portals-jetspeed-dev mailing list archives

From "Aaron Evans (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-712) Create new servlet session upon login (configurable)
Date Mon, 29 Sep 2008 14:53:45 GMT

    [ https://issues.apache.org/jira/browse/JS2-712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635398#action_12635398 ]

Aaron Evans commented on JS2-712:

I tried this out and it seems to do what I want, so thanks very much.  Sorry to take so long
to actually use a feature that I requested!

One question though:

In the LoginProxyServlet, you redirect to:

"/login/redirector?token=" + token.getToken() where the token value is the username-timestamp.

Is this token request parameter used later on in the chain? It doesn't seem to affect the
behavior of the authentication mechanism or the security valve.

The reason I ask is if it is informational only, I'd suggest removing it.  In my case, it
stays visible for a second or two while our dashboard loads and it just seems weird to see
the username in the URL. 

Anyhow, obviously not a big deal provided it isn't a security issue (and I'm pretty sure it
is not since I tried doing some basic URL manipulation).

Anyhow, thanks again.


> Create new servlet session upon login (configurable)
> ----------------------------------------------------
>                 Key: JS2-712
>                 URL: https://issues.apache.org/jira/browse/JS2-712
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.1.2
>            Reporter: David Sean Taylor
>            Assignee: David Sean Taylor
>             Fix For: 2.1.2
>
> Create new servlet session upon login. In 2.1, the guest session is continued when the
> user authenticates, which is a valid use-case such as an e-commerce portal which allows users
> to delay their login but still create a shopping cart before logging in, and then carrying
> over the session state to the logged user. This enhancement will make the "creation of new
> session event" configurable in the Spring configuration. The default behavior will still be
> to not create a new session.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
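
As an added illustration of the behaviour the JS2-712 description outlines (not code from Jetspeed or from this thread): a servlet-API helper that, when configured to do so, invalidates the guest session at login and copies only an allow-listed set of attributes, such as a shopping cart, into the new session. The class name, the `createNewSession` flag and the attribute allow-list are assumptions made for the example, and it needs the javax.servlet API on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not Jetspeed code): renews the servlet session at login. */
public final class LoginSessionRenewer {
    private final boolean createNewSession;      // the configurable switch
    private final Set<String> carriedAttributes; // guest state allowed to survive login

    public LoginSessionRenewer(boolean createNewSession, Set<String> carriedAttributes) {
        this.createNewSession = createNewSession;
        this.carriedAttributes = carriedAttributes;
    }

    /** Call after credentials are verified and before any principal is stored. */
    public HttpSession onAuthenticated(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (!createNewSession) {
            // Default behaviour: the guest session, and its ID, continues.
            return old != null ? old : request.getSession(true);
        }
        Map<String, Object> keep = new HashMap<String, Object>();
        if (old != null) {
            // Copy only allow-listed guest state; everything else is dropped.
            for (String name : carriedAttributes) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    keep.put(name, value);
                }
            }
            old.invalidate(); // the pre-login session ID is no longer valid
        }
        HttpSession fresh = request.getSession(true); // container issues a new ID
        for (Map.Entry<String, Object> entry : keep.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

With the switch off, a session ID known before login stays valid after authentication; with it on, only the allow-listed attributes cross the login boundary.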
