NIHVIVO-1814 A login remains in process only if the login widget is reached via the Authenticate servlet. Any other way of reaching the widget means we start over.
This commit is contained in:
jeb228
parent
241848ad9e
commit
281d2de68f
3 changed files with 67 additions and 37 deletions
|
|
@ -0,0 +1,54 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
/**
|
||||
* This sits in the session to say that a login is in process.
|
||||
*
|
||||
* Authenticate sets the flag each time it redirects to the login widget, and
|
||||
* the login widget inspects the flag and resets it.
|
||||
*
|
||||
* If ever the login widget finds that the flag is already reset, it knows that
|
||||
* the user navigated to the widget directly, rather than coming through
|
||||
* Authenticate, and so it discards any existing LoginProcessBean as obsolete.
|
||||
*/
|
||||
public class LoginInProcessFlag {
|
||||
private static final String ATTRIBUTE_NAME = LoginInProcessFlag.class
|
||||
.getName();
|
||||
|
||||
/**
|
||||
* Set the flag, saying that a login session is in process.
|
||||
*/
|
||||
public static void set(HttpServletRequest request) {
|
||||
if (request == null) {
|
||||
throw new NullPointerException("request may not be null.");
|
||||
}
|
||||
|
||||
request.getSession().setAttribute(ATTRIBUTE_NAME, Boolean.TRUE);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check to see whether the flag is set. Reset it.
|
||||
*/
|
||||
public static boolean checkAndReset(HttpServletRequest request) {
|
||||
if (request == null) {
|
||||
throw new NullPointerException("request may not be null.");
|
||||
}
|
||||
|
||||
HttpSession session = request.getSession(false);
|
||||
if (session == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
Object flag = session.getAttribute(ATTRIBUTE_NAME);
|
||||
if (flag == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
session.removeAttribute(ATTRIBUTE_NAME);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
@ -34,6 +34,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
|
|||
import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginInProcessFlag;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginRedirector;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.Message;
|
||||
|
|
@ -475,6 +476,8 @@ public class Authenticate extends VitroHttpServlet {
|
|||
throws IOException {
|
||||
log.debug("logging in.");
|
||||
|
||||
LoginInProcessFlag.set(vreq);
|
||||
|
||||
String loginProcessPage = LoginProcessBean.getBean(vreq)
|
||||
.getLoginPageUrl();
|
||||
response.sendRedirect(loginProcessPage);
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ import org.apache.commons.logging.LogFactory;
|
|||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.ConfigurationProperties;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginInProcessFlag;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.Route;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean;
|
||||
|
|
@ -189,47 +190,19 @@ public class LoginWidget extends Widget {
|
|||
}
|
||||
|
||||
/**
|
||||
* A LoginProcessBean is outdated if we have come from a page other than
|
||||
* this one.
|
||||
* A LoginProcessBean is outdated unless the the "in-process" flag is set in the
|
||||
* session.
|
||||
*
|
||||
* If we can't be certain, assume that the bean is not outdated.
|
||||
* Each time we hit Authenticate, the flag is set, and each time
|
||||
* we draw the widget it is reset.
|
||||
*/
|
||||
private boolean isOutdatedLoginProcessBean(HttpServletRequest request) {
|
||||
// If there is no bean, it is not outdated.
|
||||
if (!LoginProcessBean.isBean(request)) {
|
||||
return false;
|
||||
boolean inProcess = LoginInProcessFlag.checkAndReset(request);
|
||||
if (!inProcess) {
|
||||
log.debug("The process bean is outdated. Discard it.");
|
||||
}
|
||||
|
||||
String referrer = request.getHeader("referer");
|
||||
|
||||
// They don't say where they were, assume they were here.
|
||||
if ((referrer == null) || (referrer.isEmpty())) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// If the referrer equals the request, they were here.
|
||||
String requestURL = request.getRequestURL().toString();
|
||||
if (referrer.equals(requestURL)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// RFC2616 says that the referrer might be relative to the request.
|
||||
// Translate to absolute, and test if they were here.
|
||||
try {
|
||||
String absoluteReferrer = new URL(new URL(requestURL), referrer)
|
||||
.toString();
|
||||
if (absoluteReferrer.equals(requestURL)) {
|
||||
return false;
|
||||
}
|
||||
} catch (MalformedURLException e) {
|
||||
log.warn("Problems trying to resolve a relative referrer: requestURL = '"
|
||||
+ requestURL + "', referrer = '" + referrer + "'" + e);
|
||||
return false;
|
||||
}
|
||||
|
||||
// The referrer is not equal to the request, so they came from somewhere
|
||||
// else.
|
||||
return true;
|
||||
|
||||
return !inProcess;
|
||||
}
|
||||
|
||||
/** What's the URL for this servlet? */
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue