Let me get down to the specifics:
==========================================================================
Turbine.doGet:
// Deletes all the objects bound to session
// or invalidates the session (which is a better approach).
// QUESTION: This makes saving the previous request impossible, so why do
// this?
//...
if (data.getAction().equalsIgnoreCase(TurbineResources.getString("action.login")))
{
    String[] names = data.getSession().getValueNames();
    if (names != null) {
        for (int i = 0; i < names.length; i++) {
            data.getSession().removeValue(names[i]);
        }
    }
}
ActionLoader.getInstance().exec(data, data.getAction());
data.setAction(null);
//...
===========================================================================
LoginUser.doPerform:
// if there's already a valid user object in the session, return.
// QUESTION: Is this the only reason why session is cleaned up?
// QUESTION: Then why is it here in the first place?
// In the code comment, "This prevents a db hit on second Action call
// during page generation.". Meaning second LoginUser action call?
// But the action is set to 'null' after LoginUser is executed,
// so Page no longer has any Action to execute after successful login.
//...
if (data.getUserFromSession() != null)
{
    return;
}
//...
I guess these are my questions to be exact.
My suggestion is to:
1. delete the above code in LoginUser.doPerform
2. remove the code that "invalidates" the session
3. save the previous request - Action and Screen Template in session and
restore it after a successful login. Some changes may have to go into
SessionValidator.
Thanks,
Yanxia
-----Original Message-----
From: Yanxia Liu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 10:54 AM
To: [EMAIL PROTECTED]
Subject: Question on Turbine Authentication
Hi,
It seems to be a standard practice to save a user's previous request before
redirecting her to a login page. Then after the user has correctly logged
in, the page she originally requested is displayed. In the case of Turbine,
any 'action' or 'template' requested would be executed after the login.
Why doesn't Turbine support this? Is there a security reason behind
this? In other words, is it true that doing this would create a security
hole in the system using the current Turbine framework?
Thanks very much in advance!
Yanxia
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
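Added example, not Turbine's code and not part of the thread above: one way to do step 3 of the suggestion (save the requested action and screen template, restore them after login) while still dropping the pre-login session, so the restore does not depend on keeping the old session alive. It uses the plain servlet API rather than Turbine's RunData; the attribute names, the "user" key and the isSafeTemplate check are assumptions made for the example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not from Turbine): remembers the request that was
 *  interrupted by the login screen and re-dispatches it after login. */
public final class SavedRequest {
    // Constructed attribute names; Turbine defines none of these.
    static final String ACTION_KEY   = "saved.action";
    static final String TEMPLATE_KEY = "saved.template";

    /** Called just before an anonymous user is sent to the login screen. */
    public static void remember(HttpServletRequest req, String action, String template) {
        HttpSession s = req.getSession(true);
        s.setAttribute(ACTION_KEY, action);
        s.setAttribute(TEMPLATE_KEY, template);
    }

    /** Called by the login action once the credentials have been verified.
     *  Returns {action, template} to run next, or null if nothing usable
     *  was saved (caller then shows the default post-login screen). */
    public static String[] restoreAfterLogin(HttpServletRequest req, Object user) {
        HttpSession old = req.getSession(false);
        String action = null, template = null;
        if (old != null) {
            action   = (String) old.getAttribute(ACTION_KEY);
            template = (String) old.getAttribute(TEMPLATE_KEY);
            // Invalidate rather than just emptying it: a session id handed
            // out before authentication must never become the logged-in one.
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);   // constructed key for the example
        if (template == null || !isSafeTemplate(template)) {
            return null;
        }
        return new String[] { action, template };
    }

    /** Accept only a bare template name (letters, digits, '_', '.', ','),
     *  never a scheme, slash or "..", so a value saved before login cannot
     *  turn the post-login dispatch into a redirect elsewhere or a traversal. */
    static boolean isSafeTemplate(String t) {
        return t.matches("[A-Za-z0-9_.,]+") && !t.contains("..");
    }
}
```

The login action would call restoreAfterLogin only after the user has been authenticated, and the early return on an existing session user (the LoginUser.doPerform check quoted above) would then no longer be needed to protect the saved values.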