ofbiz-commits mailing list archives

Author: jleroux
Date: Fri Nov  2 10:38:33 2018
New Revision: 1845568

URL: http://svn.apache.org/viewvc?rev=1845568&view=rev
Log:
"Applied fix from trunk for revision: 1845558 " 
------------------------------------------------------------------------
r1845558 | jleroux | 2018-11-02 10:46:42 +0100 (ven. 02 nov. 2018) | 15 lignes

Fixed: Correct behaviour of Autologin cookies
(OFBIZ-10635)

Renames "keep-autologin-cookie" to "use-autologin-cookie", and only create 
Autologin cookies when needed. No need to create Autologin cookies in 
applications that don't need it.

Don't pass webAppName to LoginWorker::getSecuredUserLoginId, that can be handled
with improved LoginWorker::getSecuredLoginIdCookieName

Removes LoginWorker::autoLogoutCleanCookies, no longer needed since only those
needed are created and kept (1 year at least after creation).

For both autoLogin and securedLoginId cookies sets the path to the application.

------------------------------------------------------------------------

Modified:
    ofbiz/ofbiz-framework/branches/release17.12/   (props changed)
    ofbiz/ofbiz-framework/branches/release17.12/framework/base/dtd/ofbiz-component.xsd
    ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java
    ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Nov  2 10:38:33 2018
@@ -10,4 +10,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558

Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/base/dtd/ofbiz-component.xsd
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/base/dtd/ofbiz-component.xsd?rev=1845568&r1=1845567&r2=1845568&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/base/dtd/ofbiz-component.xsd (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/base/dtd/ofbiz-component.xsd Fri
Nov  2 10:38:33 2018
@@ -251,7 +251,7 @@ under the License.
                 </xs:restriction>
             </xs:simpleType>
         </xs:attribute>
-        <xs:attribute name="keep-autologin-cookie" default="false">
+        <xs:attribute name="use-autologin-cookie" default="false">
             <xs:simpleType>
                 <xs:annotation>
                     <xs:documentation>

Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java?rev=1845568&r1=1845567&r2=1845568&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java
(original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/component/ComponentConfig.java
Fri Nov  2 10:38:33 2018
@@ -829,7 +829,7 @@ public final class ComponentConfig {
         // CatalinaContainer modifies this field.
         private volatile boolean appBarDisplay;
         private final String accessPermission;
-        private final boolean keepAutologinCookie;
+        private final boolean useAutologinCookie;
 
         private WebappInfo(ComponentConfig componentConfig, Element element) {
             this.componentConfig = componentConfig;
@@ -869,7 +869,7 @@ public final class ComponentConfig {
             this.appBarDisplay = !"false".equals(element.getAttribute("app-bar-display"));
             this.privileged = !"false".equals(element.getAttribute("privileged"));
             this.accessPermission = element.getAttribute("access-permission");
-            this.keepAutologinCookie = !"false".equals(element.getAttribute("keep-autologin-cookie"));
+            this.useAutologinCookie = !"false".equals(element.getAttribute("use-autologin-cookie"));
             String basePermStr = element.getAttribute("base-permission");
             if (!basePermStr.isEmpty()) {
                 this.basePermission = basePermStr.split(",");
@@ -959,8 +959,8 @@ public final class ComponentConfig {
             return virtualHosts;
         }
 
-        public boolean getKeepAutologinCookie() {
-            return keepAutologinCookie;
+        public boolean isAutologinCookieUsed() {
+            return useAutologinCookie;
         }
 
         public synchronized void setAppBarDisplay(boolean appBarDisplay) {

Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1845568&r1=1845567&r2=1845568&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
(original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
Fri Nov  2 10:38:33 2018
@@ -520,9 +520,7 @@ public class LoginWorker {
             } catch (GenericServiceException e) {
                 Debug.logError(e, "Error setting user preference", module);
             }
-            // start with a clean state, in case the user has quit the session w/o login
out
-            autoLogoutCleanCookies(userLogin, request, response);
-            
+
             // finally do the main login routine to set everything else up in the session,
etc
             return doMainLogin(request, response, userLogin, userLoginSession);
         } else {
@@ -579,6 +577,7 @@ public class LoginWorker {
         RequestHandler rh = RequestHandler.getRequestHandler(request.getSession().getServletContext());
         rh.runAfterLoginEvents(request, response);
 
+
         // make sure the autoUserLogin is set to the same and that the client cookie has
the correct userLoginId
         return autoLoginSet(request, response);
     }
@@ -636,7 +635,6 @@ public class LoginWorker {
 
         doBasicLogout(userLogin, request, response);
         
