http://www.jboss.org/undertow-parent/undertow-servlet: Undertow (JBoss by Red Hat) 
/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package io.undertow.servlet.handlers.security;

import io.undertow.security.api.AuthenticatedSessionManager;
import io.undertow.security.api.AuthenticatedSessionManager.AuthenticatedSession;
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.api.SecurityNotification.EventType;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.Session;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.spec.HttpSessionImpl;
import io.undertow.servlet.spec.ServletContextImpl;
import io.undertow.servlet.util.SavedRequest;

import java.security.AccessController;

import javax.servlet.http.HttpSession;


HttpHandler responsible for setting up the AuthenticatedSessionManager for cached authentications and registering a NotificationReceiver to receive the security notifications. This handler also forces the session to change its session ID on sucessful authentication. 
Author:Darran Lofthouse
/**
 * {@link HttpHandler} responsible for setting up the {@link AuthenticatedSessionManager} for cached authentications and
 * registering a {@link NotificationReceiver} to receive the security notifications.
 *
 * This handler also forces the session to change its session ID on sucessful authentication.
 *
 * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
 */
public class CachedAuthenticatedSessionHandler implements HttpHandler {

    public static final String ATTRIBUTE_NAME = CachedAuthenticatedSessionHandler.class.getName() + ".AuthenticatedSession";

    public static final String NO_ID_CHANGE_REQUIRED = CachedAuthenticatedSessionHandler.class.getName() + ".NoIdChangeRequired";

    private final NotificationReceiver NOTIFICATION_RECEIVER = new SecurityNotificationReceiver();
    private final AuthenticatedSessionManager SESSION_MANAGER = new ServletAuthenticatedSessionManager();

    private final HttpHandler next;
    private final ServletContextImpl servletContext;

    public CachedAuthenticatedSessionHandler(final HttpHandler next, final ServletContextImpl servletContext) {
        this.next = next;
        this.servletContext = servletContext;
    }


    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        SecurityContext securityContext = exchange.getSecurityContext();
        securityContext.registerNotificationReceiver(NOTIFICATION_RECEIVER);

        HttpSession session = servletContext.getSession(exchange, false);
        // If there was no existing HttpSession then there could not be a cached AuthenticatedSession so don't bother setting
        // the AuthenticatedSessionManager.
        if (session != null) {
            exchange.putAttachment(AuthenticatedSessionManager.ATTACHMENT_KEY, SESSION_MANAGER);
            SavedRequest.tryRestoreRequest(exchange, session); //not sure if this is where it belongs
        }

        next.handleRequest(exchange);
    }

    private class SecurityNotificationReceiver implements NotificationReceiver {

        @Override
        public void handleNotification(SecurityNotification notification) {
            EventType eventType = notification.getEventType();
            HttpSessionImpl httpSession = servletContext.getSession(notification.getExchange(), false);
            switch (eventType) {
                case AUTHENTICATED:
                    if (isCacheable(notification)) {
                        if(servletContext.getDeployment().getDeploymentInfo().isChangeSessionIdOnLogin()) {
                            if (httpSession != null) {
                                Session session = underlyingSession(httpSession);
                                if (!httpSession.isNew() &&
                                        !httpSession.isInvalid() &&
                                        session.getAttribute(NO_ID_CHANGE_REQUIRED) == null) {
                                    ServletRequestContext src = notification.getExchange().getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                                    src.getOriginalRequest().changeSessionId();
                                }
                                if(session.getAttribute(NO_ID_CHANGE_REQUIRED) == null) {
                                    session.setAttribute(NO_ID_CHANGE_REQUIRED, true);
                                }
                            }
                        }
                        if(httpSession == null) {
                            httpSession = servletContext.getSession(notification.getExchange(), true);
                        }
                        Session session = underlyingSession(httpSession);

                        // It is normal for this notification to be received when using a previously cached session - in that
                        // case the IDM would have been given an opportunity to re-load the Account so updating here ready for
                        // the next request is desired.
                        session.setAttribute(ATTRIBUTE_NAME,
                                new AuthenticatedSession(notification.getAccount(), notification.getMechanism()));
                    }
                    break;
                case LOGGED_OUT:
                    if (httpSession != null) {
                        Session session = underlyingSession(httpSession);
                        session.removeAttribute(ATTRIBUTE_NAME);
                        session.removeAttribute(NO_ID_CHANGE_REQUIRED);
                    }
                    break;
            }
        }

    }

    protected Session underlyingSession(HttpSessionImpl httpSession) {
        Session session;
        if (System.getSecurityManager() == null) {
            session = httpSession.getSession();
        } else {
            session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
        }
        return session;
    }

    private class ServletAuthenticatedSessionManager implements AuthenticatedSessionManager {

        @Override
        public AuthenticatedSession lookupSession(HttpServerExchange exchange) {
            HttpSessionImpl httpSession = servletContext.getSession(exchange, false);
            if (httpSession != null) {
                Session session = underlyingSession(httpSession);
                return (AuthenticatedSession) session.getAttribute(ATTRIBUTE_NAME);
            }
            return null;
        }

        @Override
        public void clearSession(HttpServerExchange exchange) {
            HttpSessionImpl httpSession = servletContext.getSession(exchange, false);
            if (httpSession != null) {
                Session session = underlyingSession(httpSession);
                session.removeAttribute(ATTRIBUTE_NAME);
            }
        }

    }

    private boolean isCacheable(final SecurityNotification notification) {
        return notification.isProgramatic() || notification.isCachingRequired();
    }

}