Author: gk
Date: Thu Oct 19 06:40:28 2017
New Revision: 1812601
URL: http://svn.apache.org/viewvc?rev=1812601&view=rev
Log:
- refactoring sessionvalidator
- minor bugfixes
Modified:
turbine/core/trunk/pom.xml
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/DefaultSessionValidator.java
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/SessionValidator.java
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSecureSessionValidator.java
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSessionValidator.java
turbine/core/trunk/src/java/org/apache/turbine/services/uniqueid/TurbineUniqueIdService.java
Modified: turbine/core/trunk/pom.xml
URL:
http://svn.apache.org/viewvc/turbine/core/trunk/pom.xml?rev=1812601&r1=1812600&r2=1812601&view=diff
==============================================================================
--- turbine/core/trunk/pom.xml (original)
+++ turbine/core/trunk/pom.xml Thu Oct 19 06:40:28 2017
@@ -965,7 +965,7 @@
<version>1.1.0</version>
</dependency>
<dependency>
- <!-- TODO update to 2.7.1, because of CVE-2016-4000 -->
+ <!-- TODO update to stable 2.7.1, because of CVE-2016-5699 -->
<groupId>org.python</groupId>
<artifactId>jython</artifactId>
<version>2.7.0</version>
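Review bot: The TODO now cites CVE-2016-5699 while the dependency below stays at jython 2.7.0, so whatever issue the comment tracks is still unmitigated by this commit; if the upgrade is blocked, the comment should say by what, e.g. `<!-- TODO update to stable 2.7.1; 2.7.0 is affected by <advisory id>, upgrade blocked by <reason> -->`. As far as I recall, CVE-2016-4000 is the Jython serialized-PyFunction code-execution issue fixed in 2.7.1, whereas CVE-2016-5699 is a CPython urllib header-injection issue that does not apply to this artifact, so the swap may have replaced the correct identifier with an unrelated one; please verify both against the advisory before changing the reference.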
Modified:
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/DefaultSessionValidator.java
URL:
http://svn.apache.org/viewvc/turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/DefaultSessionValidator.java?rev=1812601&r1=1812600&r2=1812601&view=diff
==============================================================================
---
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/DefaultSessionValidator.java
(original)
+++
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/DefaultSessionValidator.java
Thu Oct 19 06:40:28 2017
@@ -25,10 +25,8 @@ import org.apache.commons.logging.LogFac
import org.apache.turbine.Turbine;
import org.apache.turbine.TurbineConstants;
import org.apache.turbine.annotation.TurbineConfiguration;
-import org.apache.turbine.annotation.TurbineService;
import org.apache.turbine.om.security.User;
import org.apache.turbine.pipeline.PipelineData;
-import org.apache.turbine.services.security.SecurityService;
import org.apache.turbine.util.RunData;
/**
@@ -62,9 +60,6 @@ public class DefaultSessionValidator
/** Logging */
private static Log log = LogFactory.getLog(DefaultSessionValidator.class);
- @TurbineService
- private SecurityService security;
-
@TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE )
private String loginMessage;
@@ -74,11 +69,6 @@ public class DefaultSessionValidator
@TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE_NOSCREEN )
private String loginMessageNoScreen;
- @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
- private String screenHomepage;
-
- @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
- private String screenInvalidState;
/**
* Execute the action. The default is to populate the PipelineData
@@ -131,19 +121,7 @@ public class DefaultSessionValidator
data.setScreen(screenHomepage);
}
- if (data.getParameters().containsKey("_session_access_counter"))
- {
- // See comments in screens.error.InvalidState.
- if (data.getParameters().getInt("_session_access_counter")
- < (((Integer) data.getUser().getTemp(
- "_session_access_counter")).intValue() - 1))
- {
- data.getUser().setTemp("prev_screen", data.getScreen());
- data.getUser().setTemp("prev_parameters",
data.getParameters());
- data.setScreen(screenInvalidState);
- data.setAction("");
- }
- }
+ handleFormCounterToken(data,true);
// Comply with Turbine 4.0 standards
pipelineData.get(Turbine.class).put(User.class, data.getUser());
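Review bot: `handleFormCounterToken(data,true);` is missing the space after the comma that the two other call sites in this commit (`handleFormCounterToken(data, false);` in the template validators) use; write `handleFormCounterToken(data, true);`. The removed inline block had no anonymous-user check and neither does the screenOnly branch of the helper, so behaviour is unchanged at this call site; the enclosing method starts and ends outside the hunk.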
Modified:
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/SessionValidator.java
URL:
http://svn.apache.org/viewvc/turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/SessionValidator.java?rev=1812601&r1=1812600&r2=1812601&view=diff
==============================================================================
---
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/SessionValidator.java
(original)
+++
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/SessionValidator.java
Thu Oct 19 06:40:28 2017
@@ -1,5 +1,9 @@
package org.apache.turbine.modules.actions.sessionvalidator;
+import org.apache.turbine.TurbineConstants;
+import org.apache.turbine.annotation.TurbineConfiguration;
+import org.apache.turbine.annotation.TurbineService;
+
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
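Review bot: The three new imports are inserted between the package declaration and the license header, while the other two new imports of this file (SecurityService, RunData) go into the existing import block further down; keep all imports in the one block after the license comment, sorted with the existing ones. Splitting them across the header is legal but makes the license comment look like it belongs to the imports and will be flagged by the usual import-order checks.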
@@ -20,6 +24,8 @@ package org.apache.turbine.modules.actio
*/
import org.apache.turbine.modules.Action;
+import org.apache.turbine.services.security.SecurityService;
+import org.apache.turbine.util.RunData;
/**
* The SessionValidator attempts to retrieve the User object from the
@@ -46,5 +52,73 @@ import org.apache.turbine.modules.Action
*/
public abstract class SessionValidator extends Action
{
+
+ @TurbineService
+ protected SecurityService security;
+
+ @TurbineConfiguration( TurbineConstants.TEMPLATE_HOMEPAGE )
+ protected String templateHomepage;
+
+ @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
+ protected String screenHomepage;
+
+ @TurbineConfiguration( TurbineConstants.TEMPLATE_INVALID_STATE )
+ protected String templateInvalidState;
+
+ @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
+ protected String screenInvalidState;
+
+ // the session_access_counter can be placed as a hidden field in
+ // forms. This can be used to prevent a user from using the
+ // browsers back button and submitting stale data.
+ /**
+ *
+ * @param data
+ * @param screenOnly {@link DefaultSessionValidator}
+ */
+ protected void handleFormCounterToken( RunData data, boolean screenOnly )
+ {
+ if (data.getParameters().containsKey("_session_access_counter"))
+ {
+ if (screenOnly) {
+ // See comments in screens.error.InvalidState.
+ if (data.getParameters().getInt("_session_access_counter")
+ < (((Integer) data.getUser().getTemp(
+ "_session_access_counter")).intValue() - 1))
+ {
+ data.getUser().setTemp("prev_screen", data.getScreen());
+ data.getUser().setTemp("prev_parameters",
data.getParameters());
+ data.setScreen(screenInvalidState);
+ data.setAction("");
+ }
+ } else {
+ if (!security.isAnonymousUser(data.getUser()))
+ {
+ // See comments in screens.error.InvalidState.
+ if (data.getParameters().getInt("_session_access_counter")
+ < (((Integer) data.getUser().getTemp(
+ "_session_access_counter")).intValue() - 1))
+ {
+ if (data.getTemplateInfo().getScreenTemplate() != null)
+ {
+ data.getUser().setTemp("prev_template",
+ data.getTemplateInfo().getScreenTemplate()
+ .replace('/', ','));
+
data.getTemplateInfo().setScreenTemplate(templateInvalidState);
+ }
+ else
+ {
+ data.getUser().setTemp("prev_screen",
+
data.getScreen().replace('/', ','));
+ data.setScreen(screenInvalidState);
+ }
+ data.getUser().setTemp("prev_parameters",
data.getParameters());
+ data.setAction("");
+ }
+ }
+ }
+ }
+
+ }
// empty
}
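Review bot: `(Integer) data.getUser().getTemp("_session_access_counter")` is dereferenced in both branches of handleFormCounterToken without a null check, so a request that carries the `_session_access_counter` parameter while the user's temp storage holds no counter (a session that never rendered a form, or a client-supplied parameter on a fresh session) ends in a NullPointerException instead of a validation result; the parameter is client input, and only the stored value makes the comparison meaningful. The parameter/temp comparison is also written twice; pulling it into one guarded check, as below, removes the duplication and the NPE and treats a missing stored counter as "nothing to compare" (confirm that this, rather than redirecting to the invalid-state page, is the intended policy). The Javadoc is empty: `@param data` needs a description and `@param screenOnly {@link DefaultSessionValidator}` should say what the flag selects, e.g. `true for screen-based validators: only the screen is redirected and the anonymous-user check is skipped; false for template-based validators, which also redirect the screen template`, and the `// the session_access_counter can be placed as a hidden field ...` comment above it belongs in that Javadoc as the method summary.
```java
    protected void handleFormCounterToken( RunData data, boolean screenOnly )
    {
        if (!data.getParameters().containsKey("_session_access_counter"))
        {
            return;
        }
        if (!screenOnly && security.isAnonymousUser(data.getUser()))
        {
            return;
        }
        // The stored counter only exists once a form has been rendered in this
        // session; without it there is nothing to compare the request against.
        Object stored = data.getUser().getTemp("_session_access_counter");
        if (!(stored instanceof Integer))
        {
            return;
        }
        // See comments in screens.error.InvalidState.
        boolean stale = data.getParameters().getInt("_session_access_counter")
                < ((Integer) stored).intValue() - 1;
        if (!stale)
        {
            return;
        }
        if (screenOnly)
        {
            data.getUser().setTemp("prev_screen", data.getScreen());
            data.getUser().setTemp("prev_parameters", data.getParameters());
            data.setScreen(screenInvalidState);
            data.setAction("");
            return;
        }
        // … unchanged: the template / screen redirect from the former else branch …
```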
Modified:
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSecureSessionValidator.java
URL:
http://svn.apache.org/viewvc/turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSecureSessionValidator.java?rev=1812601&r1=1812600&r2=1812601&view=diff
==============================================================================
---
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSecureSessionValidator.java
(original)
+++
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSecureSessionValidator.java
Thu Oct 19 06:40:28 2017
@@ -39,7 +39,7 @@ import org.apache.turbine.util.RunData;
*
* Templating services requires a different Session Validator
* because of the way it handles screens. If you use the WebMacro or
- * Velocity Service with the DefaultSessionValidator, users will be able to
+ * Velocity Service with the {@link DefaultSessionValidator}, users will be
able to
* bypass login by directly addressing the template using
* template/index.wm. This is because the Page class looks for the
* keyword "template" in the Path information and if it finds it will
@@ -62,8 +62,6 @@ public class TemplateSecureSessionValida
private static Log log = LogFactory.getLog(
TemplateSecureSessionValidator.class);
- @TurbineService
- private SecurityService security;
@TurbineConfiguration( TurbineConstants.LOGIN_MESSAGE )
private String loginMessage;
@@ -71,17 +69,6 @@ public class TemplateSecureSessionValida
@TurbineConfiguration( TurbineConstants.TEMPLATE_LOGIN )
private String templateLogin;
- @TurbineConfiguration( TurbineConstants.TEMPLATE_HOMEPAGE )
- private String templateHomepage;
-
- @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
- private String screenHomepage;
-
- @TurbineConfiguration( TurbineConstants.TEMPLATE_INVALID_STATE )
- private String templateInvalidState;
-
- @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
- private String screenInvalidState;
/**
* doPerform is virtually identical to DefaultSessionValidator
@@ -148,37 +135,8 @@ public class TemplateSecureSessionValida
{
data.setScreen(screenHomepage);
}
- }
-
- // The session_access_counter can be placed as a hidden field in
- // forms. This can be used to prevent a user from using the
- // browsers back button and submitting stale data.
- // FIXME!! a template needs to be written to use this with templates.
-
- if (data.getParameters().containsKey("_session_access_counter")
- && !security.isAnonymousUser(data.getUser()))
- {
- // See comments in screens.error.InvalidState.
- if (data.getParameters().getInt("_session_access_counter")
- < (((Integer) data.getUser().getTemp(
- "_session_access_counter")).intValue() - 1))
- {
- if (data.getTemplateInfo().getScreenTemplate() != null)
- {
- data.getUser().setTemp("prev_template",
- data.getTemplateInfo().getScreenTemplate()
- .replace('/', ','));
-
data.getTemplateInfo().setScreenTemplate(templateInvalidState);
- }
- else
- {
- data.getUser().setTemp("prev_screen",
- data.getScreen().replace('/', ','));
- data.setScreen(screenInvalidState);
- }
- data.getUser().setTemp("prev_parameters",
data.getParameters());
- data.setAction("");
- }
+ } else {
+ handleFormCounterToken(data, false);
}
// We do not want to allow both a screen and template parameter.
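Review bot: The counter check is now the `else` branch of the preceding block (its opening `if` is outside the hunk), whereas the removed lines ran it unconditionally after that block had closed; if that block is the fallback that assigns the homepage when neither a screen nor a template was requested, a request with a stale `_session_access_counter` but no screen/template is no longer redirected to the invalid-state page. That is a behaviour change the log message ("refactoring", "minor bugfixes") does not mention; if it is intended, a comment on the `else` should say so, e.g. `// no screen/template requested: the homepage is shown, so the form counter is not checked`, otherwise keep the call after the block as before. TemplateSessionValidator already used `else if` here, so only this file changes behaviour.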
Modified:
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSessionValidator.java
URL:
http://svn.apache.org/viewvc/turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSessionValidator.java?rev=1812601&r1=1812600&r2=1812601&view=diff
==============================================================================
---
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSessionValidator.java
(original)
+++
turbine/core/trunk/src/java/org/apache/turbine/modules/actions/sessionvalidator/TemplateSessionValidator.java
Thu Oct 19 06:40:28 2017
@@ -23,18 +23,14 @@ import org.apache.commons.lang.StringUti
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.turbine.Turbine;
-import org.apache.turbine.TurbineConstants;
-import org.apache.turbine.annotation.TurbineConfiguration;
-import org.apache.turbine.annotation.TurbineService;
import org.apache.turbine.om.security.User;
import org.apache.turbine.pipeline.PipelineData;
-import org.apache.turbine.services.security.SecurityService;
import org.apache.turbine.util.RunData;
/**
* SessionValidator for use with the Template Service, the
* TemplateSessionValidator is virtually identical to the
- * TemplateSecureValidator except that it does not transfer to the
+ * {@link TemplateSecureSessionValidator} except that it does not transfer to
the
* login page when it detects a null user (or a user not logged in).
*
* <p>The Template Service requires a different Session Validator
@@ -56,21 +52,6 @@ public class TemplateSessionValidator
/** Logging */
private static Log log = LogFactory.getLog(TemplateSessionValidator.class);
- @TurbineService
- private SecurityService security;
-
- @TurbineConfiguration( TurbineConstants.TEMPLATE_HOMEPAGE )
- private String templateHomepage;
-
- @TurbineConfiguration( TurbineConstants.SCREEN_HOMEPAGE )
- private String screenHomepage;
-
- @TurbineConfiguration( TurbineConstants.TEMPLATE_INVALID_STATE )
- private String templateInvalidState;
-
- @TurbineConfiguration( TurbineConstants.SCREEN_INVALID_STATE )
- private String screenInvalidState;
-
/**
* Execute the action.
*
@@ -106,34 +87,8 @@ public class TemplateSessionValidator
{
data.setScreen(screenHomepage);
}
- }
- // the session_access_counter can be placed as a hidden field in
- // forms. This can be used to prevent a user from using the
- // browsers back button and submitting stale data.
- else if (data.getParameters().containsKey("_session_access_counter")
- && !security.isAnonymousUser(data.getUser()))
- {
- // See comments in screens.error.InvalidState.
- if (data.getParameters().getInt("_session_access_counter")
- < (((Integer) data.getUser().getTemp(
- "_session_access_counter")).intValue() - 1))
- {
- if (data.getTemplateInfo().getScreenTemplate() != null)
- {
- data.getUser().setTemp("prev_template",
- data.getTemplateInfo().getScreenTemplate()
- .replace('/', ','));
-
data.getTemplateInfo().setScreenTemplate(templateInvalidState);
- }
- else
- {
- data.getUser().setTemp("prev_screen",
- data.getScreen().replace('/', ','));
- data.setScreen(screenInvalidState);
- }
- data.getUser().setTemp("prev_parameters",
data.getParameters());
- data.setAction("");
- }
+ } else {
+ handleFormCounterToken(data, false);
}
// we do not want to allow both a screen and template parameter.
Modified:
turbine/core/trunk/src/java/org/apache/turbine/services/uniqueid/TurbineUniqueIdService.java
URL:
http://svn.apache.org/viewvc/turbine/core/trunk/src/java/org/apache/turbine/services/uniqueid/TurbineUniqueIdService.java?rev=1812601&r1=1812600&r2=1812601&view=diff
==============================================================================
---
turbine/core/trunk/src/java/org/apache/turbine/services/uniqueid/TurbineUniqueIdService.java
(original)
+++
turbine/core/trunk/src/java/org/apache/turbine/services/uniqueid/TurbineUniqueIdService.java
Thu Oct 19 06:40:28 2017
@@ -75,7 +75,7 @@ public class TurbineUniqueIdService
MessageDigest md = MessageDigest.getInstance("MD5");
byte [] bytesId = md.digest(url.getBytes("UTF-8"));
- turbineId = new String(Base64.encodeBase64(bytesId));
+ turbineId = new String(Base64.encodeBase64(bytesId),"UTF-8");
log.info("This is Turbine instance running at: " + url);
log.info("The instance id is #" + turbineId);
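Review bot: The explicit charset on the new line is right, but the `String(byte[], String)` overload throws the checked UnsupportedEncodingException, which the enclosing method (its start is outside the hunk) must already handle for `url.getBytes("UTF-8")` on the line above; if the project targets Java 7 or later, `new String(Base64.encodeBase64(bytesId), StandardCharsets.UTF_8)` and `url.getBytes(StandardCharsets.UTF_8)` avoid that checked exception and the runtime charset lookup. Base64 output is pure ASCII, so the decoded id is identical under any ASCII-compatible charset; the change removes the dependence on the platform default rather than altering observable output, and a one-line comment saying so would stop the next reader from looking for a functional fix here.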