OO-290: synchronize login in WebDAV as in standard OLAT Servlet

src/main/java/org/olat/commons/servlets/WebDAVManagerImpl.java

@@ -107,7 +107,9 @@ public class WebDAVManagerImpl extends WebDAVManager {
 		if (authHeader != null) {
 			// fetch user session from a previous authentication
 			UserSession usess = (UserSession)timedSessionCache.get(authHeader);
-			if (usess != null && usess.isAuthenticated()) return usess;
+			if (usess != null && usess.isAuthenticated()) {
+				return usess;
+			}
 			
 			StringTokenizer st = new StringTokenizer(authHeader);
 			if (st.hasMoreTokens()) {
@@ -116,63 +118,14 @@ public class WebDAVManagerImpl extends WebDAVManager {
 				// We only handle HTTP Basic authentication
 				if (basic.equalsIgnoreCase("Basic")) {
 					String credentials = st.nextToken();
-
-					// This example uses sun.misc.* classes.
-					// You will need to provide your own
-					// if you are not comfortable with that.
-					String userPass = Base64Decoder.decode(credentials);
-
-					// The decoded string is in the form
-					// "userID:password".
-					int p = userPass.indexOf(":");
-					if (p != -1) {
-						String userID = userPass.substring(0, p);
-						String password = userPass.substring(p + 1);
-						
-						// Validate user ID and password
-						// and set valid true if valid.
-						// In this example, we simply check
-						// that neither field is blank
-						Identity identity = WebDAVAuthManager.authenticate(userID, password);
-						if (identity != null) {
-							usess = UserSession.getUserSession(request);
-							usess.signOffAndClear();
-							usess.setIdentity(identity);
-							UserDeletionManager.getInstance().setIdentityAsActiv(identity);
-							// set the roles (admin, author, guest)
-							Roles roles = BaseSecurityManager.getInstance().getRoles(identity);
-							usess.setRoles(roles);
-							// set authprovider
-							//usess.getIdentityEnvironment().setAuthProvider(OLATAuthenticationController.PROVIDER_OLAT);
-						
-							// set session info
-							SessionInfo sinfo = new SessionInfo(identity.getName(), request.getSession());
-							User usr = identity.getUser();
-							sinfo.setFirstname(usr.getProperty(UserConstants.FIRSTNAME, null));
-							sinfo.setLastname(usr.getProperty(UserConstants.LASTNAME, null));
-							sinfo.setFromIP(request.getRemoteAddr());
-							sinfo.setFromFQN(request.getRemoteAddr());
-							try {
-								InetAddress[] iaddr = InetAddress.getAllByName(request.getRemoteAddr());
-								if (iaddr.length > 0) sinfo.setFromFQN(iaddr[0].getHostName());
-							} catch (UnknownHostException e) {
-								 // ok, already set IP as FQDN
-							}
-							sinfo.setAuthProvider(BaseSecurityModule.getDefaultAuthProviderIdentifier());
-							sinfo.setUserAgent(request.getHeader("User-Agent"));
-							sinfo.setSecure(request.isSecure());
-							sinfo.setWebDAV(true);
-							sinfo.setWebModeFromUreq(null);
-							// set session info for this session
-							usess.setSessionInfo(sinfo);
-							//
-							usess.signOn();
-							timedSessionCache.put(authHeader, usess);
-							return usess;
-						}
-					}
+					usess = handleBasicAuthentication(credentials, request);
+					
 				}
 			}
+			
+			if(usess != null) {
+				timedSessionCache.put(authHeader, usess);
+			}
 		}
 
 		// If the user was not validated or the browser does not know about the realm yet, fail with a
@@ -191,6 +144,70 @@ public class WebDAVManagerImpl extends WebDAVManager {
 		return null;
 	}
 	
+	private UserSession handleBasicAuthentication(String credentials, HttpServletRequest request) {
+		// This example uses sun.misc.* classes.
+		// You will need to provide your own
+		// if you are not comfortable with that.
+		String userPass = Base64Decoder.decode(credentials);
+
+		// The decoded string is in the form
+		// "userID:password".
+		int p = userPass.indexOf(":");
+		if (p != -1) {
+			String userID = userPass.substring(0, p);
+			String password = userPass.substring(p + 1);
+			
+			// Validate user ID and password
+			// and set valid true if valid.
+			// In this example, we simply check
+			// that neither field is blank
+			Identity identity = WebDAVAuthManager.authenticate(userID, password);
+			if (identity != null) {
+				UserSession usess = UserSession.getUserSession(request);
+				synchronized(usess) {
+					//double check to prevent severals concurrent login
+					if(usess.isAuthenticated()) {
+						return usess;
+					}
+				
+					usess.signOffAndClear();
+					usess.setIdentity(identity);
+					UserDeletionManager.getInstance().setIdentityAsActiv(identity);
+					// set the roles (admin, author, guest)
+					Roles roles = BaseSecurityManager.getInstance().getRoles(identity);
+					usess.setRoles(roles);
+					// set authprovider
+					//usess.getIdentityEnvironment().setAuthProvider(OLATAuthenticationController.PROVIDER_OLAT);
+				
+					// set session info
+					SessionInfo sinfo = new SessionInfo(identity.getName(), request.getSession());
+					User usr = identity.getUser();
+					sinfo.setFirstname(usr.getProperty(UserConstants.FIRSTNAME, null));
+					sinfo.setLastname(usr.getProperty(UserConstants.LASTNAME, null));
+					sinfo.setFromIP(request.getRemoteAddr());
+					sinfo.setFromFQN(request.getRemoteAddr());
+					try {
+						InetAddress[] iaddr = InetAddress.getAllByName(request.getRemoteAddr());
+						if (iaddr.length > 0) sinfo.setFromFQN(iaddr[0].getHostName());
+					} catch (UnknownHostException e) {
+						 // ok, already set IP as FQDN
+					}
+					sinfo.setAuthProvider(BaseSecurityModule.getDefaultAuthProviderIdentifier());
+					sinfo.setUserAgent(request.getHeader("User-Agent"));
+					sinfo.setSecure(request.isSecure());
+					sinfo.setWebDAV(true);
+					sinfo.setWebModeFromUreq(null);
+					// set session info for this session
+					usess.setSessionInfo(sinfo);
+					//
+					usess.signOn();
+					return usess;
+				}
+			}
+		}
+		return null;
+	}
+	
 	
 	/**
 	 * @see org.olat.core.servlets.WebDAVManager#isEnabled()