[ofbiz-framework] branch release18.12 updated: Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047)

jleroux Sat, 13 Feb 2021 03:33:34 -0800

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git



The following commit(s) were added to refs/heads/release18.12 by this push:
     new 1ed018c  Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on 
non-authentication pages (OFBIZ-12047)
1ed018c is described below

commit 1ed018c677836b4eebb1ba82da8a12ee983474a4
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Feb 13 12:29:02 2021 +0100

    Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication 
pages (OFBIZ-12047)
    
    After some small study, it seem there is a problem because login request not
    require authentication
    
    I have tried to add a test to check if current request is login and only if 
it's
    not to remove PREVIOUS_REQUEST Session Attribute, it seem better with this
    modification.
    
    Thanks: Olivier for the patch and Michael for suggesting to parameterize 
using
    a property. I simply used EntityUtilProperties.getPropertyValue instead of
    UtilProperties.getPropertyValue
    
    Conflicts: handled by hand
     framework/security/config/security.properties
---
 framework/security/config/security.properties               |  6 +++++-
 .../org/apache/ofbiz/webapp/control/RequestHandler.java     | 13 +++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index a5159f7..6ee20ea 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -184,7 +184,7 @@ templateClassResolver=
 #--
 #-- If you want to get more image formats then use imageJ:
 #-- For imagejSupportedFormats see 
https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej.
 NOTE: plugins support is important here
-#-- 
imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lu
 [...]
+#-- 
imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lu
 [...]
 #--
 #-- PDFBox and PDFReader are used for PDF files
 #--
@@ -195,3 +195,7 @@ templateClassResolver=
 #-- people may like to allow more than what is allowed OOTB
 #-- As it name says, allowAllUploads opens all possibilities
 allowAllUploads=
+
+#-- uri used for login (cf jira OFBIZ-12047)
+#-- it's a list, each uri should be separated by comma, without space
+login.uris=login
\ No newline at end of file
diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index e2cc912..8490af0 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -502,8 +502,17 @@ public class RequestHandler {
                 }
             }
         } else {
-            // Remove previous request attribute on navigation to 
non-authenticated request
-            request.getSession().removeAttribute("_PREVIOUS_REQUEST_");
+            String[] loginUris = 
EntityUtilProperties.getPropertyValue("security", "login.uris", 
delegator).split(",");
+            boolean removePreviousRequest = true;
+            for (int i = 0; i < loginUris.length; i++) {
+                if (requestUri.equals(loginUris[i])) {
+                    removePreviousRequest = false;
+                }
+            }
+            if (removePreviousRequest) {
+                // Remove previous request attribute on navigation to 
non-authenticated request
+                request.getSession().removeAttribute("_PREVIOUS_REQUEST_");
+            }
         }
 
         if (request.getAttribute("targetRequestUri") == null) {

[ofbiz-framework] branch release18.12 updated: Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047)

Reply via email to