SEC-1619: Added check in GAE sample for change of Google user while still logged into the app.

Also updated GAE version and build script. Uploading to GAE now works when run from the gradle build file using the command 'gradle gaeDeploy'.
15 years ago · 37810a19c4
4 changed files with 32 additions and 7 deletions
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@ -30,7 +30,7 @@ dependencies {
				@@ -30,7 +30,7 @@ dependencies {

 // GAE
 dependencies {
-    compile 'com.google.appengine:appengine-tools-api:1.3.5'
+    compile 'com.google.appengine:appengine-tools-api:1.3.7'
 }

 task ide(type: Copy)  {
--- a/buildSrc/src/main/groovy/gae/GaePlugin.groovy
+++ b/buildSrc/src/main/groovy/gae/GaePlugin.groovy
@ -20,7 +20,7 @@ class GaePlugin implements Plugin<Project> {
				@@ -20,7 +20,7 @@ class GaePlugin implements Plugin<Project> {
        project.gaeDeploy.dependsOn project.war

        project.war.doLast {
-          ant.unzip(src: project.war.archivePath, dest: explodedWar)
+            ant.unzip(src: project.war.archivePath, dest: explodedWar)
        }
    }
 }
--- a/samples/gae/gae.gradle
+++ b/samples/gae/gae.gradle
@ -2,7 +2,7 @@ apply plugin: 'war'
				@@ -2,7 +2,7 @@ apply plugin: 'war'
 apply plugin: 'jetty'
 apply plugin: 'gae'

-gaeVersion="1.3.5"
+gaeVersion="1.3.7"

 repositories {
    // Hibernate Validator
@ -15,8 +15,7 @@ repositories {
				@@ -15,8 +15,7 @@ repositories {
 configurations.runtime.exclude(group: 'ch.qos.logback')

 dependencies {
-    providedCompile 'javax.servlet:servlet-api:2.5@jar',
-                    "com.google.appengine:appengine-api-1.0-sdk:$gaeVersion"
+    providedCompile 'javax.servlet:servlet-api:2.5@jar'

    compile project(':spring-security-core'),
            project(':spring-security-web'),
@ -25,11 +24,13 @@ dependencies {
				@@ -25,11 +24,13 @@ dependencies {
            "org.springframework:spring-webmvc:$springVersion",
            "org.springframework:spring-context:$springVersion",
            "org.springframework:spring-context-support:$springVersion",
+            "com.google.appengine:appengine-api-1.0-sdk:$gaeVersion",
            'javax.validation:validation-api:1.0.0.GA',
            'org.hibernate:hibernate-validator:4.1.0.Final',
            "org.slf4j:slf4j-api:$slf4jVersion"

    runtime project(':spring-security-config'),
+            project(':spring-security-taglibs'),
            "org.slf4j:jcl-over-slf4j:$slf4jVersion",
            "org.slf4j:slf4j-jdk14:$slf4jVersion"
    testCompile "com.google.appengine:appengine-testing:$gaeVersion"
--- a/samples/gae/src/main/java/samples/gae/security/GaeAuthenticationFilter.java
+++ b/samples/gae/src/main/java/samples/gae/security/GaeAuthenticationFilter.java
@ -24,6 +24,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
				@@ -24,6 +24,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
+import samples.gae.users.GaeUser;

 /**
 * @author Luke Taylor
@ -39,10 +40,15 @@ public class GaeAuthenticationFilter extends GenericFilterBean {
				@@ -39,10 +40,15 @@ public class GaeAuthenticationFilter extends GenericFilterBean {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        User googleUser = UserServiceFactory.getUserService().getCurrentUser();

-        if (authentication == null) {
-            User googleUser = UserServiceFactory.getUserService().getCurrentUser();
+        if (authentication != null && !loggedInUserMatchesGaeUser(authentication, googleUser)) {
+            SecurityContextHolder.clearContext();
+            authentication = null;
+            ((HttpServletRequest)request).getSession().invalidate();
+        }

+        if (authentication == null) {
            if (googleUser != null) {
                logger.debug("Currently logged on to GAE as user " + googleUser);
                logger.debug("Authenticating to Spring Security");
@ -72,6 +78,24 @@ public class GaeAuthenticationFilter extends GenericFilterBean {
				@@ -72,6 +78,24 @@ public class GaeAuthenticationFilter extends GenericFilterBean {
        chain.doFilter(request, response);
    }

+    private boolean loggedInUserMatchesGaeUser(Authentication authentication, User googleUser) {
+        assert authentication != null;
+
+        if (googleUser == null) {
+            // User has logged out of GAE but is still logged into application
+            return false;
+        }
+
+        GaeUser gaeUser = (GaeUser)authentication.getPrincipal();
+
+        if (!gaeUser.getEmail().equals(googleUser.getEmail())) {
+            return false;
+        }
+
+        return true;
+
+    }
+
    @Override
    public void afterPropertiesSet() throws ServletException {
        Assert.notNull(authenticationManager, "AuthenticationManager must be set");