details: https://code.openbravo.com/erp/devel/pi/rev/6d6a3a710fd2
changeset: 33656:6d6a3a710fd2
user: Asier Lostalé <asier.lostale <at> openbravo.com>
date: Thu Mar 08 12:43:49 2018 +0100
summary: fixed bug 38079: row created in ad_session opening openbravo base url

When serving index.jsp after having served the login page in the same browser, a new row in ad_session was created. The login page creates a new HttpSession without a corresponding ad_session row; index.jsp detected this session and invoked AuthenticationManager's authenticate method without user/password, creating that row in this flow. Authenticate is invoked for the case where a valid session is already present. This case is now covered by ensuring that, in case there is an HttpSession, it also has an ad_session before invoking authenticate. If an HttpSession is present but there is no ad_session, the flow stops.

details: https://code.openbravo.com/erp/devel/pi/rev/cbec1a26a9f4
changeset: 33657:cbec1a26a9f4
user: Asier Lostalé <asier.lostale <at> openbravo.com>
date: Thu Mar 08 16:59:52 2018 +0100
summary: fixed bug 38075: row created in ad_session after Tomcat expires session

AuthenticationManager created a new ad_session row when trying to authenticate on an already invalidated session, which occurs on Tomcat session expiration. To prevent this, ad_session records now won't be created for an empty username, which is what this case triggers.

diffstat:
src/index.jsp | 5 +++--
src/org/openbravo/authentication/AuthenticationManager.java | 8 +++++++-
2 files changed, 10 insertions(+), 3 deletions(-)

diffs (48 lines):
diff -r 47ea594cdcbb -r cbec1a26a9f4 src/index.jsp --- a/src/index.jsp Thu Mar 08 15:45:10 2018 +0000 +++ b/src/index.jsp Thu Mar 08 16:59:52 2018 +0100 @@ -39,7 +39,7 @@ * under the License. * The Original Code is Openbravo ERP. * The Initial Developer of the Original Code is Openbravo SLU - * All portions are Copyright (C) 2011-2017 Openbravo SLU + * All portions are Copyright (C) 2011-2018 Openbravo SLU * All Rights Reserved. * Contributor(s): ______________________________________. ************************************************************************
@@ -48,9 +48,10 @@ Logger log = Logger.getLogger(org.openbravo.authentication.AuthenticationManager.class); HttpSession currentSession = request.getSession(false); +boolean adSessionPresent = currentSession != null && currentSession.getAttribute("#AD_SESSION_ID") != null; AuthenticationManager authManager = AuthenticationManager.getAuthenticationManager(this); -if (currentSession == null) { +if (!adSessionPresent) { response.sendRedirect(authManager.getLoginURL(request)); return; } diff -r 47ea594cdcbb -r cbec1a26a9f4 src/org/openbravo/authentication/AuthenticationManager.java --- a/src/org/openbravo/authentication/AuthenticationManager.java Thu Mar 08 15:45:10 2018 +0000 +++ b/src/org/openbravo/authentication/AuthenticationManager.java Thu Mar 08 16:59:52 2018 +0100 @@ -1,6 +1,6 @@ /* ************************************************************************************ - * Copyright (C) 2001-2017 Openbravo S.L.U. + * Copyright (C) 2001-2018 Openbravo S.L.U. * Licensed under the Apache Software License version 2.0 * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 * Unless required by applicable law or agreed to in writing, software distributed 
@@ -531,6 +531,12 @@ protected final String createDBSession(HttpServletRequest req, String strUser, String strUserAuth, String successSessionType) { try { + if (strUserAuth == null && StringUtils.isEmpty(strUser)) { + // do not create ad_session row for empty user name, this can happen if trying to + // authenticate an invalidated session, no need to reflect it in DB + return null; + } + String usr = strUserAuth == null ? "0" : strUserAuth; final SessionLogin sl = new SessionLogin(req, "0", "0", usr);
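Review bot: in the index.jsp hunk at @@ -48,9 +48,10 @@, the redirect branch now also fires for a live HttpSession that merely lacks the `#AD_SESSION_ID` attribute, but that session is left untouched; if nothing else discards it, consider calling `currentSession.invalidate()` before `response.sendRedirect(authManager.getLoginURL(request));` so a container session with no backing ad_session row does not outlive the redirect. The attribute key `"#AD_SESSION_ID"` is also hard-coded here as a string literal; reference the constant used where AuthenticationManager sets it (if one exists) so the two cannot drift apart, and add a short comment stating that this attribute is the marker for an existing ad_session row, since that invariant is what the new check depends on.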
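Review bot: in the AuthenticationManager.java hunk at @@ -531,6 +531,12 @@, the early `return null;` makes a null return a normal outcome of `createDBSession`, but the diff does not show any caller being updated; confirm every caller tolerates null (wherever the returned session id is stored, compared or logged), otherwise the fix trades an unwanted ad_session row for a NullPointerException on expired sessions. The guard uses `StringUtils.isEmpty(strUser)` and no import is added in this diff, so verify `StringUtils` is already imported in this file (the hunk only shows the license header). Minor: the comment would read better as "this can happen when authenticating an already invalidated session; no need to reflect it in the DB", and a debug-level log in this branch would keep an unexpectedly high rate of empty-user authentication attempts observable.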