There is no problem redirecting to the original request after successful
login.  This is done all the time.  There is no reason to save anything
in the session to achieve this.  You can write your own LoginUser action
and plug it in in TR.props (or simply name it the same and list your app
actions before the Turbine default modules).  It is a good idea to
invalidate the session when a user changes identities.

john mcnally





Yanxia Liu wrote:
> 
> Let me get down to the specifics:
> 
> ==========================================================================
> Turbine.doGet:
> 
> // Deletes all the objects bound to session
> // or invalidates the session (which is a better approach).
> // QUESTION: This makes saving the previous request impossible, so why do
> // this?
> 
> //...
>    if (data.getAction().equalsIgnoreCase(TurbineResources.getString("action.login")))
>      {
>        String[] names = data.getSession().getValueNames();
>        if (names != null) {
>          for (int i=0; i< names.length; i++) {
>            data.getSession().removeValue(names[i]);
>          }
>        }
>     }
>     ActionLoader.getInstance().exec ( data, data.getAction() );
>     data.setAction(null);
> //...
> 
> ===========================================================================
> LoginUser.doPerform:
> // if there's already a valid user object in the session, return.
> // QUESTION: Is this the only reason why session is cleaned up?
> // QUESTION: Then why is it here in the first place?
> // In the code comment, "This prevents a db hit on second Action call
> // during page generation.". Meaning second LoginUser action call?
> // But the action is set to 'null' after LoginUser is executed,
> // so Page no longer has any Action to execute after successful login.
> 
> //...
>         if ( data.getUserFromSession() != null )
>         {
>             return;
>         }
> //...
> 
> I guess these are my questions to be exact.
> 
> My suggestion is to:
> 1. delete the above code in LoginUser.doPerform
> 2. remove the code that "invalidates" the session
> 3. save the previous request - Action and Screen Template in session and
> restore it after a successful login. Some changes may have to go into
> SessionValidator.
> 
> Thanks,
> 
> Yanxia
> 
> -----Original Message-----
> From: Yanxia Liu [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 14, 2001 10:54 AM
> To: [EMAIL PROTECTED]
> Subject: Question on Turbine Authentication
> 
> Hi,
> 
> It seems to be a standard practice to save a user's previous request before
> redirecting her to a login page. Then after the user has correctly logged
> in, the page she originally requested is displayed. In the case of Turbine,
> any 'action' or 'template' requested would be executed after the login.
> 
> Why doesn't Turbine support this? Is there a security reason behind
> this? In other words, is it true that doing this would create a security
> hole in the system using current Turbine framework?
> 
> Thanks very much in advance!
> 
> Yanxia
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
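
The approach described in the reply at the top of this message, sketched with the plain Servlet API as an added example (not Turbine's LoginUser and not code from either poster): the originally requested path travels through the login form as a request parameter, and the session is invalidated when the user changes identity. The parameter names `next`, `username` and `password`, the `/login` path and the `authenticate` hook are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added illustration using the plain Servlet API; not Turbine's LoginUser. */
public abstract class LoginServlet extends HttpServlet {

    /** Hypothetical hook: verify the credentials against your user store. */
    protected abstract boolean authenticate(String user, String password);

    /** Allow only a path inside this application as the post-login target. */
    static String safeTarget(String next) {
        if (next == null || !next.startsWith("/") || next.startsWith("//")
                || next.indexOf('\\') >= 0 || next.indexOf('\r') >= 0
                || next.indexOf('\n') >= 0) {
            return "/";   // fall back to the application's start page
        }
        return next;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // "next" is an assumed parameter name: the login form echoes the
        // originally requested path back as a hidden field, so nothing
        // has to be stored in the session across the login.
        String target = safeTarget(req.getParameter("next"));
        String user = req.getParameter("username");

        if (!authenticate(user, req.getParameter("password"))) {
            // Failed login: show the form again and keep the target with it.
            resp.sendRedirect(req.getContextPath() + "/login?next="
                    + URLEncoder.encode(target, "UTF-8"));
            return;
        }

        // The user is changing identity: drop the old session and
        // everything bound to it, then start a fresh one with a new id.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);

        resp.sendRedirect(req.getContextPath() + target);
    }
}
```

Because the target arrives as user-controlled input, `safeTarget` restricts it to a path inside the application before it is used in a redirect.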