Add Session Management feature #2288

pamodaaw · 2019-07-15T11:11:02Z

Description

This PR contains the session management functionality.
New functions were added to

view all the active sessions of a given user id
delete all the active sessions of a given user id
delete a session of given session id

Approach

Two tables to store the user's application information.

IDN_AUTH_APP_SESSION_STORE
IDN_AUTH_SESSION_META_DATA

CREATE TABLE IF NOT EXISTS IDN_AUTH_APP_SESSION_STORE (
            SESSION_ID VARCHAR (100) NOT NULL,
            SUBJECT VARCHAR (100) NOT NULL,
            APP_ID VARCHAR (10) NOT NULL,
            APP_TENANT_ID VARCHAR(10) NOT NULL,
            INBOUND_AUTH_TYPE VARCHAR (255) NOT NULL,
            PRIMARY KEY (SESSION_ID, SUBJECT, APP_ID, APP_TENANT_ID, INBOUND_AUTH_TYPE) );

 CREATE TABLE IF NOT EXISTS IDN_AUTH_SESSION_META_DATA (
            SESSION_ID VARCHAR (100) NOT NULL,
            PROPERTY_TYPE VARCHAR (100) NOT NULL,
            VALUE VARCHAR (255) NOT NULL,
            PRIMARY KEY (SESSION_ID, PROPERTY_TYPE, VALUE));

These tables get populated during the authentication flow.

Related Issues

#1832
wso2/product-is#5769

Checklist (for reviewing)

General

Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
Is the PR labeled correctly?

Functionality

Are all requirements met? Compare implemented functionality with the requirements specification.
Does the UI work as expected? There should be no Javascript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won’t regress. Make sure that the tests break without the new code to fix the issue.
If this is a new feature or a significant change to an existing feature? has the manual testing spreadsheet been updated with instructions for manual testing?

Security

Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
Are all UI and API inputs run through forms or serializers?
Are all external inputs validated and sanitized appropriately?
Does all branching logic have a default case?
Does this solution handle outliers and edge cases gracefully?
Are all external communications secured and restricted to SSL?

Documentation

Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes should be documented.
Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented.
Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

Session termination service

…ework into session-mgt-feature-updated

...ation/authentication/framework/handler/request/impl/DefaultAuthenticationRequestHandler.java

ruwanta

Few changes

.../main/java/org/wso2/carbon/identity/application/authentication/framework/util/JdbcUtils.java

...ication/authentication/framework/exception/session/mgt/SessionManagementClientException.java

.../wso2/carbon/identity/application/authentication/framework/UserSessionManagementService.java

...n/java/org/wso2/carbon/identity/application/authentication/framework/dao/UserSessionDAO.java

janakamarasena · 2019-07-15T12:22:11Z

...g/wso2/carbon/identity/application/authentication/framework/dao/impl/UserSessionDAOImpl.java

+import org.wso2.carbon.database.utils.jdbc.exceptions.DataAccessException;
+import org.wso2.carbon.identity.application.authentication.framework.dao.UserSessionDAO;
+import org.wso2.carbon.identity.application.authentication.framework.exception.session.mgt
+        .SessionManagementServerException;


I think a single line would have better readability.

Then it will exceed the max length of that line. Is it okay break that rule for readability?

...g/wso2/carbon/identity/application/authentication/framework/dao/impl/UserSessionDAOImpl.java

...y/application/authentication/framework/exception/session/mgt/SessionManagementException.java

…daaw/carbon-identity-framework into session-mgt-feature-updated

...va/org/wso2/carbon/identity/application/authentication/framework/store/UserSessionStore.java

ashensw · 2019-07-17T08:16:38Z

...ation/authentication/framework/handler/request/impl/DefaultAuthenticationRequestHandler.java

@@ -543,6 +568,35 @@ private void storeSessionData(AuthenticationContext context, String sessionConte
                        "user store domain: " + userStoreDomain + " in tenant domain: " + tenantDomain , e);
            }
        }
+
+        try {
+            if (appId != -1 && !UserSessionStore.getInstance().isExistingAppSession(sessionContextKey, subject,


Better to move this -1 to a constant with a descriptive name.

