cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject continuations and session
Date Thu, 02 Sep 2004 18:42:12 GMT
Is it possible (due to security reasons) to tie every continuation to a 
particular user session? This way no one could "hack" into the 
application by using a URL from history. I have problems with my 
application because it allows a continuation to be run even if the user has 
logged out. If continuations were bound to a particular session, 
destroying the session would invalidate ALL of them - which is a much 
better solution than invalidating each by hand in flowscript.

I found this problem and I really have no idea how I could fix this. 
Right now it looks like this:

> <map:resource name="resume-continuation">
> 	<map:act type="set-header">
> 		<map:parameter name="Expires" value="-1"/>
> 		<map:parameter name="Cache-Control" value="no-cache"/>
> 		<map:parameter name="Pragma" value="no-cache"/>
> 		<map:call continuation="{../continuation-id}"/>
> 	</map:act>
> </map:resource>
> [...]
> <map:match pattern="*.do">
> 	<map:match type="request-parameter" pattern="continuation-id">
> 		<map:call resource="resume-continuation">
> 			<map:parameter name="continuation-id" value="{1}"/>
> 		</map:call>
> 	</map:match>
> 	<map:call function="main">
> 		<map:parameter name="action" value="{1}"/>
> 		<map:parameter name="home" value="{global:baseURL}"/>
> 	</map:call>
> </map:match>

and the flowscript follows:
> function main( action, home ) {
> 	cocoon.response.setHeader( "Expires", "-1" );
> 	cocoon.response.setHeader( "Cache-Control", "no-cache" );
> 	cocoon.response.setHeader( "Pragma", "no-cache" );
> 	baseURL = home;
> 	cocoon.session.setAttribute( "baseURL", baseURL );
> 	
> 	if ( springContext == null ) 
> 		setupSpringContext();
> 		
> 	if ( cocoon.session.user == null ) {
> 		loginInternal();
> 	}
> 	invoke( action );
> }
> 
> function invoke( action ) {
> 	func = this[ action ];
> 	if ( func != undefined )
> 		func.apply( this );
> 	else
> 		cocoon.sendPage( action, {} );
> }
>  
> function loginInternal() {
> 	var cookieUsername = findCookie( "username" );
> 	var cookiePassword = findCookie( "password" );
> 
> 	if ( cookieUsername != null && cookiePassword != null && cookieUsername != "" ) {
> 		var user = validateLoginData( cookieUsername, cookiePassword );
> 		if ( user != null ) { 
> 			cocoon.session.setAttribute( "user", user );
> 			// reset expiry time
> 			storeLoginCookies( cookieUsername, cookiePassword );
> 			return;
> 			
> 		}
> 	}
> 	
> 	var form = new Form( "forms/login-def.xml" );
> 	var model = form.getModel();
> 	
> 	model.username = cookieUsername;
> 	model.password = cookiePassword;
> 	form.showForm( "form/login", {} );
> }

The problem is: I cannot wrap <map:call continuation/> with some 
session validator action because I do not know whether this continuation 
belongs to the login procedure (this way I would block access to entering 
data into the login form - total security! :)).

I would like to keep the application logic intact so every 
/baseURL/callSomeFunction.do would show a login form first and then 
continue to the appropriate page (if the user has not been authenticated before).

Please comment.
-- 
Leszek Gawron                                      lgawron@mobilebox.pl