JWT, Cookie & Filtros

backoffice/src/main/java/uy/edu/fing/tse/jsf/UserLoginBean.java

 package uy.edu.fing.tse.jsf;
 
+import org.primefaces.PrimeFaces;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import uy.edu.fing.tse.central.business.BusinessLocal;
 import uy.edu.fing.tse.central.business.security.SecurityLocal;
 import uy.edu.fing.tse.dto.Role;
 import uy.edu.fing.tse.dto.UserBO;
-import uy.edu.fing.tse.jsf.session.SessionBean;
 
 import javax.annotation.PostConstruct;
 import javax.ejb.EJB;
 import javax.enterprise.context.RequestScoped;
 import javax.faces.application.FacesMessage;
 import javax.faces.context.FacesContext;
-import javax.inject.Inject;
 import javax.inject.Named;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.Size;
@@ -37,9 +36,6 @@ public class UserLoginBean implements Serializable {
     @EJB
     private BusinessLocal negocio;
 
-    @Inject
-    private SessionBean session;
-
     private List<Role> roles;
 
     @PostConstruct
@@ -73,14 +69,13 @@ public class UserLoginBean implements Serializable {
         this.repassword = repassword;
     }
 
-    public String login() {
+    public void login() {
         String token = securityLocal.login(user);
 
         if (token != null) {
             addCookieToken(token);
-            session.setToken(token);
-            session.setUser(user);
-            return "jsf/gestionhechos";
+            PrimeFaces.current().executeScript("window.location.href='jsf/gestionhechos.xhtml'");
+            //return "jsf/gestionhechos";
         } else {
             FacesContext.getCurrentInstance().addMessage(
                     null,
@@ -88,10 +83,15 @@ public class UserLoginBean implements Serializable {
                             "Ingreso Incorrecto",
                             "Por favor verificar los datos ingresados"));
         }
-        return "";
     }
 
-    public String register() {
+    public void logout() {
+        removeCookieToken();
+        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
+        PrimeFaces.current().executeScript("window.location.href='jsf/index.xhtml'");
+    }
+
+    public void register() {
         boolean valid = true;
 
         // verificar que sean iguales la pasw, en caso contrario
@@ -100,14 +100,13 @@ public class UserLoginBean implements Serializable {
         //TODO
         if (valid) {
             final var s = securityLocal.register(user);
-            return "jsf/gestionhechos";
+            PrimeFaces.current().executeScript("window.location.href='jsf/gestionhechos.xhtml'");
         } else {
             FacesContext.getCurrentInstance().addMessage(
                     null,
                     new FacesMessage(FacesMessage.SEVERITY_WARN,
                             " Usuario o Password diferentes",
                             "Por favor verificar los datos ingresados"));
-            return "";
         }
     }
 
@@ -119,4 +118,11 @@ public class UserLoginBean implements Serializable {
                 .addResponseCookie("token", URLEncoder.encode(token, StandardCharsets.UTF_8), properties);
     }
 
+    private void removeCookieToken() {
+        final Map<String, Object> properties = new HashMap<>();
+        properties.put("maxAge", 0);
+        properties.put("path", "/");
+        FacesContext.getCurrentInstance().getExternalContext()
+                .addResponseCookie("token", "", properties);
+    }
 }

backoffice/src/main/java/uy/edu/fing/tse/jsf/security/JwtFilter.java

@@ -22,13 +22,7 @@ public class JwtFilter implements javax.servlet.Filter {
         final HttpServletRequest request = (HttpServletRequest) req;
         final HttpServletResponse response = (HttpServletResponse) res;
 
-        Cookie cookieToken = null;
-        for (Cookie cookie : request.getCookies()) {
-            if ("token".equals(cookie.getName())) {
-                cookieToken = cookie;
-                break;
-            }
-        }
+        Cookie cookieToken = findTokenCookie(request);
 
         if (cookieToken == null || cookieToken.getValue() == null) {
             response.setStatus(401);
@@ -41,6 +35,10 @@ public class JwtFilter implements javax.servlet.Filter {
         try {
             final Claims claims = Jwts.parser().setSigningKey("1q2w3e4r5t6y7u8i9o0p").parseClaimsJws(token).getBody();
             request.setAttribute("claims", claims);
+            final var session = request.getSession();
+            session.setAttribute("token", token);
+            session.setAttribute("role", claims.get("role"));
+            session.setAttribute("user", claims.getSubject());
         } catch (final Exception e) {
             response.setStatus(401);
             response.sendRedirect(request.getContextPath() + "/login.xhtml");
@@ -50,6 +48,20 @@ public class JwtFilter implements javax.servlet.Filter {
         chain.doFilter(req, res);
     }
 
