diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginInProcessFlag.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginInProcessFlag.java
new file mode 100644
index 000000000..04f583a59
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginInProcessFlag.java
@@ -0,0 +1,54 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+/**
+ * This sits in the session to say that a login is in process.
+ *
+ * Authenticate sets the flag each time it redirects to the login widget, and
+ * the login widget inspects the flag and resets it.
+ *
+ * If ever the login widget finds that the flag is already reset, it knows that
+ * the user navigated to the widget directly, rather than coming through
+ * Authenticate, and so it discards any existing LoginProcessBean as obsolete.
+ */
+public class LoginInProcessFlag {
+ private static final String ATTRIBUTE_NAME = LoginInProcessFlag.class
+ .getName();
+
+ /**
+ * Set the flag, saying that a login session is in process.
+ */
+ public static void set(HttpServletRequest request) {
+ if (request == null) {
+ throw new NullPointerException("request may not be null.");
+ }
+
+ request.getSession().setAttribute(ATTRIBUTE_NAME, Boolean.TRUE);
+ }
+
+ /**
+ * Check to see whether the flag is set. Reset it.
+ */
+ public static boolean checkAndReset(HttpServletRequest request) {
+ if (request == null) {
+ throw new NullPointerException("request may not be null.");
+ }
+
+ HttpSession session = request.getSession(false);
+ if (session == null) {
+ return false;
+ }
+
+ Object flag = session.getAttribute(ATTRIBUTE_NAME);
+ if (flag == null) {
+ return false;
+ }
+
+ session.removeAttribute(ATTRIBUTE_NAME);
+ return true;
+ }
+}
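Review bot: checkAndReset's getAttribute/removeAttribute pair is not atomic, and servlet containers do not synchronize session attribute access, so two requests in the same session that draw the widget at the same time could both observe the flag before either removes it; given the flag only decides whether a stale LoginProcessBean is dropped this is probably harmless, but it deserves a sentence in the class Javadoc. The class is a static-only holder with no private constructor, so it can be instantiated for no purpose; add `private LoginInProcessFlag() { }` after the ATTRIBUTE_NAME field. Keying the decision on server-side session state rather than the client-supplied Referer header (which the LoginWidget hunk below removes) is the right direction, since the server now owns the evidence that Authenticate was visited.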
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
index 9c70bdc71..34913c4c2 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
@@ -34,6 +34,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginInProcessFlag;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginRedirector;
 import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean;
 import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.Message;
@@ -475,6 +476,8 @@ public class Authenticate extends VitroHttpServlet {
 throws IOException {
 log.debug("logging in.");
+ LoginInProcessFlag.set(vreq);
+
 String loginProcessPage = LoginProcessBean.getBean(vreq)
 .getLoginPageUrl();
 response.sendRedirect(loginProcessPage);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/widgets/LoginWidget.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/widgets/LoginWidget.java
index 589be80ec..5bd3c0a6c 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/widgets/LoginWidget.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/widgets/LoginWidget.java
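Review bot: The new `LoginInProcessFlag.set(vreq);` call in the second hunk has no comment explaining why it precedes the redirect, and a reader of Authenticate alone cannot tell that LoginWidget will discard its LoginProcessBean when the flag is missing; add `// Mark the session so LoginWidget knows the bean comes from this redirect, not a direct visit.` above it. Note that set() creates a session if none exists, which this redirect path presumably needs anyway since LoginProcessBean.getBean(vreq) follows it. If any other code path redirects to the login page without setting the flag, the widget would now treat that path's bean as outdated; worth confirming there is none. The enclosing method begins and ends outside this hunk.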
@@ -15,6 +15,7 @@ import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.ConfigurationProperties;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginInProcessFlag;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.Route;
 import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean;
@@ -189,47 +190,19 @@ public class LoginWidget extends Widget {
 }
 /**
- * A LoginProcessBean is outdated if we have come from a page other than
- * this one.
+ * A LoginProcessBean is outdated unless the the "in-process" flag is set in the
+ * session.
- * If we can't be certain, assume that the bean is not outdated.
+ * Each time we hit Authenticate, the flag is set, and each time
+ * we draw the widget it is reset.
 */
 private boolean isOutdatedLoginProcessBean(HttpServletRequest request) {
- // If there is no bean, it is not outdated.
- if (!LoginProcessBean.isBean(request)) {
- return false;
+ boolean inProcess = LoginInProcessFlag.checkAndReset(request);
+ if (!inProcess) {
+ log.debug("The process bean is outdated. Discard it.");
 }
-
- String referrer = request.getHeader("referer");
-
- // They don't say where they were, assume they were here.
- if ((referrer == null) || (referrer.isEmpty())) {
- return false;
- }
-
- // If the referrer equals the request, they were here.
- String requestURL = request.getRequestURL().toString();
- if (referrer.equals(requestURL)) {
- return false;
- }
-
- // RFC2616 says that the referrer might be relative to the request.
- // Translate to absolute, and test if they were here.
- try {
- String absoluteReferrer = new URL(new URL(requestURL), referrer)
- .toString();
- if (absoluteReferrer.equals(requestURL)) {
- return false;
- }
- } catch (MalformedURLException e) {
- log.warn("Problems trying to resolve a relative referrer: requestURL = '"
- + requestURL + "', referrer = '" + referrer + "'" + e);
- return false;
- }
-
- // The referrer is not equal to the request, so they came from somewhere
- // else.
- return true;
+
+ return !inProcess;
 }
 /** What's the URL for this servlet? */
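Review bot: The new Javadoc doubles a word; the first line should read `* A LoginProcessBean is outdated unless the "in-process" flag is set in the`. The old body returned false when no bean existed, but the new one reports "outdated" whenever the flag is absent, so `log.debug("The process bean is outdated. Discard it.");` now fires on any widget draw that did not come through Authenticate even when there is no bean to discard; if the caller's discard is a no-op in that case this is only log noise, but guarding the log with `LoginProcessBean.isBean(request)` would keep it accurate. Because checkAndReset consumes the flag on every draw, a page that renders the widget twice, or a browser refresh of the login page, appears to discard the bean along with any pending message; confirm that is intended. The removed code held the only visible uses of `java.net.URL` and `MalformedURLException`, and the import hunk above does not remove those imports, so they are likely now unused. The enclosing class continues outside this hunk.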