[ISSUES #8417] throw a HttpSessionRequiredException when sessions expired

console-ui/src/utils/request.js

@@ -89,7 +89,7 @@ const request = () => {
 
         if (
           [401, 403].includes(status) &&
-          ['unknown user!', 'token invalid!', 'token expired!', 'authorization failed!'].includes(
+          ['unknown user!', 'token invalid!', 'token expired!', 'session expired!'].includes(
             message
           )
         ) {

console/src/main/resources/static/index.html

@@ -35,7 +35,7 @@
 	<link rel="stylesheet" type="text/css" href="console-ui/public/css/icon.css">
 	<link rel="stylesheet" type="text/css" href="console-ui/public/css/font-awesome.css">
 	<!-- 第三方css结束 -->
-<link href="./css/main.css?1cbbea1b0db3eec7912c" rel="stylesheet"></head>
+<link href="./css/main.css?fc5d786f5bd050c52a07" rel="stylesheet"></head>
 
 <body>
 	<div id="root" style="overflow:hidden"></div>
@@ -56,6 +56,6 @@
 	<script src="console-ui/public/js/merge.js"></script>
 	<script src="console-ui/public/js/loader.js"></script>
 	<!-- 第三方js结束 -->
-<script type="text/javascript" src="./js/main.js?1cbbea1b0db3eec7912c"></script></body>
+<script type="text/javascript" src="./js/main.js?fc5d786f5bd050c52a07"></script></body>
 
 </html>

plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/controller/UserController.java

@@ -43,6 +43,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.web.HttpSessionRequiredException;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -55,7 +56,6 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.List;
-import java.util.Objects;
 
 /**
  * User related methods entry.
@@ -144,11 +144,16 @@ public Object deleteUser(@RequestParam String username) {
     public Object updateUser(@RequestParam String username, @RequestParam String newPassword,
             HttpServletResponse response, HttpServletRequest request) throws IOException {
         // admin or same user
-        if (!hasPermission(username, request)) {
-            response.sendError(HttpServletResponse.SC_FORBIDDEN, "authorization failed!");
+        try {
+            if (!hasPermission(username, request)) {
+                response.sendError(HttpServletResponse.SC_FORBIDDEN, "authorization failed!");
+                return null;
+            }
+        } catch (HttpSessionRequiredException e) {
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session expired!");
             return null;
         }
-        
+
         User user = userDetailsService.getUserFromDatabase(username);
         if (user == null) {
             throw new IllegalArgumentException("user " + username + " not exist!");
@@ -159,15 +164,14 @@ public Object updateUser(@RequestParam String username, @RequestParam String new
         return RestResultUtils.success("update user ok!");
     }
 
-    private boolean hasPermission(String username, HttpServletRequest request) {
+    private boolean hasPermission(String username, HttpServletRequest request) throws HttpSessionRequiredException {
         if (!authConfigs.isAuthEnabled()) {
             return true;
         }
-        if (Objects.isNull(request.getSession().getAttribute(AuthConstants.NACOS_USER_KEY))) {
-            return false;
-        }
-
         NacosUser user = (NacosUser) request.getSession().getAttribute(AuthConstants.NACOS_USER_KEY);
+        if (user == null) {
+            throw new HttpSessionRequiredException("session expired!");
+        }
         // admin
         if (user.isGlobalAdmin()) {
             return true;

plugin-default-impl/src/test/java/com/alibaba/nacos/plugin/auth/impl/controller/UserControllerTest.java

@@ -24,20 +24,25 @@
 import com.alibaba.nacos.plugin.auth.impl.constant.AuthSystemTypes;
 import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
 import com.fasterxml.jackson.databind.JsonNode;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.mock.web.MockHttpSession;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.lang.reflect.Field;
 import java.util.Properties;
 
 import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 @RunWith(MockitoJUnitRunner.class)
@@ -93,6 +98,15 @@ public void testLoginWithAuthedUser() throws AccessException {
         assertTrue(actualString.contains("\"globalAdmin\":true"));
     }
 
+    @Test
+    public void testSessionExpiredThrowHttpSessionRequiredException() throws IOException {
+        when(authConfigs.isAuthEnabled()).thenReturn(true);
+        when(request.getSession()).thenReturn(new MockHttpSession());
+        Object o = userController.updateUser("nacos", "qwe12345", response, request);
+        Assert.assertNull(o);
+        verify(response).sendError(eq(HttpServletResponse.SC_UNAUTHORIZED), eq("session expired!"));
+    }
+
     private void injectObject(String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
         Field field = UserController.class.getDeclaredField(fieldName);
         field.setAccessible(true);