Hi Andrea,
Yeah, tried that but (presumably) because some processing has already
been done on the request I get an IllegalStateException, plus a redirect
doesn't feel right, it's more a retry of the same request. Anyhow, I
fixed it up by just adjusting the AuthorizationException handling in
DSpaceServlet to re-try the request after a successful authentication as
follows:
catch (AuthorizeException ae)
{
/*
* If no user is logged in, we will start authentication,
since if
* they authenticate, they might be allowed to do what they
tried to
* do. If someone IS logged in, and we got this exception,
we know
* they tried to do something they aren't allowed to, so we
display
* an error in that case.
*/
{
if (context.getCurrentUser() != null)
{
log.info(LogManager.getHeader(context,
"authorize_error", ae.toString()));
JSPManager.showAuthorizeError(request, response,
ae);
}
else
{
if (Authenticate.startAuthentication(context,
request, response))
{
doGet(request,response);
}
}
}
Not sure if that's the best way but it appears to have no side-effects.
Note there is a comment that suggests Bitstream shouldn't throw an
exception after an authorization failure but rather return a failure
status or Exception object, but I didn't really have time to investigate
this (or more specifically the side-effects this might cause elsewhere).
I'm not sure why the MIT X509 login doesn't have this issue since it's
also an implicit login, so I may have missed something along the way
that avoids this situation in the first place.
Anyhow if this "fix" is any use if someone of DSpace
authentication/authorization guru status let me know I can apply this in
SVN or submit a patch.
Scott.
Andrea Bollini wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
> Scott if this is not a bug it is a problem ;-) ...
> A simple solution, as you remark, can be add redirection also at
> implicit authentication i.e.
> in org.dspace.app.webui.util.Authenticate, line 195 add
> response.sendRedirect(UIUtil.getOriginalURL(request));
> Andrea
>
> Scott Yeadon wrote:
>
>> OK, it's not null, the authentication succeeds, but since the code drops
>> down into the AuthorizationException handling of the DSpaceServlet.java,
>> there is no redirection (implicit authentication) so it bombs out. Is
>> this a bug?
>>
>> Scott.
>>
>> Scott Yeadon wrote:
>>
>>> Hi All,
>>>
>>> I have a stackable authentication class which obtains credentials from
>>> a request. When I access a protected bitstream, the auth class works
>>> (credentials are parsed and all ok) however the context user is still
>>> null although setCurrentUser() is called before returning the SUCCESS
>>> status. The flow is:
>>>
>>> - attempt to access protected bitstream
>>> - AuhorizeAction happens, fails, throws AuthorizeException
>>> - Authenticate.startAuthentication occurs and my class in invoked with
>>> success
>>> - After return from startAuthentication the currentUser is still null
>>> (even though explicitly being set in the authenticate method), so the
>>> request fails with access denied to user 0 (default value when
>>> getCurrentUser() is null). As my class is implicit authentication
>>> there is no redirection either.
>>>
>>> I don't understand why this is null, the log message shows:
>>> 2007-06-18 14:31:47,032 INFO
>>> org.dspace.app.webui.servlet.DSpaceServlet @
>>>
>>>
> myuser:session_id=AB51545186B04E419B63AD9FF140C7BF:ip_addr=150.203.2.97:authorize_error:org.dspace.authorize.AuthorizeException:
>
>
>>> Authorization denied for action READ on BITSTREAM:32978 by user 0
>>>
>>> showing that the "myuser" user is the current user (at least in the
>>> logHeader!) but not in the context object.
>>>
>>> Anyone done this before? My code is almost identical to the X509 auth,
>>> the only real difference being where the credentials are taken from.
>>> There are no problems with the credentials or request itself, just
>>> something I'm missing with the auth flow I suspect.
>>>
>>> Scott.
>>>
>>>
>>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by DB2 Express
>> Download DB2 Express C - the FREE version of DB2 express and take
>> control of your XML. No limits. Just data. Click to get it now.
>> http://sourceforge.net/powerbar/db2/
>> _______________________________________________
>> DSpace-tech mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>>
>>
>>
>
>
> - --
> Dott. Andrea Bollini
> Responsabile tecnico sviluppo e formazione applicativi JAVA
> Sezione Servizi per le Biblioteche e l'Editoria Elettronica
> CILEA, http://www.cilea.it
> tel. +39 06-59292831 cel. +39 348-8277525
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGd3sc3atKrZgxpVcRAvZdAJ0T3XF8amIjGv7+daQEp2sI31pmjgCdG003
> gS+l7sDzK8mnEMdrTG+dq5g=
> =otDH
> -----END PGP SIGNATURE-----
>
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
