1 package com.atlassian.refapp.auth.internal;
2
import com.atlassian.refapp.auth.external.WebSudoSessionManager;
import com.google.common.annotations.VisibleForTesting;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
9
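/**
 * Tracks "WebSudo" (elevated, re-authenticated) state on the caller's {@link HttpSession}.
 *
 * <p>A WebSudo session is recorded as a creation timestamp stored under {@link #WEBSUDO_SESSION_KEY}
 * and is considered valid for a fixed window measured from creation ({@link #DEFAULT_EXPIRY_MILLIS}
 * unless another expiry is supplied to the constructor); it is not extended by later activity. The
 * marker lives on the existing servlet session: this class does not rotate the session id when the
 * session becomes elevated.
 *
 * <p>Setting the system property {@link #WEB_SUDO_CHECKING_DISABLED_PROPERTY} to {@code true} makes
 * {@link #isWebSudoSession(HttpServletRequest)} report every request as elevated; this bypasses the
 * check entirely, so keep it unset wherever WebSudo protection matters.
 */
public class DefaultWebSudoSessionManager implements WebSudoSessionManager {
    /** Default lifetime of a WebSudo session, measured from its creation: 10 minutes. */
    private static final long DEFAULT_EXPIRY_MILLIS = TimeUnit.MINUTES.toMillis(10);
    /** Session attribute holding the creation timestamp (a {@code Long}, epoch milliseconds). */
    private static final String WEBSUDO_SESSION_KEY = DefaultWebSudoSessionManager.class.getName() + "-session";
    /** System property that, when {@code true}, disables WebSudo checking altogether. */
    @VisibleForTesting
    protected static final String WEB_SUDO_CHECKING_DISABLED_PROPERTY = "atlassian.refapp.websudo.disabled";

    /** Lifetime of a WebSudo session in milliseconds, measured from creation. */
    private final long expiryMillis;

    /** Creates a manager using the default expiry of {@link #DEFAULT_EXPIRY_MILLIS}. */
    public DefaultWebSudoSessionManager() {
        this(DEFAULT_EXPIRY_MILLIS);
    }

    /**
     * Creates a manager whose WebSudo sessions expire {@code expiryMillis} after creation.
     *
     * @param expiryMillis lifetime of a WebSudo session in milliseconds; must be positive
     * @throws IllegalArgumentException if {@code expiryMillis} is not positive
     */
    public DefaultWebSudoSessionManager(final long expiryMillis) {
        if (expiryMillis <= 0) {
            throw new IllegalArgumentException("expiryMillis must be positive, was " + expiryMillis);
        }
        this.expiryMillis = expiryMillis;
    }

    /**
     * Reports whether the request carries an unexpired WebSudo session.
     *
     * @param request the current request; must not be {@code null}
     * @return {@code true} if checking is disabled via the system property, or if the request's existing
     *         session holds a WebSudo timestamp no older than the expiry window; {@code false} otherwise,
     *         including when there is no session or the stored attribute is missing or not a {@code Long}
     */
    public boolean isWebSudoSession(final HttpServletRequest request) {
        if (Boolean.getBoolean(WEB_SUDO_CHECKING_DISABLED_PROPERTY)) {
            return true;
        }
        // Never create a session just to discover that it holds nothing.
        final HttpSession session = Objects.requireNonNull(request, "request").getSession(false);
        if (session == null) {
            return false;
        }
        // Anything other than a Long under the key counts as "no WebSudo session" instead of
        // surfacing a ClassCastException to the caller.
        final Object attribute = session.getAttribute(WEBSUDO_SESSION_KEY);
        if (!(attribute instanceof Long)) {
            return false;
        }
        final long createdAt = (Long) attribute;
        return createdAt >= currentTimeMillis() - expiryMillis;
    }

    /**
     * Marks the caller's session as WebSudo-elevated as of now, creating the servlet session if needed.
     * Calling it again on an already elevated session overwrites the timestamp and so restarts the
     * expiry window.
     *
     * @param request the current request; must not be {@code null}
     * @throws SecurityException if the container does not hand back a session
     */
    public void createWebSudoSession(final HttpServletRequest request) {
        final HttpSession session = Objects.requireNonNull(request, "request").getSession(true);
        if (session == null) {
            throw new SecurityException("Unable to create a WebSudo session.");
        }
        session.setAttribute(WEBSUDO_SESSION_KEY, currentTimeMillis());
    }

    /**
     * Drops the WebSudo marker from the caller's existing session, if any. A request without a session
     * is a no-op: no session is created just to remove something from it.
     *
     * @param request the current request; must not be {@code null}
     */
    public void removeWebSudoSession(final HttpServletRequest request) {
        final HttpSession session = Objects.requireNonNull(request, "request").getSession(false);
        if (session != null) {
            session.removeAttribute(WEBSUDO_SESSION_KEY);
        }
    }

    /**
     * Current wall-clock time in epoch milliseconds; package-private so tests can substitute a clock.
     */
    long currentTimeMillis() {
        return System.currentTimeMillis();
    }
}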