details:   https://code.openbravo.com/erp/devel/pi/rev/7ef6d8ce4b58
changeset: 32379:7ef6d8ce4b58
user:      Martin Taal <martin.taal <at> openbravo.com>
date:      Thu Jun 29 11:28:15 2017 +0200
summary:   Fixes issue 36364: Http Sessions are registered in SessionListener 
with wrong session id, stateless requests should not be registered
Prevent stateless requests from being registered in the SessionListener.
Force the correct id in the Session record.

diffstat:

 src/org/openbravo/erpCommon/security/SessionLogin.java |  12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diffs (50 lines):

diff -r 1a7aad006212 -r 7ef6d8ce4b58 
src/org/openbravo/erpCommon/security/SessionLogin.java
--- a/src/org/openbravo/erpCommon/security/SessionLogin.java    Wed Jun 28 
14:57:06 2017 +0200
+++ b/src/org/openbravo/erpCommon/security/SessionLogin.java    Thu Jun 29 
11:28:15 2017 +0200
@@ -27,6 +27,7 @@
 import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
+import org.openbravo.authentication.AuthenticationManager;
 import org.openbravo.base.provider.OBProvider;
 import org.openbravo.dal.core.OBContext;
 import org.openbravo.dal.service.OBDal;
@@ -52,6 +53,7 @@
   protected String serverUrl;
   private String username;
   private String status;
+  private boolean stateless;
 
   public SessionLogin(String ad_client_id, String ad_org_id, String ad_user_id)
       throws ServletException {
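Review bot: The new `stateless` field carries no comment and, from the rest of this patch, is only assigned in the request-taking constructor, so a `SessionLogin` built through the three-argument constructor shown below keeps the default `false` and is always registered in the SessionListener. If that is intended, say so on the field: `// true for stateless requests, whose sessions are not registered in SessionListener; only set by the request-aware constructor`. The three-argument constructor's body continues outside the hunk.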
@@ -81,6 +83,7 @@
     if (request != null) {
       defaultParameters(request);
     }
+    stateless = AuthenticationManager.isStatelessRequest(request);
   }
 
   public void setServerUrl(String strAddr) {
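Review bot: The added assignment sits after the `if (request != null)` block rather than inside it, so `request` is passed to `AuthenticationManager.isStatelessRequest` even when it is null, a case the guard just above shows this constructor accepts. Unless that method is known to be null-safe, this can throw a NullPointerException where the old code did not; a one-line guard avoids it: `stateless = request != null && AuthenticationManager.isStatelessRequest(request);`. The enclosing constructor starts outside the hunk.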
@@ -115,7 +118,9 @@
   public int save() throws ServletException {
     if (getSessionID().equals("")) {
       String key = SequenceIdData.getUUID();
-      SessionListener.addSession(key);
+      if (!stateless) {
+        SessionListener.addSession(key);
+      }
       if (key == null || key.equals(""))
         throw new ServletException("SessionLogin.save() - key creation 
failed");
       setSessionID(key);
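Review bot: The new `SessionListener.addSession(key)` call still runs before the `key == null || key.equals("")` check two lines below it, so a failed key creation registers a null or empty id in the listener before the ServletException is thrown. The order is inherited from the old code, but since the commit rewrites exactly these lines it is the moment to move the two-line null/empty check above the `if (!stateless)` block so nothing is registered for a key that is about to be rejected. The rest of `save()` continues outside the hunk.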
@@ -142,6 +147,11 @@
       session.setSessionActive(sessionActive);
       session.setLoginStatus(status);
       session.setUsername(username);
+
+      // ensure that the object in the db has the same value as the session id
+      session.setId(getSessionID());
+      session.setNewOBObject(true);
+
       OBDal.getInstance().save(session);
       SessionInfo.auditThisThread(false);
       OBDal.getInstance().commitAndClose();
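Review bot: `session.setNewOBObject(true)` combined with `session.setId(getSessionID())` forces an insert with a caller-supplied primary key, so if a Session row with that id already exists the commit will fail on the key constraint instead of updating the row; whether `save()` can run twice for the same id is not visible here. If a duplicate is meant to be impossible, a comment stating the invariant would save the next reader a trip to the DAL: `// force an INSERT keyed by the session id; a duplicate id is a bug, never an update`. The enclosing method starts and ends outside the hunk.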
