finos · kevin-m-knight-gs · Mar 30, 2026 · Mar 30, 2026
@@ -37,11 +37,14 @@
 import org.finos.legend.server.pac4j.internal.UsernameFilter;
 import org.finos.legend.server.pac4j.kerberos.SubjectExecutor;
 import org.finos.legend.server.pac4j.mongostore.MongoDbSessionStore;
+import org.jspecify.annotations.NonNull;
 import org.pac4j.core.client.Client;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.context.JEEContext;
+import org.pac4j.core.context.WebContext;
 import org.pac4j.core.context.session.JEESessionStore;
 import org.pac4j.core.engine.decision.AlwaysUseSessionProfileStorageDecision;
+import org.pac4j.core.engine.decision.ProfileStorageDecision;
 import org.pac4j.core.http.url.DefaultUrlResolver;
 import org.pac4j.core.matching.matcher.Matcher;
 import org.pac4j.core.matching.matcher.PathMatcher;
@@ -235,7 +238,7 @@ ServletJaxRsContext.class, new ServletSessionStore()),
         securityFilterConfiguration.setAuthorizers(String.join(",", factory.getAuthorizers().keySet()));
         LegendSecurityLogic legendSecurityLogic = new LegendSecurityLogic<>();
         legendSecurityLogic.setClientFinder(legendConfig.getDefaultSecurityClient());
-        legendSecurityLogic.setProfileStorageDecision(new AlwaysUseSessionProfileStorageDecision<>());
+        legendSecurityLogic.setProfileStorageDecision(getProfileStorageDecision(legendConfig));
         factory.setSecurityLogic(legendSecurityLogic);
         factory.setServlet(servletConfiguration);
 
@@ -256,6 +259,15 @@ ServletJaxRsContext.class, new ServletSessionStore()),
         return factory;
     }
 
+    ProfileStorageDecision<WebContext> getProfileStorageDecision(LegendPac4jConfiguration legendConfig)
+    {
+        if (legendConfig.isAlwaysUseSessionStorage())
+        {
+            return new AlwaysUseSessionProfileStorageDecision<>();
+        }
+        return new LegendUserProfileStorageDecision<>();
+    }
+
     @Override
     protected void setupJettySession(Environment environment)
     {

@@ -50,6 +50,8 @@ public final class LegendPac4jConfiguration
     private List<String> bypassPaths = ImmutableList.of();
     private List<String> bypassBranches = ImmutableList.of();
     private List<String> trustedPackages = ImmutableList.of();
+    private boolean alwaysUseSessionStorage = false;
+    private Integer maxInactiveIntervalSec;
 
     public String getSessionTokenName()
     {
@@ -89,6 +91,26 @@ public List<String> getTrustedPackages()
         return trustedPackages;
     }
 
+    public boolean isAlwaysUseSessionStorage()
+    {
+        return alwaysUseSessionStorage;
+    }
+
+    public void setAlwaysUseSessionStorage(boolean alwaysUseSessionStorage)
+    {
+        this.alwaysUseSessionStorage = alwaysUseSessionStorage;
+    }
+
+    public Integer getMaxInactiveIntervalSec()
+    {
+        return maxInactiveIntervalSec;
+    }
+
+    public void setMaxInactiveIntervalSec(Integer maxInactiveIntervalSec)
+    {
+        this.maxInactiveIntervalSec = maxInactiveIntervalSec;
+    }
+
     public void setBypassBranches(List<String> bypassBranches)
     {
         this.bypassBranches = bypassBranches;

@@ -75,6 +75,35 @@ public void testPac4jFactoryWithMultipleClients() throws Exception
     ClientFinder finder = ((DefaultSecurityLogic)((SecurityFilter)s.getFilters()[0].getFilter()).getSecurityLogic()).getClientFinder();
     assertTrue(finder instanceof LegendClientFinder);
     ProfileStorageDecision storageDecision = ((DefaultSecurityLogic)((SecurityFilter)s.getFilters()[0].getFilter()).getSecurityLogic()).getProfileStorageDecision();
+    assertTrue(storageDecision instanceof LegendUserProfileStorageDecision);
+  }
+
+  @Test
+  public void testPac4jFactoryWithAlwaysUseSessionStorageSet() throws Exception
+  {
+    LegendPac4jConfiguration config = new LegendPac4jConfiguration();
+    config.setCallbackPrefix("/test");
+    config.setClients(ImmutableList.of(new TestClient(), new SecondTestClient()));
+    config.setDefaultClient(Collections.singletonList("SecondTestClient"));
+    config.setAlwaysUseSessionStorage(true);
+    LegendPac4jBundle<Configuration> bundle = new LegendPac4jBundle<>(c -> config);
+    Pac4jFactory factory = bundle.getPac4jFactory(new Configuration());
+    Config builtConfig = factory.build();
+    Environment e = new Environment("serverEnv", null, null, new MetricRegistry(), null, new HealthCheckRegistry());
+    bundle.run(new Configuration(),e);
+    assertEquals("/test/callback", factory.getCallbackUrl());
+    assertEquals(config.getClients(), factory.getClients());
+    assertEquals(Collections.singletonList("SecondTestClient"), ((LegendClientFinder)((DefaultSecurityLogic)builtConfig.getSecurityLogic()).getClientFinder()).getDefaultClients());
+    assertEquals(config.getClients(), builtConfig.getClients().getClients());
+    FilterHolder securityHolder = e.getApplicationContext().getServletHandler().getFilter(SecurityFilter.class.getName());
+    assertNotNull("Security filter holder cannot be null", securityHolder);
+    //initialize the filter so we can confirm swaps
+    ServletHandler s =  new ServletHandler();
+    s.addFilter(securityHolder);
+    s.initialize();
+    ClientFinder finder = ((DefaultSecurityLogic)((SecurityFilter)s.getFilters()[0].getFilter()).getSecurityLogic()).getClientFinder();
+    assertTrue(finder instanceof LegendClientFinder);
+    ProfileStorageDecision storageDecision = ((DefaultSecurityLogic)((SecurityFilter)s.getFilters()[0].getFilter()).getSecurityLogic()).getProfileStorageDecision();
     assertTrue(storageDecision instanceof AlwaysUseSessionProfileStorageDecision);
   }
 

@@ -111,6 +111,10 @@ public void run(org.finos.legend.server.shared.staticserver.StaticServerConfigur
                     Environment environment)
     {
         SessionHandler sessionHandler = new SessionHandler();
+        if (Objects.nonNull(staticServerConfiguration.getPac4j().getMaxInactiveIntervalSec()))
+        {
+            sessionHandler.setMaxInactiveInterval(staticServerConfiguration.getPac4j().getMaxInactiveIntervalSec());
+        }
         if (staticServerConfiguration.getSessionCookie() != null)
         {
             sessionHandler.setSessionCookie(staticServerConfiguration.getSessionCookie());