+    static Cookie findTokenCookie(final HttpServletRequest request) {
+        Cookie cookieToken = null;
+        final var cookies = request.getCookies();
+        if (cookies != null) {
+            for (Cookie cookie : cookies) {
+                if ("token".equals(cookie.getName())) {
+                    cookieToken = cookie;
+                    break;
+                }
+            }
+        }
+        return cookieToken;
+    }
+
     @Override
     public void destroy() {
     }

backoffice/src/main/java/uy/edu/fing/tse/jsf/security/LoginFilter.java

+package uy.edu.fing.tse.jsf.security;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import static uy.edu.fing.tse.jsf.security.JwtFilter.findTokenCookie;
+
+@WebFilter("/login.xhtml")
+public class LoginFilter implements Filter {
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
+        final HttpServletRequest request = (HttpServletRequest) req;
+        final HttpServletResponse response = (HttpServletResponse) res;
+
+        Cookie cookieToken = findTokenCookie(request);
+
+        if (cookieToken == null || cookieToken.getValue() == null) {
+            chain.doFilter(req, res);
+            return;
+        }
+
+        final var token = cookieToken.getValue();
+
+        try {
+            final Claims claims = Jwts.parser().setSigningKey("1q2w3e4r5t6y7u8i9o0p").parseClaimsJws(token).getBody();
+            response.sendRedirect(request.getContextPath() + "/jsf/gestionhechos.xhtml");
+        } catch (final Exception e) {
+            chain.doFilter(req, res);
+            return;
+        }
+
+        chain.doFilter(req, res);
+    }
+
+    @Override
+    public void destroy() {
+    }
+}

backoffice/src/main/java/uy/edu/fing/tse/jsf/session/SessionBean.java

-package uy.edu.fing.tse.jsf.session;
-
-import uy.edu.fing.tse.dto.UserBO;
-
-import javax.enterprise.context.SessionScoped;
-import javax.inject.Named;
-import java.io.Serializable;
-
-@SessionScoped
-@Named("sessionBean")
-public class SessionBean implements Serializable {
-
-    private static final long serialVersionUID = 9062153372176877309L;
-
-    private String token = null;
-
-    private UserBO user = null;
-
-    public String getToken() {
-        return token;
-    }
-
-    public void setToken(String token) {
-        this.token = token;
-    }
-
-    public UserBO getUser() {
-        return user;
-    }
-
-    public void setUser(UserBO user) {
-        this.user = user;
-    }
-
-    public String makeToken() {
-        if (token == null) {
-            return null;
-        }
-        return "Bearer " + token;
-    }
-
-    public void invalidate() {
-        token = null;
-        user = null;
-    }
-}

backoffice/src/main/webapp/WEB-INF/templates/template.xhtml

@@ -34,9 +34,10 @@
     <title>BackOffice - feiknius</title>
 </h:head>
 <h:body>
-
     <header>
         <h1>BackOffice - feiknius</h1>
+        <p:commandButton value="Salir" action="#{userLoginView.logout()}"
+                         rendered="#{session.getAttribute('user')!=null}"/>
     </header>
     <!-- Menús, headers y todo lo que vaya antes del contenido -->
     <p:messages/>

backoffice/src/main/webapp/jsf/gestionhechos.xhtml

@@ -12,7 +12,7 @@
         <h:form>
             <p:outputPanel style="font-size: 30px;text-align: center">
                 <h:outputText value="Bienvenido "/>
-                <h:outputText value="#{sessionBean.user.mail}"/>
+                <h:outputText value="#{session.getAttribute('user')}"/>
             </p:outputPanel>
 
             <p:dataTable var="hecho" id="dataHecho" value="#{gestionHechos.facts}" widgetVar="NoticiasTable"

backoffice/src/main/webapp/login.xhtml

@@ -31,7 +31,6 @@
                                      value="Login" action="#{userLoginView.login()}"
                                      update="form"/>
                 </f:facet>
-                <h:inputHidden id="token" value="#{sessionBean.token}"/>
             </h:panelGrid>
         </h:form>
     </ui:define>

central-dto/src/main/java/uy/edu/fing/tse/dto/Fact.java

@@ -44,10 +44,6 @@ public final class Fact implements Serializable {
         return actualState;
     }
 
-    public State getActualState2() {
-        return actualState;
-    }
-
     public void setActualState(State actualState) {
         this.actualState = actualState;
     }

central-ejb/src/main/java/uy/edu/fing/tse/central/business/security/SecurityBean.java

@@ -58,7 +58,7 @@ public class SecurityBean implements SecurityLocal, SecurityRemote {
         return null;
     }
 
-    private String createJWT(String role, String user) {
+    private String createJWT(String user, String role) {
         // prepare expiration date according to application properties
         Date expDate = new Date();
         Calendar calendar = Calendar.getInstance();