Hi John,
Thank you very much for your kind and patient answer! I do have a few more
questions that I dare not post any more. I'd like to steal a few minutes
of your time, if I may, to discuss them (I'll be very explicit):
After a user submits the following request before logging in:
http://localhost:8080/turbineapp/action/OpenSecurePage/template/SecurePage.vm
Turbine.doGet:
1. The request is redirected by having a 'redirected="true"' added to its
path and resent.
2. When the redirected request comes back, 'redirected="true"' is removed
from its pathinfo and redirected back to the original URL, which is the
above URL.
Question: Why is the above redirect necessary?
3. Session Validator is executed (among other things). If a
SecureSessionValidator is chosen, it checks to see if the user has logged
in. If not, Screen Template is set to 'login.vm' for example and Action is
set to 'null'.
Question: Add the parameters of the previous request to the pathinfo here?
4. Then Page is executed. Page will first look for an Action to execute;
since the action was set to 'null', it'll skip to executing Layout (if
there's one) or Screen, which will use the Screen Template set previously,
login.vm. Therefore the login page, instead of the SecurePage page, is built
and sent back to the client.
Question: Make Page first check to see if there's any "prev_template" and/or
"prev_action" parameter(s) in the request. If yes, execute "prev_action"
and use the screen template specified in "prev_template"? So after step 5,
the previous request can be restored.
After the user fills in her username and password and clicks the "login"
button, a new request with Action "LoginUser" is submitted.
5. Executes LoginUser Action...
If this sounds too stupid, I apologize in advance!
Thank you very much for your time!
Yanxia
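One way to keep the pre-login target without keeping the pre-login session, as an added example that is not Turbine's code and not from either correspondent: it assumes the plain Servlet API (javax.servlet) in place of Turbine's RunData, and the attribute names and the template allow-list are made up for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Set;

/**
 * Hypothetical helper: remembers where an anonymous user wanted to go,
 * then restores it after login on a brand-new session, so the old
 * session id is never carried into the authenticated identity.
 */
public final class LoginRedirect {
    // Assumed attribute names (not Turbine's).
    private static final String SAVED_TARGET = "prev_template";
    private static final String USER_KEY = "turbine.user";
    // Assumed allow-list: only screen templates a logged-in user may land on.
    // Only a template is remembered, never an action, so nothing is executed
    // automatically under the new identity.
    private static final Set<String> ALLOWED = Set.of("SecurePage.vm", "Index.vm");

    private LoginRedirect() {}

    /** Called by the session validator before it switches the screen to login.vm. */
    public static void rememberTarget(HttpSession session, String template) {
        if (template != null && ALLOWED.contains(template)) {
            session.setAttribute(SAVED_TARGET, template);
        }
    }

    /**
     * Called by the login action after the credential check has succeeded.
     * Copies the saved target out, invalidates the pre-login session (a fresh
     * id is issued), stores the user in the new session and returns the
     * template to render next.
     */
    public static String finishLogin(HttpServletRequest request, Object user) {
        HttpSession old = request.getSession(false);
        String target = null;
        if (old != null) {
            target = (String) old.getAttribute(SAVED_TARGET);
            old.invalidate(); // identity changes, so the old session id must die
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_KEY, user);
        // Re-check the allow-list: the value came from session state, not from
        // a request parameter the client could rewrite.
        return (target != null && ALLOWED.contains(target)) ? target : "Index.vm";
    }
}
```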
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John McNally
Sent: Tuesday, August 14, 2001 2:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Question on Turbine Authentication
There is no problem redirecting to the original request after successful
login. This is done all the time. There is no reason to save anything
in the session to achieve this. You can write your own LoginUser action
and plug it in in TR.props (or simply name it the same and list your app
actions before the turbine default modules). It is a good idea to
invalidate the session when a user changes identities.
john mcnally
Yanxia Liu wrote:
>
> Let me get down to the specifics:
>
> ==========================================================================
> Turbine.doGet:
>
> // Deletes all the objects bound to session
> // or invalidates the session (which is a better approach).
> // QUESTION: This makes saving the previous request impossible, so why do
> // this?
>
> //...
> if (data.getAction().equalsIgnoreCase(TurbineResources.getString("action.login")))
> {
>     String[] names = data.getSession().getValueNames();
>     if (names != null) {
>         for (int i=0; i< names.length; i++) {
>             data.getSession().removeValue(names[i]);
>         }
>     }
> }
> ActionLoader.getInstance().exec ( data, data.getAction() );
> data.setAction(null);
> //...
>
> ===========================================================================
> LoginUser.doPerform:
> // if there's already a valid user object in the session, return.
> // QUESTION: Is this the only reason why session is cleaned up?
> // QUESTION: Then why is it here in the first place?
> // In the code comment, "This prevents a db hit on second Action call
> // during page generation.". Meaning second LoginUser action call?
> // But the action is set to 'null' after LoginUser is executed,
> // so Page no longer has any Action to execute after successful login.
>
> //...
> if ( data.getUserFromSession() != null )
> {
>     return;
> }
> //...
>
> I guess these are my questions to be exact.
>
> My suggestion is to:
> 1. delete the above code in LoginUser.doPerform
> 2. remove the code that "invalidates" the session
> 3. save the previous request - Action and Screen Template in session and
> restore it after a successful login. Some changes may have to go into
> SessionValidator.
>
> Thanks,
>
> Yanxia
>
> -----Original Message-----
> From: Yanxia Liu [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 14, 2001 10:54 AM
> To: [EMAIL PROTECTED]
> Subject: Question on Turbine Authentication
>
> Hi,
>
> It seems to be a standard practice to save a user's previous request before
> redirecting her to a login page. Then after the user has correctly logged
> in, the page she originally requested is displayed. In the case of Turbine,
> any 'action' or 'template' requested would be executed after the login.
>
> Why doesn't Turbine support this? Is there a security reason behind
> this? In other words, is it true that doing this would create a security
> hole in the system using the current Turbine framework?
>
> Thanks very much in advance!
>
> Yanxia
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]