feat(jans-config-api): updating Admin UI Session Expiry to Enforce Idle-Based Logout (#13172)

* feat: updating Admin UI Session Expiry to Enforce Idle-Based Logout

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>

* feat: addressing code-rabbit comments

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>

* feat: addressing code-rabbit comments

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>

---------

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>
Co-authored-by: YuriyZ <yzabrovarniy@gmail.com>

Author: duttarnab

jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/filters/AdminUICookieFilter.java

@@ -77,9 +77,9 @@ public class AdminUICookieFilter implements ContainerRequestFilter {
     @Override
     public void filter(ContainerRequestContext requestContext) {
         try {
-            log.debug("========================================================================");
+            log.trace("========================================================================");
             log.debug("Inside AdminUICookieFilter filter...");
-            log.debug("========================================================================");
+            log.trace("========================================================================");
             Map<String, Cookie> cookies = requestContext.getCookies();
             initializeCaches();
             removeExpiredSessionsIfNeeded();
@@ -235,13 +235,14 @@ private Optional<String> fetchUJWTFromAdminUISession(Map<String, Cookie> cookies
         log.debug("Found a Admin UI session cookie in request header.");
         Cookie adminUISessionCookie = cookies.get(ADMIN_UI_SESSION_ID);
         String sessionId = adminUISessionCookie.getValue();
-        AdminUISession configApiSession = configApiSessionService.getSession(sessionId);
+        AdminUISession adminUISession = configApiSessionService.getSession(sessionId);
         //if config api session does not exist
-        if (configApiSession == null) {
+        if (adminUISession == null) {
             return Optional.empty();
         }
         log.debug("Admin UI session exist in persistence.");
-        String ujwtString = configApiSession.getUjwt();
+        configApiSessionService.updateSessionExpiryDate(adminUISession);
+        String ujwtString = adminUISession.getUjwt();
         return Optional.ofNullable(ujwtString);
     }
 

jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/service/adminui/AdminUISessionService.java

@@ -10,6 +10,7 @@
 import io.jans.as.model.config.adminui.AdminConf;
 import io.jans.as.model.jwt.Jwt;
 import io.jans.as.model.jwt.JwtClaims;
+import io.jans.ca.plugin.adminui.service.config.AUIConfigurationService;
 import io.jans.ca.plugin.adminui.utils.CommonUtils;
 import io.jans.configapi.core.model.adminui.AUIConfiguration;
 import io.jans.configapi.core.model.adminui.AdminUISession;
@@ -29,7 +30,12 @@
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.slf4j.Logger;
+
 import java.util.*;
+import java.util.concurrent.TimeUnit;
+
+import static io.jans.ca.plugin.adminui.utils.CommonUtils.addMinutes;
+
 import static io.jans.as.model.util.Util.escapeLog;
 
 @ApplicationScoped
@@ -54,6 +60,9 @@ public class AdminUISessionService {
     @Inject
     ConfigHttpService httpService;
 
+    @Inject
+    AUIConfigurationService auiConfigurationService;
+
     /**
      * Builds the LDAP distinguished name (DN) for a session identifier.
      *
@@ -89,14 +98,79 @@ public AdminUISession getSession(String sessionId) {
         return configApiSession;
     }
 
