details:   https://code.openbravo.com/erp/devel/pi/rev/be6198a5f205
changeset: 19764:be6198a5f205
user:      Asier Lostalé <asier.lostale <at> openbravo.com>
date:      Thu Feb 21 10:40:09 2013 +0100
summary:   fixed issue 23134: StyleSheet components should bypass authentication

details:   https://code.openbravo.com/erp/devel/pi/rev/0d32601d0243
changeset: 19765:0d32601d0243
user:      Asier Lostalé <asier.lostale <at> openbravo.com>
date:      Thu Feb 21 10:43:08 2013 +0100
summary:   fixed issue 23135: Bypass authentication resources create sessions

diffstat:

 
modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
               |  51 +++++++++-
 
modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/StyleSheetResourceComponent.java
 |   7 +-
 src/org/openbravo/base/secureApp/HttpSecureAppServlet.java                     
                      |   9 +-
 3 files changed, 63 insertions(+), 4 deletions(-)

diffs (129 lines):

diff -r a26f66513343 -r 0d32601d0243 
modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
--- 
a/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
    Fri Mar 01 10:39:09 2013 +0100
+++ 
b/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
    Thu Feb 21 10:43:08 2013 +0100
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2009-2012 Openbravo SLU 
+ * All portions are Copyright (C) 2009-2013 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -32,6 +32,7 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 import org.openbravo.base.ConfigParameters;
@@ -94,14 +95,60 @@
   public void service(final HttpServletRequest request, HttpServletResponse 
response)
       throws ServletException, IOException {
 
+    boolean sessionForThisRequest = false;
+    boolean bypassAuthentication = false;
+
     final String action = 
request.getParameter(KernelConstants.ACTION_PARAMETER);
     if (action == null) {
       Component component = getComponent(request);
+
       if (component instanceof BaseComponent && ((BaseComponent) 
component).bypassAuthentication()) {
-        request.getSession().setAttribute("forceLogin", "Y");
+        bypassAuthentication = true;
+        OBContext context = OBContext.getOBContext();
+        sessionForThisRequest = context == null;
+
+        HttpSession session = request.getSession(true);
+        if (sessionForThisRequest) {
+          // creating session for this request marked as forceLogin
+          session = request.getSession(true);
+          session.setAttribute("forceLogin", "Y");
+        } else {
+          // there is already a session, don't touch it
+          session = request.getSession(false);
+        }
+
+        if (session != null && "Y".equals(session.getAttribute("forceLogin"))) 
{
+          // session has been created to retrieve a non authenticated 
component, it might be several
+          // non authenticated components sharing the same session, count them 
to invalidate the
+          // session after all of them are done
+          Integer count = (Integer) 
session.getAttribute("forcedSessionsRequestCount");
+          if (count == null || count == 0) {
+            count = 1;
+          } else {
+            count += 1;
+          }
+          session.setAttribute("forcedSessionsRequestCount", count);
+        }
+
       }
     }
+
     super.service(request, response);
+
+    if (bypassAuthentication) {
+      HttpSession session = request.getSession(false);
+      if (session != null && "Y".equals(session.getAttribute("forceLogin"))) {
+        Integer count = (Integer) 
session.getAttribute("forcedSessionsRequestCount");
+        count = (count != null ? count : 0) - 1;
+
+        if (count <= 0) {
+          session.invalidate();
+          log4j.info("Invalidating session created for bypass authentication 
elements");
+        } else {
+          session.setAttribute("forcedSessionsRequestCount", count);
+        }
+      }
+    }
   }
 
   @Override
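Review bot: `HttpSession session = request.getSession(true);` at the top of the bypass branch creates a session unconditionally, before the `sessionForThisRequest` test, so the `else` path that is commented "there is already a session, don't touch it" never sees a null from `getSession(false)` — if an OBContext can exist without an HTTP session, this still allocates one for every bypass request, which is the behaviour the commit summary says it removes; declare it as `HttpSession session;` and let the two branches assign it. The `forcedSessionsRequestCount` read-modify-write on the session is also not atomic: several stylesheet requests sharing the forced session can run concurrently (the comment itself anticipates this), lost increments make the post-`service` decrement reach zero while another request is still inside `super.service`, and that request then finds its session invalidated. Keeping the count in an `AtomicInteger` stored once on the session, or synchronizing the increment and decrement on the session object, would close that window. The enclosing `service` method is fully inside the hunk.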
diff -r a26f66513343 -r 0d32601d0243 
modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/StyleSheetResourceComponent.java
--- 
a/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/StyleSheetResourceComponent.java
      Fri Mar 01 10:39:09 2013 +0100
+++ 
b/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/StyleSheetResourceComponent.java
      Thu Feb 21 10:43:08 2013 +0100
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2010-2012 Openbravo SLU
+ * All portions are Copyright (C) 2010-2013 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -247,4 +247,9 @@
     }
     return "";
   }
+
+  @Override
+  public boolean bypassAuthentication() {
+    return true;
+  }
 }
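Review bot: The new `bypassAuthentication()` override carries no Javadoc, and since it turns this component into an anonymously reachable endpoint the reason deserves to be recorded next to it; something like `/** Stylesheets are served without an authenticated session so login and error pages can be styled; the generated CSS must therefore not depend on user- or client-specific data. */` would tell the next maintainer what invariant the override relies on. Whether the component's output currently reads anything from the OBContext cannot be seen from this hunk — worth confirming before merging.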
diff -r a26f66513343 -r 0d32601d0243 
src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
--- a/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java        Fri Mar 
01 10:39:09 2013 +0100
+++ b/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java        Thu Feb 
21 10:43:08 2013 +0100
@@ -1,6 +1,6 @@
 /*
  
************************************************************************************
- * Copyright (C) 2001-2012 Openbravo S.L.U.
+ * Copyright (C) 2001-2013 Openbravo S.L.U.
  * Licensed under the Apache Software License version 2.0
  * You may obtain a copy of the License at 
http://www.apache.org/licenses/LICENSE-2.0
  * Unless required by applicable law or agreed to  in writing,  software  
distributed
@@ -1145,6 +1145,13 @@
 
   private void saveLoginBD(HttpServletRequest request, VariablesSecureApp 
vars, String strCliente,
       String strOrganizacion) throws ServletException {
+
+    if ("Y".equals(request.getSession().getAttribute("forceLogin"))) {
+      // don't create a DB session for bypass authentication resources
+      log4j.debug("Bypass session " + request.getRequestURI());
+      return;
+    }
+
     final SessionLogin sl = new SessionLogin(request, strCliente, 
strOrganizacion,
         vars.getSessionValue("#AD_User_ID"));
 
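Review bot: `request.getSession()` in the new guard creates a session when none exists, which is at odds with the purpose of this change (not materialising sessions for bypass-authentication resources); use the non-creating form and guard against null: `final HttpSession session = request.getSession(false);` followed by `if (session != null && "Y".equals(session.getAttribute("forceLogin"))) {`. The hunk does not show whether `HttpSession` is already imported in this file. `saveLoginBD` continues past the end of the hunk.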