-        autoLogoutCleanCookies(userLogin, request, response);
         if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
             return autoLoginCheck(request, response);
         }
@@ -704,16 +702,18 @@ public class LoginWorker {
         // DON'T save the cart, causes too many problems: if (shoppingCart != null) session.setAttribute("shoppingCart",
new WebShoppingCart(shoppingCart, session));
     }
 
+    // Set an autologin cookie for the webapp if it requests it
     public static String autoLoginSet(HttpServletRequest request, HttpServletResponse response)
{
         Delegator delegator = (Delegator) request.getAttribute("delegator");
         HttpSession session = request.getSession();
         GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
-        String domain = EntityUtilProperties.getPropertyValue("url", "cookie.domain", delegator);
-        if (userLogin != null) {
+        WebappInfo webappInfo = ComponentConfig.getWebappInfo("default-server", UtilHttp.getApplicationName(request));
+                
+        if (userLogin != null && webappInfo != null && webappInfo.isAutologinCookieUsed())
{
             Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId"));
             autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
-            autoLoginCookie.setDomain(domain);
-            autoLoginCookie.setPath("/");
+            autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url", "cookie.domain",
delegator));
+            autoLoginCookie.setPath("/" + UtilHttp.getApplicationName(request));
             autoLoginCookie.setSecure(true);
             autoLoginCookie.setHttpOnly(true);
             response.addCookie(autoLoginCookie);
@@ -727,14 +727,6 @@ public class LoginWorker {
         return UtilHttp.getApplicationName(request) + ".autoUserLoginId";
     }
 
-    protected static String getAutoLoginCookieName(String webappName) {
-        return webappName + ".autoUserLoginId";
-    }
-    
-    /**
-    * @deprecated Moved to {@link org.apache.ofbiz.webapp.control.LoginWorker#getAutoUserLoginId(HttpServletRequest
request, String webappName) String}
-    */
-   @Deprecated
     public static String getAutoUserLoginId(HttpServletRequest request) {
         String autoUserLoginId = null;
         Cookie[] cookies = request.getCookies();
@@ -752,30 +744,12 @@ public class LoginWorker {
         return autoUserLoginId;
     }
     
-    public static String getAutoUserLoginId(HttpServletRequest request, String webappName)
{
-        String autoUserLoginId = null;
-        Cookie[] cookies = request.getCookies();
-        if (Debug.verboseOn()) {
-            Debug.logVerbose("Cookies: " + Arrays.toString(cookies), module);
-        }
-        if (cookies != null) {
-            for (Cookie cookie: cookies) {
-                String cookieName = (webappName != null) ? getAutoLoginCookieName(webappName)
: getAutoLoginCookieName(request);
-                if (cookie.getName().equals(cookieName)) {
-                    autoUserLoginId = cookie.getValue();
-                    break;
-                }
-            }
-        }
-        return autoUserLoginId;
-    }
-
 
     public static String autoLoginCheck(HttpServletRequest request, HttpServletResponse response)
{
         Delegator delegator = (Delegator) request.getAttribute("delegator");
         HttpSession session = request.getSession();
 
-        return autoLoginCheck(delegator, session, getAutoUserLoginId(request, null));
+        return autoLoginCheck(delegator, session, getAutoUserLoginId(request));
     }
 
     private static String autoLoginCheck(Delegator delegator, HttpSession session, String
autoUserLoginId) {
@@ -830,34 +804,6 @@ public class LoginWorker {
         return "success";
     }
     
-    // Removes all the autoLoginCookies but if the webapp requires keeping it
-    public static String autoLogoutCleanCookies(GenericValue userLogin, HttpServletRequest
request, HttpServletResponse response) {
-        HttpSession session = request.getSession();
-
-        Cookie[] cookies = request.getCookies();
-        if (Debug.verboseOn()) {
-            Debug.logVerbose("Cookies: " + Arrays.toString(cookies), module);
-        }
-        if (cookies != null && userLogin != null) {
-            for (Cookie autoLoginCookie: cookies) {
-                String autoLoginName = autoLoginCookie.getName().replace(".autoUserLoginId",
"");
-                WebappInfo webappInfo = ComponentConfig.getWebappInfo("default-server", autoLoginName);
-                if (webappInfo != null && !webappInfo.getKeepAutologinCookie()) {
-                    autoLoginCookie.setMaxAge(0);
-                    autoLoginCookie.setPath("/");
-                    response.addCookie(autoLoginCookie);
-                }
-            }
-        }
-
-        // remove the session attributes
-        session.removeAttribute("autoUserLogin");
-        session.removeAttribute("autoName");
-
-        request.setAttribute("_AUTO_LOGIN_LOGOUT_", Boolean.TRUE);
-        return "success";
-    }
-
     public static boolean isUserLoggedIn(HttpServletRequest request) {
         HttpSession session = request.getSession();
         GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");