+    /**
+     * Updates the expiration time of an Admin UI session based on user activity.
+     * <p>
+     * After a successful login, an {@link AdminUISession} is persisted in the database
+     * with an expiration date derived from the configured session timeout. On each
+     * subsequent request, this method may extend the session expiration to enforce
+     * an idle-based logout policy.
+     * </p>
+     *
+     * <p>
+     * The session expiration is refreshed only when:
+     * <ul>
+     *   <li>The session and its expiration date are not {@code null}</li>
+     *   <li>More than 30 seconds has passed since the session was last updated</li>
+     * </ul>
+     * </p>
+     *
+     * <p>
+     * This approach prevents frequent database updates while ensuring that an
+     * active user session remains valid and a force logout occurs only when the
+     * application has been idle longer than the configured
+     * {@code max_idle_time}.
+     * </p>
+     *
+     * @param adminUISession the persisted Admin UI session to be evaluated and updated
+     */
+    public void updateSessionExpiryDate(AdminUISession adminUISession) {
+        if (adminUISession == null || adminUISession.getExpirationDate() == null) {
+            return;
+        }
+        try {
+            Date lastUpdated = adminUISession.getLastUpdated();
+            long nowMillis = System.currentTimeMillis();
+
+            // Update expiry date only if last update was more than 30 sec ago : the intent of the 30-second throttle is to reduce database writes
+            if (lastUpdated != null) {
+                long secondsSinceLastUpdate =
+                        TimeUnit.MILLISECONDS.toSeconds(nowMillis - lastUpdated.getTime());
+
+                if (secondsSinceLastUpdate < 30) {
+                    return;
+                }
+            }
+
+            AUIConfiguration config = auiConfigurationService.getAUIConfiguration();
+            if (config == null || config.getSessionTimeoutInMins() == null) {
+                logger.warn("AUI configuration is null, cannot update session expiry");
+                return;
+            }
+            int sessionTimeoutMins = config.getSessionTimeoutInMins();
+
+            Date now = new Date(nowMillis);
+            // do not update if the sesiion is already expired. AdminUICookieFilter will remove this session.
+            if (adminUISession.getExpirationDate().before(now)) {
+                return;
+            }
+            adminUISession.setExpirationDate(addMinutes(now, sessionTimeoutMins));
+            adminUISession.setLastUpdated(now);
+            persistenceEntryManager.merge(adminUISession);
+        } catch (Exception e) {
+            logger.warn("Failed to update session expiry for session {}",
+                    adminUISession.getSessionId(), e);
+        }
+    }
+
     /**
      * Removes all AdminUISession entries whose expirationDate is earlier than the current time.
      * This method queries sessions under the service's session base DN and deletes any persisted
      * AdminUISession whose expiration date has already passed.
      */
     public void removeAllExpiredSessions() {
         final Filter filter = Filter.createPresenceFilter(SID);
-        List<AdminUISession> adminUISessions =  persistenceEntryManager.findEntries(SESSION_DN, AdminUISession.class, filter);
+        List<AdminUISession> adminUISessions = persistenceEntryManager.findEntries(SESSION_DN, AdminUISession.class, filter);
         Date currentDate = new Date();
         adminUISessions.stream().filter(ele ->
                         ((ele.getExpirationDate().getTime() - currentDate.getTime()) < 0))
@@ -106,7 +180,7 @@ public void removeAllExpiredSessions() {
     /**
      * Checks whether a cached token is active by calling the Admin UI introspection endpoint.
      *
-     * @param token the token to introspect; may be null or empty
+     * @param token            the token to introspect; may be null or empty
      * @param auiConfiguration configuration holding the introspection endpoint URL
      * @return `true` if the introspection response contains `"active": true`, `false` otherwise
      * @throws JsonProcessingException if the introspection response body cannot be parsed as JSON
@@ -124,7 +198,7 @@ public boolean isCachedTokenValid(String token, AUIConfiguration auiConfiguratio
                 .executePost(auiConfiguration.getAuiBackendApiServerIntrospectionEndpoint(),
                         token, CommonUtils.toUrlEncodedString(body),
                         ContentType.APPLICATION_FORM_URLENCODED,
-                        "Bearer " );
+                        "Bearer ");
         String jsonString = null;
         if (httpServiceResponse.getHttpResponse() != null
                 && httpServiceResponse.getHttpResponse().getStatusLine() != null) {
@@ -133,15 +207,15 @@ public boolean isCachedTokenValid(String token, AUIConfiguration auiConfiguratio
                     "httpServiceResponse.getHttpResponse():{}, httpServiceResponse.getHttpResponse().getStatusLine():{}, httpServiceResponse.getHttpResponse().getEntity():{}",
                     httpServiceResponse.getHttpResponse(), httpServiceResponse.getHttpResponse().getStatusLine(),
                     httpServiceResponse.getHttpResponse().getEntity());
-            if(httpServiceResponse.getHttpResponse().getStatusLine().getStatusCode() == 200) {
+            if (httpServiceResponse.getHttpResponse().getStatusLine().getStatusCode() == 200) {
                 ObjectMapper mapper = new ObjectMapper();
 
                 HttpEntity httpEntity = httpServiceResponse.getHttpResponse().getEntity();
                 if (httpEntity != null) {
                     jsonString = httpService.getContent(httpEntity);
 
                     HashMap<String, Object> payloadMap = mapper.readValue(jsonString, HashMap.class);
-                    if(payloadMap.containsKey("active")) {
+                    if (payloadMap.containsKey("active")) {
                         return (boolean) payloadMap.get("active");
                     }
                     return false;
@@ -157,7 +231,7 @@ public boolean isCachedTokenValid(String token, AUIConfiguration auiConfiguratio
      *
      * @param ujwtString       the user-info JWT to include in the token request; must be non-null and non-empty to generate a token
      * @param auiConfiguration configuration containing the backend token endpoint, client ID, encrypted client secret, and redirect URI
-     * @return                 a TokenResponse containing the access token, or `null` if `ujwtString` is null or empty
+     * @return a TokenResponse containing the access token, or `null` if `ujwtString` is null or empty
      * @throws StringEncrypter.EncryptionException if decrypting the client secret fails
      * @throws JsonProcessingException             if parsing token responses fails
      */
@@ -187,14 +261,14 @@ public TokenResponse getApiProtectionToken(String ujwtString, AUIConfiguration a
     }
 
