cocoon-dev mailing list archives

From "Per Kreipke" <...@onclave.com>
Subject RE: SunRise: AuthAction.java bug?
Date Thu, 08 Aug 2002 16:42:01 GMT
> I looked at the code and it seems that if the handler parameter is
> misconfigured an exception should be thrown:
>
> The AuthAction calls:
>
>             if (sunRise.checkAuthentication(redirector, !initialized) == false) {
>
> And in the checkAuthentication() method, the following code should
> throw an exception then:
> >>>
>         if (this.handlerName == null) this.handlerName = "";
>         if (this.applicationName == null) this.applicationName = "";
>         if (this.handlerName.equals(newHandlerName) == false
>             || this.applicationName.equals(newAppName) == false) {
>             this.handlerName = newHandlerName;
>             this.applicationName = newAppName;
>             this.handler = null;
>             this.application = null;
>
>             if (this.handlerName != null) {
>                 if ( null != this.userHandlers) {
>                     this.handler = (Handler)this.userHandlers.get(this.handlerName);
>                 } else {
>                     this.handler = (Handler)this.configuredHandlers.get(this.handlerName);
>                 }
>
>                 if (this.handler == null) {
>                     throw new ProcessingException("Handler not found: " + this.handlerName);
>                 }
>
> <<<<<
>
> Or is there a bug here?

Yes, I think there is, ergo the subject. But I wasn't explicit in my
description, sorry.

I admit that I can't tell by looking at the code above; I find it too
complex since I don't understand exactly how SunRise works. E.g. I have no
idea how many SunRise objects are instantiated at runtime: one per request,
per pipeline, per user, per session? And consequently I don't understand why
there is a this.handler in the SunRise object since you can declare multiple
<handler>'s within the <map:action> for SunRise. Why, for example, don't you
put the handler in the request attributes the way you did the handler name?

That said, isn't there a missing else in the block of code below the one
above?

if (this.handler != null) {
 ...
}
// no else here, which means that checkAuthentication() is valid with a
// misconfigured handler?

Wish I could help more.

Per

> > In 2.0.3, the default value returned from AuthAction:act() calling
> > SunRise.java:checkAuthentication() is true even if there is no handler
> > parameter defined.
> >
> > That seems wrong to me: if misconfigured with no 'handler' parameter, there
> > should either be an error message or complete failure. The user certainly
> > shouldn't be authorized.
> >
> > Per


---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
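
The failure mode discussed in this thread, shown as an added example that is not part of the original message and is not SunRise or Cocoon source: a check whose result defaults to true and has no else branch for a missing handler, next to a fail-closed version. All class, method and handler names, and the sample user names, are hypothetical; it assumes Java 9 or later for Map.of.

```java
import java.util.Map;

// Added illustration with hypothetical names; not SunRise or Cocoon code.
public class FailClosedAuthDemo {
    // Stand-in for a configured authentication handler.
    interface Handler { boolean isAuthenticated(String user); }

    // Constructed sample configuration: one handler that accepts only "alice".
    static final Map<String, Handler> HANDLERS =
        Map.<String, Handler>of("portal", u -> "alice".equals(u));

    // Fail-open shape: the result starts as true and only a found handler can change it.
    static boolean checkFailOpen(String handlerName, String user) {
        boolean authenticated = true;
        // Map.of rejects null keys, so guard the lookup.
        Handler handler = (handlerName == null) ? null : HANDLERS.get(handlerName);
        if (handler != null) {
            authenticated = handler.isAuthenticated(user);
        }
        // No else: a missing or unknown handler leaves the permissive default in place.
        return authenticated;
    }

    // Fail-closed shape: misconfiguration is an error and never yields "authenticated".
    static boolean checkFailClosed(String handlerName, String user) {
        if (handlerName == null || handlerName.isEmpty()) {
            throw new IllegalStateException("No 'handler' parameter configured");
        }
        Handler handler = HANDLERS.get(handlerName);
        if (handler == null) {
            throw new IllegalStateException("Handler not found: " + handlerName);
        }
        return handler.isAuthenticated(user);
    }

    public static void main(String[] args) {
        // Missing handler parameter: the fail-open check still authorizes the user.
        System.out.println("fail-open, no handler:  " + checkFailOpen(null, "mallory"));
        System.out.println("fail-open, with handler: " + checkFailOpen("portal", "mallory"));
        System.out.println("fail-closed, valid user: " + checkFailClosed("portal", "alice"));
        try {
            checkFailClosed(null, "mallory");
        } catch (IllegalStateException e) {
            System.out.println("fail-closed, no handler: rejected (" + e.getMessage() + ")");
        }
    }
}
```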

