerConstants.CookieDateTimeFormat));
                
                HttpContext.Current.Response.Cookies.Add(authCookie);
                HttpContext.Current.Response.Cookies.Add(expiryCookie);
                
                SessionTimeout = expiryTime.ToUniversalTime() - Platform.Time.ToUniversalTime();
            }
        }
Пример #3
0
		/// <summary>
		/// Gets the redirect url for the current session
		/// </summary>
		/// <param name="session"></param>
		/// <returns></returns>
		public static String GetRedirectUrl(SessionInfo session)
		{
			Platform.CheckForNullReference(session, "session");

			var redirectUrl = FormsAuthentication.GetRedirectUrl(session.User.Identity.Name, false);
			if (VirtualPathUtility.IsAbsolute(redirectUrl) || VirtualPathUtility.IsAppRelative(redirectUrl))
			{
				return redirectUrl;
			}

			var tokenParam = "userId=" + session.User.Identity.Name + "&sessionId=" + session.Credentials.SessionToken.Id;
			var uri = new UriBuilder(redirectUrl);
			uri.Query = string.IsNullOrEmpty(uri.Query) ? tokenParam : uri.Query.Substring(1)+"&" + tokenParam;
			
			return uri.ToString();
		}
Пример #4
0
        private static void ForceOtherPagesToLogout(SessionInfo session)
        {
            //NOTE: SessionTimeout.ascx must be updated if this method  is modified.

			// Ideally we want to remove the expiry time cookie on the client.
			// However, this is not possible. We can only update the cookie.
			// By removing the expiry time value in the cookie, we are implicity 
			// other pages to redirect to the login page instead. (see SessionTimeout.ascx)
            HttpCookie expiryCookie = new HttpCookie(GetExpiryTimeCookieName(session))
            {
                Expires = Platform.Time.AddMinutes(5),
                Value = string.Empty
            };

            HttpContext.Current.Response.Cookies.Set(expiryCookie);
        }
Пример #5
0
        public static string GetExpiryTimeCookieName(SessionInfo session)
        {
            if (session == null)
                return null;

            string loginId = session.User.Identity.Name;
            return "ImageServer." + loginId;
        }
Пример #6
0
        public static void SignOut(SessionInfo session)
        {

            FormsAuthentication.SignOut();
            
            if (session != null)
            {
                try
                {
                    ForceOtherPagesToLogout(session);

                    using (LoginService service = new LoginService())
                    {
                        service.Logout(session.Credentials.SessionToken.Id);
                    }
                }
                catch (NotSupportedException)
                {
                    //ignore this.
                }
                catch (Exception e)
                {
                    Platform.Log(LogLevel.Warn, e, "Failed to log user out.");
                }

                UserAuthenticationAuditHelper audit = new UserAuthenticationAuditHelper(
                    ServerPlatform.AuditSource,
                    EventIdentificationContentsEventOutcomeIndicator.Success,
                    UserAuthenticationEventType.Logout);
                audit.AddUserParticipant(new AuditPersonActiveParticipant(
                                             session.Credentials.UserName,
                                             null,
                                             session.Credentials.DisplayName));
                ServerPlatform.LogAuditMessage(audit);
            }
            

        
        }
Пример #7
0
        public static void SignOut(SessionInfo session)
        {

            FormsAuthentication.SignOut();
            
            if (session != null)
            {
                try
                {
                    ForceOtherPagesToLogout(session);

                    using (LoginService service = new LoginService())
                    {
                        service.Logout(session.Credentials.SessionToken.Id);
                    }
                }
                catch (NotSupportedException)
                {
                    //ignore this.
                }
                catch (Exception e)
                {
                    Platform.Log(LogLevel.Warn, e, "Failed to log user out.");
                }
            }
        }
Пример #8
0
        public SessionInfo Login(string userName, string password, string appName)
        {
            if (string.IsNullOrEmpty(userName))
                throw new ArgumentException(SR.UserIDIsEmpty);

            if (string.IsNullOrEmpty(password))
                throw new ArgumentException(SR.PasswordIsEmpty);

            Platform.CheckForEmptyString(password, "password");
            Platform.CheckForEmptyString(appName, "appName");

            SessionInfo session = null;
            
            Platform.GetService(
                delegate(IAuthenticationService  service)
                    {
                        try
                        {
                            var request = new InitiateSessionRequest(userName, appName,
                                                                     Dns.GetHostName(), password)
                                              {
                                                  GetAuthorizations = true
                                              };

                            InitiateSessionResponse response = service.InitiateSession(request);
                            if (response != null)
                            {
                                var credentials = new LoginCredentials
                                                      {
                                                          UserName = userName,
                                                          DisplayName = response.DisplayName,
                                                          SessionToken = response.SessionToken,
                                                          Authorities = response.AuthorityTokens,
                                                          DataAccessAuthorityGroups = response.DataGroupOids,
                                                          EmailAddress = response.EmailAddress
                                                      };
                                var user = new CustomPrincipal(new CustomIdentity(userName, response.DisplayName),credentials);
                                Thread.CurrentPrincipal = user;

                                session = new SessionInfo(user);
                                session.User.WarningMessages = response.WarningMessages;

                                // Note: need to insert into the cache before calling SessionInfo.Validate()
                                SessionCache.Instance.AddSession(response.SessionToken.Id, session);
                                session.Validate();
                                