     /**
-         * Exchange token request parameters with the authorization server and return parsed token response parameters.
-         *
-         * @param tokenRequest  token request details (grant type, client credentials, redirect URI; may include authorization code and PKCE verifier)
-         * @param tokenEndpoint the token endpoint URL to call
-         * @param userInfoJwt   optional user-info JWT to include as the `ujwt` parameter
-         * @return              a map of token response parameters (for example `access_token`, `expires_in`) with any `token_type` entry removed
-         * @throws ConfigApiApplicationException if the HTTP exchange fails or the response cannot be parsed as JSON
-         */
+     * Exchange token request parameters with the authorization server and return parsed token response parameters.
+     *
+     * @param tokenRequest  token request details (grant type, client credentials, redirect URI; may include authorization code and PKCE verifier)
+     * @param tokenEndpoint the token endpoint URL to call
+     * @param userInfoJwt   optional user-info JWT to include as the `ujwt` parameter
+     * @return a map of token response parameters (for example `access_token`, `expires_in`) with any `token_type` entry removed
+     * @throws ConfigApiApplicationException if the HTTP exchange fails or the response cannot be parsed as JSON
+     */
     public Map<String, Object> getToken(TokenRequest tokenRequest, String tokenEndpoint, String userInfoJwt) throws ConfigApiApplicationException {
 
         try {
@@ -221,7 +295,7 @@ public Map<String, Object> getToken(TokenRequest tokenRequest, String tokenEndpo
 
             HttpServiceResponse httpServiceResponse = httpService
                     .executePost(tokenEndpoint, tokenRequest.getEncodedCredentials(), CommonUtils.toUrlEncodedString(body), ContentType.APPLICATION_FORM_URLENCODED,
-                            "Basic " );
+                            "Basic ");
             String jsonString = null;
             if (httpServiceResponse.getHttpResponse() != null
                     && httpServiceResponse.getHttpResponse().getStatusLine() != null) {
@@ -230,7 +304,7 @@ public Map<String, Object> getToken(TokenRequest tokenRequest, String tokenEndpo
                         " FINAL  httpServiceResponse.getHttpResponse():{}, httpServiceResponse.getHttpResponse().getStatusLine():{}, httpServiceResponse.getHttpResponse().getEntity():{}",
                         httpServiceResponse.getHttpResponse(), httpServiceResponse.getHttpResponse().getStatusLine(),
                         httpServiceResponse.getHttpResponse().getEntity());
-                if(httpServiceResponse.getHttpResponse().getStatusLine().getStatusCode() == 200) {
+                if (httpServiceResponse.getHttpResponse().getStatusLine().getStatusCode() == 200) {
                     ObjectMapper mapper = new ObjectMapper();
 
                     HttpEntity httpEntity = httpServiceResponse.getHttpResponse().getEntity();

jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/service/auth/OAuth2Service.java

@@ -177,6 +177,7 @@ public void setAdminUISession(String sessionId, String ujwt) throws ApplicationE
         adminUISession.setUjwt(ujwt);
         adminUISession.setJansUsrDN(getDnForUser((String) claims.get("inum")));
         adminUISession.setCreationDate(currentDate);
+        adminUISession.setLastUpdated(currentDate);
         adminUISession.setExpirationDate(addMinutes(currentDate, auiConfiguration.getSessionTimeoutInMins()));
 
         entryManager.persist(adminUISession);

jans-config-api/shared/src/main/java/io/jans/configapi/core/model/adminui/AdminUISession.java

@@ -26,6 +26,8 @@ public class AdminUISession {
     private Date creationDate = new Date();
     @AttributeName(name = "exp")
     private Date expirationDate;
+    @AttributeName(name = "jansLastAccessTime")
+    private Date lastUpdated;
 
     /**
      * Gets the distinguished name (DN) for this entry.
@@ -155,6 +157,14 @@ public void setJansUsrDN(String jansUsrDN) {
         this.jansUsrDN = jansUsrDN;
     }
 
+    public Date getLastUpdated() {
+        return lastUpdated;
+    }
+
+    public void setLastUpdated(Date lastUpdated) {
+        this.lastUpdated = lastUpdated;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (!(o instanceof AdminUISession)) return false;
@@ -177,6 +187,7 @@ public String toString() {
                 ", ujwt='" + ujwt + '\'' +
                 ", creationDate=" + creationDate +
                 ", expirationDate=" + expirationDate +
+                ", lastUpdated=" + lastUpdated +
                 '}';
     }
 }