This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 1ed018c Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047) 1ed018c is described below commit 1ed018c677836b4eebb1ba82da8a12ee983474a4 Author: Jacques Le Roux <[hidden email]> AuthorDate: Sat Feb 13 12:29:02 2021 +0100 Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047) After some small study, it seem there is a problem because login request not require authentication I have tried to add a test to check if current request is login and only if it's not to remove PREVIOUS_REQUEST Session Attribute, it seem better with this modification. Thanks: Olivier for the patch and Michael for suggesting to parameterize using a property. I simply used EntityUtilProperties.getPropertyValue instead of UtilProperties.getPropertyValue Conflicts: handled by hand framework/security/config/security.properties --- framework/security/config/security.properties | 6 +++++- .../org/apache/ofbiz/webapp/control/RequestHandler.java | 13 +++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index a5159f7..6ee20ea 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -184,7 +184,7 @@ templateClassResolver=
 #--
 #-- If you want to get more image formats then use imageJ:
 #-- For imagejSupportedFormats see https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej. NOTE: plugins support is important here
-#-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lu [...]
+#-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lu [...]
 #--
 #-- PDFBox and PDFReader are used for PDF files
 #--
@@ -195,3 +195,7 @@ templateClassResolver=
 #-- people may like to allow more than what is allowed OOTB
 #-- As it name says, allowAllUploads opens all possibilities
 allowAllUploads=
+
+#-- uri used for login (cf jira OFBIZ-12047)
+#-- it's a list, each uri should be separated by comma, without space
+login.uris=login
\ No newline at end of file
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index e2cc912..8490af0 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -502,8 +502,17 @@ public class RequestHandler {
 }
 }
 } else {
- // Remove previous request attribute on navigation to non-authenticated request
- request.getSession().removeAttribute("_PREVIOUS_REQUEST_");
+ String[] loginUris = EntityUtilProperties.getPropertyValue("security", "login.uris", delegator).split(",");
+ boolean removePreviousRequest = true;
+ for (int i = 0; i < loginUris.length; i++) {
+ if (requestUri.equals(loginUris[i])) {
+ removePreviousRequest = false;
+ }
+ }
+ if (removePreviousRequest) {
+ // Remove previous request attribute on navigation to non-authenticated request
+ request.getSession().removeAttribute("_PREVIOUS_REQUEST_");
+ }
 }
 if (request.getAttribute("targetRequestUri") == null) { |
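Review bot: The new loop in the `else` branch matches `requestUri` against the raw tokens of `login.uris` with `equals`, so an entry written with surrounding whitespace, or an empty property value, never matches and the code quietly goes back to removing `_PREVIOUS_REQUEST_` on the login page. Trimming the token and leaving the loop at the first hit would make that explicit: `if (requestUri.equals(loginUris[i].trim())) { removePreviousRequest = false; break; }`. The property is also looked up and split on every request that reaches this branch, and because it is read through `EntityUtilProperties` the list can presumably be overridden outside `security.properties`; a comment above the loop such as `// Keep _PREVIOUS_REQUEST_ on login URIs (login.uris); every other unauthenticated request clears it` would record why the list should stay limited to real login endpoints. The enclosing method begins and ends outside this hunk.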