                                Platform.Log(LogLevel.Info, "{0} has successfully logged in.", userName);                                
                            }                            
                        }
                        catch (FaultException<PasswordExpiredException> ex)
                        {
                            throw ex.Detail;
                        }
                        catch(FaultException<UserAccessDeniedException> ex)
                        {
                            throw ex.Detail;
                        }
                        catch (FaultException<RequestValidationException> ex)
                        {
                            throw ex.Detail;
                        }
                    }
                );

            return session;
        }
Пример #9
0
 private void CleanupSession(SessionInfo session)
 {
     lock (_sync)
     {
         using (var service = new LoginService())
         {
             try
             {
                 try
                 {
                     service.Logout(session.Credentials.SessionToken.Id);
                 }
                 catch(Exception ex)
                 {
                     Platform.Log(LogLevel.Warn, ex, "Unable to terminate session {0} gracefully",
                                  session.Credentials.SessionToken.Id);
                 }
             }
             finally
             {
                 RemoveSession(session.Credentials.SessionToken.Id);
             }
         }
     }
 }
Пример #10
0
        private void OnSessionRemoved(SessionInfo session)
        {

        }
Пример #11
0
        public void AddSession(string id, SessionInfo session)
        {
            lock (_sync)
            {
                _cacheSessionInfo.Add(id, session);
            }

        }
        static void AuthorizeRequest(object sender, EventArgs e)
        {
            SessionInfo session=null;
            try
            {
                if (HttpContext.Current.User.Identity.IsAuthenticated && HttpContext.Current.User.Identity is FormsIdentity)
                {
                    // Note: If user signed out in another window, the ticket would have been 
                    // removed from the browser and this code shoudn't be executed.
                    
                    // resemble the SessionInfo from the ticket.
                    var loginId = (FormsIdentity) HttpContext.Current.User.Identity ;
                    FormsAuthenticationTicket ticket = loginId.Ticket;

                    String[] fields = ticket.UserData.Split('|');
                    String tokenId = fields[0];
                    String userDisplayName = fields[1];
                    SessionToken token = new SessionToken(tokenId, ticket.Expiration);
                    session = new SessionInfo(loginId.Name, userDisplayName, token);
                     
                    if (ticket.Version > 1)
                    {
                        if (!string.IsNullOrEmpty(fields[2]))
                        {
                            var warningMessages = fields[2].Split('@');
                            session.User.WarningMessages = warningMessages.Length > 0 
                                ? new List<string>(warningMessages) : new List<string>();
                        }

                        if (!string.IsNullOrEmpty(fields[3]))
                        {
                            session.User.WarningsDisplayed = bool.Parse(fields[3]);
                        }
                    }

                    // Initialize the session. This will throw exception if the session is no longer
                    // valid. For eg, time-out.
                    SessionManager.InitializeSession(session);
                }

            	// TODO (CR Jan 2014): This is a worker thread, and thread names can only be 
				// set once. This will forever give false information after the first use.
                if (String.IsNullOrEmpty(Thread.CurrentThread.Name))
                {
                    String user = SessionManager.Current != null ? SessionManager.Current.User.Identity.Name : "Unknown";

                    Thread.CurrentThread.Name =
                        String.Format(SR.WebGUILogHeader, 
                            HttpContext.Current.Request.UserHostAddress,
                            HttpContext.Current.Request.Browser.Browser,
                            HttpContext.Current.Request.Browser.Version,
                            user);
                }
                
            }
            catch (SessionValidationException)
            {
                // SessionValidationException is thrown when the session id is invalid or the session already expired.
                // If session already expired, 
                if (session != null && session.Credentials.SessionToken.ExpiryTime < Platform.Time)
                {
                    SessionManager.SignOut(session);
                }
                else
                {
                    // redirect to login screen
                    SessionManager.TerminateSession("The current session is no longer valid.", SR.MessageCurrentSessionNoLongerValid);
                }
            }
            catch(Exception ex)
            {
                // log the exception
                ExceptionHandler.ThrowException(ex);
            }
            
           
        }
Пример #13
0
        public SessionInfo VerifySession(string userId, string sessionTokenId)
        {
            SessionInfo sessionInfo = SessionCache.Instance.Find(sessionTokenId);
            if (sessionInfo != null) return sessionInfo;

            // Session does not exist in the cache.
            // Go to the server to see if the session exists
            // It may 
            var request = new ValidateSessionRequest(userId, new SessionToken(sessionTokenId))
            {
                GetAuthorizations = true,
                ValidateOnly = false // load the tokens too since we don't know anything about session yet
            };

            try
            {
                using (new ResponseCacheBypassScope()) //bypass the response cache
                {
                    Platform.GetService(
                    delegate(IAuthenticationService service)
                    {

                        ValidateSessionResponse response = service.ValidateSession(request);
                        sessionInfo = new SessionInfo(userId, userId, response.SessionToken);

                        SessionCache.Instance.AddSession(sessionTokenId, sessionInfo);
                        sessionInfo.Validate();

                    });

                }
                
                return sessionInfo;
            }
            catch (FaultException<InvalidUserSessionException> ex)
            {
                SessionCache.Instance.RemoveSession(sessionTokenId);
                throw new SessionValidationException(ex.Detail);
            }
            catch (FaultException<UserAccessDeniedException> ex)
            {
                SessionCache.Instance.RemoveSession(sessionTokenId);
                throw new SessionValidationException(ex.Detail);
            }
            catch (Exception ex)
            {
                //TODO: for now we can't distinguish communicate errors and credential validation errors.
                // All exceptions are treated the same: we can't verify the session.
                var e = new SessionValidationException(ex);
                throw e;
            }         
        }