svn commit: r1824805 - in /ofbiz/branches/release16.11: ./ framework/base/dtd/ framework/base/src/main/java/org/apache/ofbiz/base/component/ framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/



jleroux@apache.org
Author: jleroux
Date: Mon Feb 19 19:25:37 2018
New Revision: 1824805

URL: http://svn.apache.org/viewvc?rev=1824805&view=rev
Log:
"Applied fix from trunk framework for revision: 1824803  "
------------------------------------------------------------------------
r1824803 | jleroux | 2018-02-19 20:23:36 +0100 (lun., 19 févr. 2018) | 18 lines

Fixed: Logout do not remove autoLogin
(OFBIZ-4959)

Logout method do not disable autoLogin functionality.
Instead of that it just initializes autoLogin in session and request.

jleroux: this was also needed by OFBIZ-10206 "Security issue in Token Based
Authentication".
This creates a keep-autologin-cookie boolean attribute in the webapp element of
the  ofbiz-component.xml, documented in ofbiz-component.xsd
This attribute is read from the ofbiz-component.xml files by a new LoginWorker method, autoLogoutCleanCookies(). This method is called not only when logging out but also when logging in, to make sure that in every case the cookies of the webapps that do not keep them are removed.
For now only the ecommerce, ecomseo et webpos webapps are keeping and using
their autologin cookies

Thanks: Roberto Benítez Monje for report and Taher for discussion and suggestion
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/framework/base/dtd/ofbiz-component.xsd
    ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java
    ofbiz/branches/release16.11/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Feb 19 19:25:37 2018
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,1816289,1816291,1816297,
 1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,1816289,1816291,1816297,
 1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803
 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: ofbiz/branches/release16.11/framework/base/dtd/ofbiz-component.xsd
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/dtd/ofbiz-component.xsd?rev=1824805&r1=1824804&r2=1824805&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/base/dtd/ofbiz-component.xsd (original)
+++ ofbiz/branches/release16.11/framework/base/dtd/ofbiz-component.xsd Mon Feb 19 19:25:37 2018
@@ -240,6 +240,20 @@ under the License.
                 </xs:restriction>
             </xs:simpleType>
         </xs:attribute>
+        <xs:attribute name="keep-autologin-cookie" default="false">
+            <xs:simpleType>
+                <xs:annotation>
+                    <xs:documentation>
+                        Defines if the webapp uses the auto login feature which keeps a memory of the user last visit.
+                        This allows an user easier login by showing his/her username.
+                    </xs:documentation>
+                </xs:annotation>
+                <xs:restriction base="xs:token">
+                    <xs:enumeration value="true"/>
+                    <xs:enumeration value="false"/>
+                </xs:restriction>
+            </xs:simpleType>
+        </xs:attribute>
     </xs:attributeGroup>
     <xs:element name="virtual-host">
         <xs:complexType>
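Review bot: The documentation of `keep-autologin-cookie` describes the user-facing convenience but not the security-relevant effect of the flag, which is the reason the attribute exists (OFBIZ-10206 per the log). A maintainer turning it on for a webapp should be told that a `<webapp-name>.autoUserLoginId` cookie then survives logout and browser restarts, and that leaving it at `false` makes LoginWorker expire that cookie on every login and logout. I would extend the annotation with a sentence such as `When false (the default), the "<webapp-name>.autoUserLoginId" cookie is expired by LoginWorker on every login and logout; set it to true only for webapps that deliberately keep the auto-login cookie across sessions (e.g. ecommerce, ecomseo, webpos).`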

Modified: ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java?rev=1824805&r1=1824804&r2=1824805&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java (original)
+++ ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java Mon Feb 19 19:25:37 2018
@@ -324,6 +324,20 @@ public final class ComponentConfig {
         }
         return info;
     }
+    
+    public static WebappInfo getWebappInfo(String serverName, String webAppName) {
+        WebappInfo webappInfo = null;
+        List<WebappInfo> webappsInfo = getAppBarWebInfos(serverName);
+        for(WebappInfo currApp : webappsInfo) {
+            if (webAppName.equals(currApp.getName())) {
+                webappInfo = currApp;
+                break;
+            }
+        }
+        return webappInfo;
+    }    
+
+    
 
     public static boolean isFileResourceLoader(String componentName, String resourceLoaderName) throws ComponentException {
         ComponentConfig cc = getComponentConfig(componentName);
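Review bot: `getWebappInfo` resolves the webapp through `getAppBarWebInfos(serverName)`, and judging by that method's name it may only return webapps shown in the app bar; if so, a webapp with `app-bar-display="false"` is never found, the caller gets `null`, and (see LoginWorker) its auto-login cookie is silently left in place — a fail-open lookup for a security check. Please confirm what `getAppBarWebInfos` filters on, and if it does filter, look the webapp up in the full list of webapps for the server instead. The method also has no Javadoc; at minimum add `/** Returns the WebappInfo named webAppName on serverName, or null when no such webapp is configured. */`, and drop the trailing whitespace on the blank lines around it.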
@@ -829,6 +843,7 @@ public final class ComponentConfig {
         // CatalinaContainer modifies this field.
         private volatile boolean appBarDisplay;
         private final String accessPermission;
+        private final boolean keepAutologinCookie;
 
         private WebappInfo(ComponentConfig componentConfig, Element element) {
             this.componentConfig = componentConfig;
@@ -868,6 +883,7 @@ public final class ComponentConfig {
             this.appBarDisplay = !"false".equals(element.getAttribute("app-bar-display"));
             this.privileged = !"false".equals(element.getAttribute("privileged"));
             this.accessPermission = element.getAttribute("access-permission");
+            this.keepAutologinCookie = !"false".equals(element.getAttribute("keep-autologin-cookie"));
             String basePermStr = element.getAttribute("base-permission");
             if (!basePermStr.isEmpty()) {
                 this.basePermission = basePermStr.split(",");
@@ -953,6 +969,10 @@ public final class ComponentConfig {
             return virtualHosts;
         }
 
+        public boolean getKeepAutologinCookie() {
+            return keepAutologinCookie;
+        }
+
         public synchronized void setAppBarDisplay(boolean appBarDisplay) {
             this.appBarDisplay = appBarDisplay;
         }
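Review bot: Style only: a boolean accessor in this class is conventionally named `isKeepAutologinCookie()` rather than `getKeepAutologinCookie()`, which is what bean-introspecting code (and readers) expect. If it is renamed, the single caller in `LoginWorker.autoLogoutCleanCookies` has to change with it, and a one-line Javadoc such as `/** Whether this webapp keeps its auto-login cookie across logout; false by default. */` would document the contract.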

Modified: ofbiz/branches/release16.11/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1824805&r1=1824804&r2=1824805&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/branches/release16.11/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Mon Feb 19 19:25:37 2018
@@ -43,6 +43,7 @@ import javax.servlet.jsp.PageContext;
 import javax.transaction.Transaction;
 
 import org.apache.ofbiz.base.component.ComponentConfig;
+import org.apache.ofbiz.base.component.ComponentConfig.WebappInfo;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.GeneralException;
 import org.apache.ofbiz.base.util.KeyStoreUtil;
@@ -556,7 +557,9 @@ public class LoginWorker {
             } catch (GenericServiceException e) {
                 Debug.logError(e, "Error setting user preference", module);
             }
-
+            // start with a clean state, in case the user has quit the session w/o login out
+            autoLogoutCleanCookies(userLogin, request, response);
+            
             // finally do the main login routine to set everything else up in the session, etc
             return doMainLogin(request, response, userLogin, userLoginSession);
         } else {
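Review bot: Calling `autoLogoutCleanCookies` on the login path has a side effect beyond clearing cookies: it sets the request attribute `_AUTO_LOGIN_LOGOUT_` to `TRUE` and removes `autoUserLogin`/`autoName` from the session before `doMainLogin` runs. Anything later in this same request that tests `_AUTO_LOGIN_LOGOUT_` (the logout path below uses it to decide whether to run `autoLoginCheck`) will now see a "logout" marker during a login; please confirm nothing reached from `doMainLogin` keys off that flag, or split the cookie clearing from the flag setting so login does not mark the request as a logout. The enclosing login method starts before this hunk, so the earlier branches were not reviewed.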
@@ -666,7 +669,8 @@ public class LoginWorker {
         GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
 
         doBasicLogout(userLogin, request, response);
-
+        
+        autoLogoutCleanCookies(userLogin, request, response);
         if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
             return autoLoginCheck(request, response);
         }
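Review bot: After the added `autoLogoutCleanCookies(...)` call, the `if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null)` test on the next line can never be true, because that method unconditionally sets the attribute to `Boolean.TRUE`; the `return autoLoginCheck(request, response);` branch is therefore dead. If the intent is that logout never re-runs the auto-login check (which is what the log describes), remove the dead branch and say so in a comment, e.g. `// autoLogoutCleanCookies marks the request as a logout; never re-run autoLoginCheck here`; if auto-login after logout is still wanted for webapps with keep-autologin-cookie=true, the flag must not be set unconditionally. The enclosing logout method starts and ends outside this hunk.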
@@ -817,6 +821,34 @@ public class LoginWorker {
         }
         return "success";
     }
+    
+    // Removes all the autoLoginCookies but if the webapp requires keeping it
+public static String autoLogoutCleanCookies(GenericValue userLogin, HttpServletRequest request, HttpServletResponse response) {
+        HttpSession session = request.getSession();
+
+        Cookie[] cookies = request.getCookies();
+        if (Debug.verboseOn()) {
+            Debug.logVerbose("Cookies: " + Arrays.toString(cookies), module);
+        }
+        if (cookies != null && userLogin != null) {
+            for (Cookie autoLoginCookie: cookies) {
+                String autoLoginName = autoLoginCookie.getName().replace(".autoUserLoginId", "");
+                WebappInfo webappInfo = ComponentConfig.getWebappInfo("default-server", autoLoginName);
+                if (webappInfo != null && !webappInfo.getKeepAutologinCookie()) {
+                    autoLoginCookie.setMaxAge(0);
+                    autoLoginCookie.setPath("/");
+                    response.addCookie(autoLoginCookie);
+                }
+            }
+        }
+
+        // remove the session attributes
+        session.removeAttribute("autoUserLogin");
+        session.removeAttribute("autoName");
+
+        request.setAttribute("_AUTO_LOGIN_LOGOUT_", Boolean.TRUE);
+        return "success";
+    }
 
     public static boolean isUserLoggedIn(HttpServletRequest request) {
         HttpSession session = request.getSession();
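Review bot: `autoLogoutCleanCookies` only expires cookies when `userLogin != null`, so on a logout where the session no longer holds a `userLogin` (expired session, double logout) the `*.autoUserLoginId` cookies are left untouched — exactly the case where a stale auto-login cookie matters; `userLogin` is not otherwise used, so the gate should go. The loop also strips `.autoUserLoginId` from every cookie name and looks the remainder up as a webapp, so any unrelated cookie whose name happens to equal a webapp name would be expired, and cookies of unknown webapps (or of a server other than the hard-coded `"default-server"`) are silently kept; filter on the suffix first and consider making the server name a constant. Whether `setPath("/")` matches the path the cookie was originally set with cannot be seen here — please confirm against the code that creates the cookie, since a mismatched path does not delete it. The signature on the first line is also indented at column 0 while the body is at method indent.
```java
public static String autoLogoutCleanCookies(GenericValue userLogin, HttpServletRequest request, HttpServletResponse response) {
    HttpSession session = request.getSession();

    Cookie[] cookies = request.getCookies();
    // … unchanged: verbose cookie logging …
    if (cookies != null) { // do not gate on userLogin: stale cookies must be cleared even without a session user
        for (Cookie cookie : cookies) {
            String cookieName = cookie.getName();
            if (!cookieName.endsWith(".autoUserLoginId")) {
                continue; // only auto-login cookies are handled here
            }
            String webAppName = cookieName.substring(0, cookieName.length() - ".autoUserLoginId".length());
            WebappInfo webappInfo = ComponentConfig.getWebappInfo("default-server", webAppName);
            if (webappInfo != null && !webappInfo.getKeepAutologinCookie()) {
                cookie.setMaxAge(0);
                cookie.setPath("/");
                response.addCookie(cookie);
            }
        }
    }
    // … unchanged: session attribute removal, _AUTO_LOGIN_LOGOUT_ flag, return …
```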