[OpenbravoERP-commits] devel/pi: Fixes issue 27372: Some parts of the KernelServlet sho...

Fri, 22 Aug 2014 00:36:42 -0700 

details:   https://code.openbravo.com/erp/devel/pi/rev/3b2473c7f544
changeset: 24297:3b2473c7f544
user:      Augusto Mauch <augusto.mauch <at> openbravo.com>
date:      Fri Aug 22 09:28:39 2014 +0200
summary:   Fixes issue 27372: Some parts of the KernelServlet should be thread 
safe

The code that handles the forced sessions request counter should be thread 
safe, so it has been moved to a synchronized block.

diffstat:

 
modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
 |  92 +++++----
 1 files changed, 48 insertions(+), 44 deletions(-)

diffs (151 lines):

diff -r 8df7bdd96f21 -r 3b2473c7f544 
modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
--- 
a/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
    Fri Aug 22 02:17:33 2014 +0000
+++ 
b/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
    Fri Aug 22 09:28:39 2014 +0200
@@ -51,7 +51,7 @@
  */
 public class KernelServlet extends BaseKernelServlet {
   // private static final Logger log = 
Logger.getLogger(DataSourceServlet.class);
-  private static final Logger log4j = Logger.getLogger(KernelServlet.class);
+  private static final Logger log = Logger.getLogger(KernelServlet.class);
 
   // this is needed to support logout deep in the code...
   // TODO: make it easier to get to the authentication manager from
@@ -81,6 +81,48 @@
     return servletPathPart;
   }
 
+  // the inc and dec by passauthentication count must be synchronized
+  // and static, there might be multiple kernelservlets and multiple threads
+  // may use the same kernelservlet
+  // TODO: synchronize on the session object instead of on a static
+  protected static synchronized void 
incBypassAuthenticationCount(HttpServletRequest request) {
+    HttpSession session = request.getSession(true);
+    OBContext context = OBContext.getOBContext();
+    boolean sessionForThisRequest = context == null
+        || session.getAttribute("#Authenticated_user") == null;
+
+    if (sessionForThisRequest) {
+      session.setAttribute("forceLogin", "Y");
+    }
+
+    if (session != null && "Y".equals(session.getAttribute("forceLogin"))) {
+      // session has been created to retrieve a non authenticated component, 
it might be several
+      // non authenticated components sharing the same session, count them to 
invalidate the
+      // session after all of them are done
+      Integer count = (Integer) 
session.getAttribute("forcedSessionsRequestCount");
+      if (count == null || count == 0) {
+        count = 1;
+      } else {
+        count += 1;
+      }
+      session.setAttribute("forcedSessionsRequestCount", count);
+    }
+  }
+
+  protected static synchronized void decBypassAuthenticationCount(HttpSession 
session) {
+    if (session != null && "Y".equals(session.getAttribute("forceLogin"))) {
+      Integer count = (Integer) 
session.getAttribute("forcedSessionsRequestCount");
+      count = (count != null ? count : 0) - 1;
+
+      if (count <= 0) {
+        session.invalidate();
+        log.debug("Invalidating session created for bypass authentication 
elements");
+      } else {
+        session.setAttribute("forcedSessionsRequestCount", count);
+      }
+    }
+  }
+
   @Inject
   @Any
   private Instance<ComponentProvider> componentProviders;
@@ -97,7 +139,6 @@
   public void service(final HttpServletRequest request, HttpServletResponse 
response)
       throws ServletException, IOException {
 
-    boolean sessionForThisRequest = false;
     boolean bypassAuthentication = false;
 
     final String action = 
request.getParameter(KernelConstants.ACTION_PARAMETER);
@@ -106,34 +147,7 @@
 
       if (component instanceof BaseComponent && ((BaseComponent) 
component).bypassAuthentication()) {
         bypassAuthentication = true;
-        OBContext context = OBContext.getOBContext();
-
-        sessionForThisRequest = context == null
-            || request.getSession().getAttribute("#Authenticated_user") == 
null;
-
-        HttpSession session = request.getSession(true);
-        if (sessionForThisRequest) {
-          // creating session for this request marked as forceLogin
-          session = request.getSession(true);
-          session.setAttribute("forceLogin", "Y");
-        } else {
-          // there is already a session, don't touch it
-          session = request.getSession(false);
-        }
-
-        if (session != null && "Y".equals(session.getAttribute("forceLogin"))) 
{
-          // session has been created to retrieve a non authenticated 
component, it might be several
-          // non authenticated components sharing the same session, count them 
to invalidate the
-          // session after all of them are done
-          Integer count = (Integer) 
session.getAttribute("forcedSessionsRequestCount");
-          if (count == null || count == 0) {
-            count = 1;
-          } else {
-            count += 1;
-          }
-          session.setAttribute("forcedSessionsRequestCount", count);
-        }
-
+        incBypassAuthenticationCount(request);
       }
     }
 
@@ -141,17 +155,7 @@
 
     if (bypassAuthentication) {
       HttpSession session = request.getSession(false);
-      if (session != null && "Y".equals(session.getAttribute("forceLogin"))) {
-        Integer count = (Integer) 
session.getAttribute("forcedSessionsRequestCount");
-        count = (count != null ? count : 0) - 1;
-
-        if (count <= 0) {
-          session.invalidate();
-          log4j.debug("Invalidating session created for bypass authentication 
elements");
-        } else {
-          session.setAttribute("forcedSessionsRequestCount", count);
-        }
-      }
+      decBypassAuthenticationCount(session);
     }
   }
 
@@ -229,7 +233,7 @@
       pw.write(result);
       pw.close();
     } catch (Exception e) {
-      log4j.error(e.getMessage(), e);
+      log.error(e.getMessage(), e);
       if (!response.isCommitted()) {
         response.setContentType(KernelConstants.JAVASCRIPT_CONTENTTYPE);
         response.setHeader(RESPONSE_HEADER_CONTENTTYPE, 
KernelConstants.JAVASCRIPT_CONTENTTYPE);
@@ -261,7 +265,7 @@
 
       if (OBContext.getOBContext() != null && 
OBContext.getOBContext().isPortalRole()) {
         if (!(actionHandler instanceof PortalAccessible)) {
-          log4j.error("Portal user " + OBContext.getOBContext().getUser() + " 
with role "
+          log.error("Portal user " + OBContext.getOBContext().getUser() + " 
with role "
               + OBContext.getOBContext().getRole()
               + " is trying to access to non granted action handler " + 
request.getRequestURL()
               + "?" + request.getQueryString());
@@ -271,7 +275,7 @@
 
       actionHandler.execute();
     } catch (Exception e) {
-      log4j.error("Error executing action " + action + " error: " + 
e.getMessage(), e);
+      log.error("Error executing action " + action + " error: " + 
e.getMessage(), e);
       if (!response.isCommitted()) {
         response.setContentType(KernelConstants.JAVASCRIPT_CONTENTTYPE);
         response.setHeader(RESPONSE_HEADER_CONTENTTYPE, 
KernelConstants.JAVASCRIPT_CONTENTTYPE);

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Openbravo-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openbravo-commits

Reply via email to