...g/wso2/carbon/identity/application/authentication/framework/dao/impl/UserSessionDAOImpl.java

…ework into session-mgt-feature-updated

IsuraD · 2019-07-23T05:17:31Z

...g/wso2/carbon/identity/application/authentication/framework/dao/impl/UserSessionDAOImpl.java

+                    case SessionMgtConstants.LOGIN_TIME:
+                        userSession.setLoginTime(value);
+                    default:
+                        break;


why do we need to break by default?

Removed the default break

...ication/authentication/framework/exception/session/mgt/SessionManagementClientException.java

IsuraD · 2019-07-23T05:18:39Z

...y/application/authentication/framework/exception/session/mgt/SessionManagementException.java

+        this.description = description;
+    }
+
+    // The constructor is made private to avoid generating exceptions without error code and description.


use /** for the method level comments. Also the constructor is not private.

...y/application/authentication/framework/exception/session/mgt/SessionManagementException.java

IsuraD · 2019-07-23T06:51:55Z

...ication/authentication/framework/exception/session/mgt/SessionManagementServerException.java

+        super(error, description, cause);
+    }
+
+    // The constructor is made private to avoid generating exceptions without error code and description.


use /** for the method level comments.

IsuraD · 2019-07-23T13:47:17Z

...g/wso2/carbon/identity/application/authentication/framework/store/SessionCleanUpService.java

@@ -20,6 +20,8 @@

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;


unused imports

pamodaaw · 2019-07-26T08:24:15Z

For this feature to execute, we need to add the following configuration in identity.xml under SessionDataPersist tag

<UserSessionMapping>
     <Enable>true</Enable>
</UserSessionMapping>

Abilashini and others added 18 commits December 3, 2018 20:53

Session termination during user password reset and user delete

8c29d4e

Merge remote-tracking branch 'origin/master' into pr-2000

3a2c7f5

Refactor session termination service.

41ec2af

Merge pull request wso2#2020 from malithie/pr-2000

8a4be93

Session termination service

Storing session related information

e252e04

Storing session related information

6dfa4bd

Storing session related information

131b488

Storing session related information

8f531be

Refactor

1d9b8ec

Refactor

d66279f

Merge branch 'master' of https://github.com/wso2/carbon-identity-fram…

4282ee9

…ework into session-mgt-feature-updated

Add user session management implementation

359f265

Merge branch 'master' of https://github.com/wso2/carbon-identity-fram…

3065647

…ework into session-mgt-feature-updated

Add session termination functions

5673737

Merge branch 'master' of https://github.com/wso2/carbon-identity-fram…

806c4fe

…ework into session-mgt-feature-updated

Remove session information when terminated

fe191b8

Merge branch 'master' of https://github.com/wso2/carbon-identity-fram…

5578233

…ework into session-mgt-feature-updated

Refactor code of session Mgt

9e0a64f

ruwanta reviewed Jul 15, 2019

View reviewed changes

...ation/authentication/framework/handler/request/impl/DefaultAuthenticationRequestHandler.java Outdated Show resolved Hide resolved

ruwanta reviewed Jul 15, 2019

View reviewed changes

...ation/authentication/framework/handler/request/impl/DefaultAuthenticationRequestHandler.java Outdated Show resolved Hide resolved

ruwanta suggested changes Jul 15, 2019

View reviewed changes

sachiniWettasinghe reviewed Jul 15, 2019

View reviewed changes

.../main/java/org/wso2/carbon/identity/application/authentication/framework/util/JdbcUtils.java Outdated Show resolved Hide resolved

sachiniWettasinghe reviewed Jul 15, 2019

View reviewed changes

.../main/java/org/wso2/carbon/identity/application/authentication/framework/util/JdbcUtils.java Outdated Show resolved Hide resolved

sachiniWettasinghe reviewed Jul 15, 2019

View reviewed changes

...ication/authentication/framework/exception/session/mgt/SessionManagementClientException.java Outdated Show resolved Hide resolved