Thanks Andrew,
I have added your comment in
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
Jacques
From: <[email protected]>
Author: jaz
Date: Mon Jan 5 11:46:16 2009
New Revision: 731660
URL: http://svn.apache.org/viewvc?rev=731660&view=rev
Log:
implemented per-site "protect" settings. Instead of only per request or per instance (setting in security.properties), now we
support per application with a new <protect view="name_of_view"/> element in controller.xml. If the "protect" response is not
found, first it will check for an application default before falling back to per instance.
Modified:
ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java
Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=731660&r1=731659&r2=731660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
+++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Mon Jan 5 11:46:16 2009
@@ -26,6 +26,7 @@
<xs:element minOccurs="0" ref="owner"/>
<xs:element minOccurs="0" ref="errorpage"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="handler"/>
+ <xs:element minOccurs="0" maxOccurs="1" ref="protect"/>
<xs:element minOccurs="0" ref="firstvisit"/>
<xs:element minOccurs="0" ref="preprocessor"/>
<xs:element minOccurs="0" ref="postprocessor"/>
@@ -74,6 +75,14 @@
</xs:attribute>
<xs:attribute type="xs:string" name="class" use="required"/>
</xs:attributeGroup>
+ <xs:element name="protect">
+ <xs:complexType>
+ <xs:attributeGroup ref="attlist.protect"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:attributeGroup name="attlist.protect">
+ <xs:attribute type="xs:string" name="view" use="required"/>
+ </xs:attributeGroup>
<xs:element name="firstvisit">
<xs:complexType>
<xs:sequence>
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=731660&r1=731659&r2=731660&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
Mon Jan 5 11:46:16 2009
@@ -171,6 +171,7 @@
/** Site Config Variables */
public static final String DEFAULT_ERROR_PAGE = "errorpage";
+ public static final String DEFAULT_PROTECT_VIEW = "protect";
public static final String SITE_OWNER = "owner";
public static final String SECURITY_CLASS = "security-class";
public static final String FIRSTVISIT = "firstvisit";
@@ -501,6 +502,14 @@
String errorpage = UtilXml.childElementValue(root, DEFAULT_ERROR_PAGE);
if (UtilValidate.isNotEmpty(errorpage)) map.put(DEFAULT_ERROR_PAGE,
errorpage);
+ // default protect view
+ Element protectElement = UtilXml.firstChildElement(root,
DEFAULT_PROTECT_VIEW);
+ String protectview;
+ if (protectElement != null) {
+ protectview = protectElement.getAttribute("view");
+ if (protectview != null) map.put(DEFAULT_PROTECT_VIEW,
protectview);
+ }
+
// site owner
String owner = UtilXml.childElementValue(root, SITE_OWNER);
if (UtilValidate.isNotEmpty(owner)) map.put(SITE_OWNER, owner);
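Review bot: The added `if (protectview != null)` guard never filters anything if `Element` here is org.w3c.dom.Element, because `getAttribute` returns an empty string, not null, when the attribute is absent. A `<protect>` element with a missing or empty `view` would then store "" as the application default, and the fallback in RequestHandler.java, which tests only `nextView == null`, would not reach the security.properties view; what the handler does with an empty view name is not visible here. To match the neighbouring lines, the guard should be `if (UtilValidate.isNotEmpty(protectview)) map.put(DEFAULT_PROTECT_VIEW, protectview);`. The enclosing method starts and ends outside the hunk.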
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=731660&r1=731659&r2=731660&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Mon Jan 5 11:46:16 2009
@@ -230,7 +230,10 @@
eventReturnString = "protect";
// check to see if there is an "protect" response, if so it's ok else show the
default_error_response_view
if (null ==
requestManager.getRequestAttribute(requestUri, "protect")) {
- nextView = UtilProperties.getPropertyValue("security.properties",
"default.error.response.view");
+ nextView =
requestManager.getDefaultProtectView();
+ if (nextView == null) {
+ nextView = UtilProperties.getPropertyValue("security.properties",
"default.error.response.view");
+ }
}
}
} else if (returnString == null) {
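Review bot: The context comment above the `null ==` check still says a missing "protect" response leads straight to the default_error_response_view, which is no longer the whole lookup order after this change. Since this decides which view a request sees when an event returns "protect", the comment should state the full chain, for example `// no "protect" response on this request: use the application's <protect view="..."/> default from controller.xml,` followed by `// and only if that is not set, default.error.response.view from security.properties`. The enclosing block begins outside the hunk.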
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java?rev=731660&r1=731659&r2=731660&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestManager.java
Mon Jan 5 11:46:16 2009
@@ -298,6 +298,11 @@
return "/error/error.jsp";
}
+ /** Gets the default "protect" view; used when no "protect" response type
and :_protect_: is used */
+ public String getDefaultProtectView() {
+ return (String)
ConfigXMLReader.getConfigMap(configFileUrl).get(ConfigXMLReader.DEFAULT_PROTECT_VIEW);
+ }
+
public boolean requiresAuth(String uriStr) {
Map<String, Object> uri = getRequestMapMap(uriStr);