Hello Oved Ourfali,
I'd like you to do a code review. Please visit
http://gerrit.ovirt.org/12588
to review the following change.
Change subject: restapi: Omit of prefer header doesn't turn off session based
authentication #916582
......................................................................
restapi: Omit of prefer header doesn't turn off session based authentication
#916582
This patch makes sure we take the http session in case it exists, even
if the prefer auth header isn't set.
That way, the last request without the prefer header will succeed, and
then we would log out. Also, the first request with the prefer header
will create a new session, as expected. Requests without the prefer
header will not create a session, and no cookie will be returned.
Change-Id: Ie61285212c4050bc6dc2c744b3d281648ea542ca
Bug-Url: https://bugzilla.redhat.com/916582
Signed-off-by: Oved Ourfali <[email protected]>
---
M
backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
1 file changed, 4 insertions(+), 4 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/88/12588/1
diff --git
a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
index bdfddef..8fc9fe1 100644
---
a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
+++
b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
@@ -84,10 +84,10 @@
boolean preferPersistentAuth = checkPersistentAuthentication(headers);
boolean hasAuthorizationHeader = checkAuthorizationHeader(headers);
- if (preferPersistentAuth) {
- // Will create a new one if it is the first session, and then the
"isNew" test below will return true
- httpSession = getCurrentSession(true);
- }
+ // Will create a new one if it is the first session, and we want to
persist sessions
+ // (and then the "isNew" test below will return true)
+ // Otherwise, it will return null
+ httpSession = getCurrentSession(preferPersistentAuth);
// If the session isn't new and doesn't carry authorization header, we
validate it
if (validator != null && httpSession != null && !httpSession.isNew()
&& !hasAuthorizationHeader) {
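Review bot: The new comment above `httpSession = getCurrentSession(preferPersistentAuth);` says "Otherwise, it will return null", which contradicts what the commit message relies on: when the prefer header is absent, the call is expected to return the existing session if there is one, and null only when there is none. Please reword the comment to say that, because the validation condition that follows (`httpSession != null && !httpSession.isNew() && !hasAuthorizationHeader`) is now reached for requests that carry only a session cookie and no prefer header. The commit message also states that such a request "will succeed, and then we would log out", but nothing in this hunk invalidates the session; please point to where that happens, and consider a test for a request with an existing session and no prefer header.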
--
To view, visit http://gerrit.ovirt.org/12588
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie61285212c4050bc6dc2c744b3d281648ea542ca
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: engine_3.2
Gerrit-Owner: Michael Pasternak <[email protected]>
Gerrit-Reviewer: Oved Ourfali <[email protected]>