[ https://issues.apache.org/jira/browse/OFBIZ-12047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284186#comment-17284186 ]
ASF subversion and git services commented on OFBIZ-12047:
---------------------------------------------------------

Commit 1ed018c677836b4eebb1ba82da8a12ee983474a4 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=1ed018c ]

Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047)

After some small study, it seems there is a problem because the login request does not require authentication. I have tried to add a test to check if the current request is login, and only if it's not, to remove the PREVIOUS_REQUEST Session Attribute; it seems better with this modification.

Thanks: Olivier for the patch and Michael for suggesting to parameterize using a property.

I simply used EntityUtilProperties.getPropertyValue instead of UtilProperties.getPropertyValue

Conflicts: handled by hand
	framework/security/config/security.properties

> Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-12047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12047
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webapp
>    Affects Versions: Release Branch 18.12, Trunk
>            Reporter: Ingo Könemann
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 18.12.01, Upcoming Branch
>
>         Attachments: RequestHandler.java.patch, RequestHandler.java.patch, RequestHandler.java.patch
>
>
> There is a session attribute called "_PREVIOUS_REQUEST_" used to remember and
> execute the previous request after a login occurs. This attribute is not
> removed properly when navigating away from a page without logging in.
> When navigating to a page that requires authentication, the
> "_PREVIOUS_REQUEST_" attribute is saved in the session from within the
> LoginWorker to be called again when the login was successful through the
> RequestHandler. Currently, the attribute is only removed when a login occurs,
> resulting in the previous request being stored in the session until some form
> of login is successfully executed.
> This behavior potentially results in navigation problems since a user is able
> to navigate to a page requiring authentication without logging in. An old
> request will be pulled from the session when a similar event occurs and the
> user logs in.
>
> I propose to have the RequestHandler remove the session attribute
> "_PREVIOUS_REQUEST_" after calling a request that does not require
> authentication. We also have to restructure the sequence of request handling
> to have the "targetRequestUri" handled after the security check and a
> possible removal of the session attribute.
>
> One problem arises with this solution, however, which should be less of an
> issue than the current state:
> If the login page includes a request call that is handled after the request
> showing the login page (for example an ajax call rendering a screen), the
> "_PREVIOUS_REQUEST_" attribute will be lost before the login is processed. To
> my knowledge such a case does not exist within the OFBiz environment and
> seems to be an edge case far less problematic than the above mentioned
> problem.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
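The handling order described in the commit and in the issue (security check first, then clearing of "_PREVIOUS_REQUEST_" on any request that does not require authentication except the login request, then resolution of the target request), as an added illustration that is not OFBiz's RequestHandler or LoginWorker code. The request names, the security.properties key "login.request.uri", and the Map-based stand-in for the servlet session are assumptions made to keep the example self-contained.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration of the OFBIZ-12047 fix. Not OFBiz code: the request
 * names, the property key "login.request.uri" and the Map used as a session
 * are assumptions.
 */
public class PreviousRequestCleanup {

    static final String PREVIOUS_REQUEST = "_PREVIOUS_REQUEST_";

    /** Minimal stand-in for a request-map entry (URI plus its auth flag). */
    record RequestMap(String uri, boolean requiresAuth) {}

    /** Stand-in for the property lookup; OFBiz would read security.properties
     *  through EntityUtilProperties.getPropertyValue. Key and value assumed. */
    static final Map<String, String> SECURITY_PROPERTIES = Map.of("login.request.uri", "login");

    /**
     * Returns the request URI to execute, or null when the caller must render
     * the login page. The order of the three steps is the point of the fix.
     */
    static String handle(RequestMap request, boolean userLoggedIn, Map<String, Object> session) {
        // 1. Security check: a protected request without a login remembers the
        //    original URI so it can be replayed after a successful login.
        if (request.requiresAuth() && !userLoggedIn) {
            session.put(PREVIOUS_REQUEST, request.uri());
            return null;
        }

        // 2. Cleanup: a request that does not require authentication clears the
        //    remembered URI, except the login request itself, which is also
        //    public and must keep it for the post-login redirect.
        String loginUri = SECURITY_PROPERTIES.get("login.request.uri");
        if (!request.requiresAuth() && !request.uri().equals(loginUri)) {
            session.remove(PREVIOUS_REQUEST);
        }

        // 3. Target resolution happens only after steps 1 and 2: on a successful
        //    login the remembered URI (if still present) is replayed once.
        if (userLoggedIn && request.uri().equals(loginUri)) {
            Object previous = session.remove(PREVIOUS_REQUEST);
            if (previous != null) {
                return (String) previous;
            }
        }
        return request.uri();
    }

    public static void main(String[] args) {
        RequestMap viewOrders = new RequestMap("viewOrders", true);  // assumed protected page
        RequestMap main = new RequestMap("main", false);             // assumed public page
        RequestMap login = new RequestMap("login", false);           // login request, public

        // Scenario A (the reported bug): protected page, navigate away without
        // logging in, log in much later. The old URI must not be replayed.
        Map<String, Object> sessionA = new HashMap<>();
        check(handle(viewOrders, false, sessionA) == null, "login page expected");
        check("main".equals(handle(main, false, sessionA)), "public page served");
        check(!sessionA.containsKey(PREVIOUS_REQUEST), "stale URI cleared by public request");
        check("login".equals(handle(login, true, sessionA)), "no stale redirect after login");

        // Scenario B (normal flow): protected page, log in immediately.
        // The remembered URI is replayed, and consumed, exactly once.
        Map<String, Object> sessionB = new HashMap<>();
        check(handle(viewOrders, false, sessionB) == null, "login page expected");
        check("viewOrders".equals(handle(login, true, sessionB)), "redirect to original request");
        check(!sessionB.containsKey(PREVIOUS_REQUEST), "URI consumed after replay");

        System.out.println("both scenarios behave as described in OFBIZ-12047");
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }
}
```

Scenario A is the navigation problem the issue reports; with step 2 in place the public request discards the remembered URI, so a later login lands on the login request's normal target instead of replaying a forgotten protected page. The exemption for the login URI in step 2 is the detail the commit message adds on top of the original patch: the login request is itself a non-authenticated request and would otherwise erase the attribute before the redirect could use it.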