[jira] [Created] (OFBIZ-4256) after session timeout, ajax popup dialogbox shows ofbiz login screen

after session timeout, ajax popup dialogbox shows ofbiz login screen
--------------------------------------------------------------------

                 Key: OFBIZ-4256
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4256
             Project: OFBiz
          Issue Type: Bug
          Components: ALL APPLICATIONS
    Affects Versions: SVN trunk
            Reporter: Wai


Take the following page (for example) https://localhost/content/control/findContent

field "Data Resource Id" has an icon beside it that creates an ajax dialog pop up.  If the session has already timed out.  The dialog box would show the login screen.

I suspect that all pages containing this functionality would exhibit the same symptom.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

     [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sascha Rodekamp reassigned OFBIZ-4256:
--------------------------------------

    Assignee: Sascha Rodekamp

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028664#comment-13028664 ]

Sascha Rodekamp commented on OFBIZ-4256:
----------------------------------------

Hi Wai,
we fixed this it once, but maybe something broke it. I'll follow up with this.
Thanks for reporting!

Have a good day
Sascha

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028711#comment-13028711 ]

Jacques Le Roux commented on OFBIZ-4256:
----------------------------------------

Wai,

Which Release.revision? Maybe, as Sascha said, it's alreadsy fixed and you use an older version...

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028767#comment-13028767 ]

Adrian Crum commented on OFBIZ-4256:
------------------------------------

Look for the request URI that the popup calls to populate its window. Find that request's request-map entry in controller.xml and make sure the security element has auth set to false.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028834#comment-13028834 ]

Sascha Rodekamp commented on OFBIZ-4256:
----------------------------------------

Hey Adrian when setting auth to false every user (if logged in or not) can directly call the lookup (i.e. https://localhost:8443/example/control/LookupGeoName) and can see the data which a presented in the lookup. I would not recommend that :-)

Some month ago i implement a redirect if the session is timed out. The user will be directed to the "normal" login page. That works in my local copy.
So it's interesting which version you use @Wai.
Maybe there is an improvement for my first solution, i'll check that.




--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028838#comment-13028838 ]

Adrian Crum commented on OFBIZ-4256:
------------------------------------

Sascha,

The approach I described is used in a number of Ajax requests already - just take a look at some of the current Ajax requests. If the user isn't logged in, the Ajax request will return an empty response.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028845#comment-13028845 ]

Sascha Rodekamp commented on OFBIZ-4256:
----------------------------------------

Jep that's right, but that don't work for lookups. Because when you call the direct request to the lookup page (https://localhost:8443/example/control/LookupGeoName) the direct request doesn't use AJAX itself.
Only the lookup code (in the lookup.js) call the lookup content via an Ajax request. The direct request only returns the HTML for the lookup window and for that request we have to check if a user is looked in or not, haven't we?




--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028838#comment-13028838 ]

Adrian Crum edited comment on OFBIZ-4256 at 5/4/11 5:39 PM:
------------------------------------------------------------

Sascha,

The approach I described is used in a number of Ajax requests already - just take a look at some of the current Ajax requests. If the user isn't logged in, the Ajax request will return an empty response.

Take a look at Find Fixed Assets: FixedAssetScreens.xml#ListFixedAssets and FixedAssetScreens.xml#FixedAssetSearchResults.


      was (Author: [hidden email]):
    Sascha,

The approach I described is used in a number of Ajax requests already - just take a look at some of the current Ajax requests. If the user isn't logged in, the Ajax request will return an empty response.

 
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028856#comment-13028856 ]

Adrian Crum commented on OFBIZ-4256:
------------------------------------

Sascha,

I just edited my previous comment to include an example.

To summarize:

A screen that uses Ajax should separate its Ajax sections from the regular request sections. The Ajax sections are their own screens that perform permission checking and do nothing if the permission check fails (or the user isn't logged in). Those Ajax screens are then mapped to requests that have auth set to false.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028862#comment-13028862 ]

Sascha Rodekamp commented on OFBIZ-4256:
----------------------------------------

Ah jap got your point :) But therefore i have to made a few changes in the lookup screens/ decorator. I think i will follow this way (thanks for the hint)

Nevertheless if a session is expired i would like to direct the user to the login page, opening a white lookup might be not the best for the usability (the user don't now hat's going on.... Just a thought.



--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028869#comment-13028869 ]

Adrian Crum commented on OFBIZ-4256:
------------------------------------

Personally, I don't see a problem with having the login prompt appear in a lookup screen. I believe that has been the lookup screen behavior all along. An alternative would be to have some kind of standard Ajax request response text like "Unable to complete request - session has timed out" or "Unable to complete request - user is not logged in" instead of an empty response.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13028874#comment-13028874 ]

Sascha Rodekamp commented on OFBIZ-4256:
----------------------------------------

Jap that sounds good. Login screens in lookup windows are not a problem but don't look nice :)
Ok i'll look for a good generic solution.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

     [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sascha Rodekamp updated OFBIZ-4256:
-----------------------------------

    Attachment: OFBIZ-4256_ajaxtimeoutfix.patch

Hi Adrian,
i created a patch for this issue. It would be great if you can have a quick look before a commit it.

The solution is simple.
If the session is timed out i check in the request handler weather it is an ajax request or not.
If it is an ajax request i don't return the normal "checkLogin" request, i return a a special ajaxCheckLogin request. This request can point to an site which shows the "Please Login Hint".

What do you think?

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13029948#comment-13029948 ]

Adrian Crum commented on OFBIZ-4256:
------------------------------------

How does the request handler know that a request is an "ajax request"? If you look at the example I gave, there is nothing special about the request.

Using the Find Fixed Assets example, instead of the FixedAssetSearchResults screen doing nothing if the user isn't logged in, it would return some text like "Unable to complete request - user is not logged in."


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

    [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13030032#comment-13030032 ]

Sascha Rodekamp commented on OFBIZ-4256:
----------------------------------------

The information comes from the request header if the X-Requested-With contains XMLHttpRequest we haven an ajax request.

Your right, but you working with permissions and without the auth option.
That is of course an alternative but my intention was not to add permission checks to each lookup, in my opinion it's more generic to differentiate in the request handler. Than a developers haven't to think of weather using an ajax or another request.



--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

     [ https://issues.apache.org/jira/browse/OFBIZ-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sascha Rodekamp closed OFBIZ-4256.
----------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk

The Patch is in Rev: 1102615

Have a good day
Sascha

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira