Re: [Hypercontent-users] Further discussion on HC logout
From: Alex V. <al...@bi...> - 2007-03-13 14:59:34
Hi Tom,

Your changes look fine. For the code in CVS, I might consider a slightly less invasive approach where you would have to specify that you want to force login, e.g. with a request parameter "force-login=true":

    if("true".equalsIgnoreCase(request.getParameter("force-login"))) {
        session.logout();
        session.cleanSubject();
    }
    if(!session.isAuthenticated()){
        ...

Cheers,
Alex

On Mar 8, 2007, at 11:57 PM, tom tom wrote:

> Hi Alex,
>
> I did some code change; it looks like it's working, but I don't
> know the side effects. Please look at the changes. If the
> following has side effects, please do let me know a safe approach
> (I couldn't find any place to call HttpSession.invalidate();
> anyhow, see the following).
>
> 1) I introduced the following in org.hypercontent.server.Session:
>
>     public void cleanSubject() {
>         // replace the JAAS Subject so no principals from the previous login survive
>         subject = new Subject();
>         subject.getPrincipals().add(Anybody.instance);
>     }
>
> 2) Now the execute method in Login.java looks as follows; please
> observe that I am calling session.logout() and session.cleanSubject()
> and also executing the authentication unconditionally.
>
> Please let me know about this change.
>
> Thanks
>
>     public void execute(IRequest request) throws Exception {
>         //String user = request.getParameter("user");
>         //String pass = request.getParameter("pass");
>         Session session = request.getSession();
>
>         // mode=login forces a fresh authentication: drop the old session state first
>         if ("login".equalsIgnoreCase(request.getParameter("mode"))) {
>             session.logout();
>             session.cleanSubject();
>         }
>
>         // the former "if(!session.isAuthenticated())" guard is replaced by "if (true)",
>         // so the authentication providers now run on every request
>         if (true){
>             CallbackHandler handler = new RequestCallbackHandler(request);
>             Subject subject = session.getSubject();
>             LoginContext lc = new LoginContext("HyperContent", subject, handler);
>             try{
>                 lc.login();
>             }
>             catch(FailedLoginException e){
>                 failLogin(session);
>                 return;
>             }
>
>             IUser user = null;
>             String username = null;
>             Set set = subject.getPrincipals();
>             for(Iterator iterator=set.iterator(); iterator.hasNext();){
>                 Object o = iterator.next();
>                 //System.out.println("Checking out principal "+o);
>                 Principal p = (Principal)o;
>
>                 if(!p.equals(Anybody.instance)){
>                     username = p.getName();
>                     System.out.println("User name in if block is "+username);
>                     //let's translate generic principals into HyperContent Users and SuperUsers
>                     Set princs = subject.getPrincipals();
>                     princs.remove(p);
>                     user = getUserImpl(username);
>                     princs.add(user);
>                     session.setAuthenticated(true);
>                     break; // leave the loop before the modified set is iterated again
>                 }
>             }
>             if(!session.isAuthenticated()){
>                 failLogin(session);
>                 return; // otherwise a null username would be logged as "logged in"
>             }
>             Logger.info(Strings.concat("User ",username," logged in"));
>         }
>         else{
>             failLogin(session); // unreachable while the condition above is "true"
>         }
>         ....
>         ....
>         ...
>
> --- Alex Vigdor <al...@bi...> wrote:
>
>> Hi,
>> I think the problem may be traced to
>> org.hypercontent.server.commands.Login: on line 82 this class checks
>> whether the current session is already authenticated before running
>> authentication providers. You might try disabling this check to see
>> if you get the desired behavior. A more sophisticated fix would, as
>> you suggest, run the authentication providers and compare the results
>> with the existing authenticated user.
>>
>> Cheers,
>> Alex
>>
>> On Mar 7, 2007, at 10:56 PM, tom tom wrote:
>>
>>> Hi Alex,
>>>
>>> Some time back I asked you a question regarding HC logout and you
>>> cleared the doubts I had; I have attached the discussion we had at
>>> the bottom of the mail:
>>>
>>> (http://sourceforge.net/mailarchive/forum.php?thread_id=30987603&forum_id=38700)
>>>
>>> Well, I thought I had more suggestions on this. Similar to the HC
>>> link in uPortal, we have links for WebCT, Mail, Library etc., all
>>> SSO enabled, and all the links pop up in a new window with the
>>> application. None of these have the issue we had with HC, which is
>>> described at the bottom of this mail: that is, even though we don't
>>> close all the browser instances, if we log out of uPortal, log back
>>> in again as a different user and click the WebCT or Mail link, it
>>> will not pick the previous user but the new user.
>>>
>>> I understand that logging out of uPortal and CAS does NOT terminate
>>> the browser's session with HyperContent, but let me know whether the
>>> following makes any sense.
>>>
>>> The uPortal channel has a link to HC as follows:
>>>
>>> http://<HC server>/hypercontent?mode=login
>>>
>>> This guarantees (because mode=login) that HC will again contact CAS
>>> by calling serviceValidate; the serviceValidate will give the CAS XML
>>> with uid and other attributes.
>>>
>>> Isn't it possible to cross-check this uid with the session userId
>>> and, if different, call the session invalidate() method or throw an
>>> error?
>>>
>>> Please let me know if I am on the wrong track. My objective is to get
>>> HC logout behaviour similar to WebCT and Mail so that everything
>>> looks consistent.
>>>
>>> Thanks
>>>
>>> -------------FROM A PREVIOUS MAIL--------------------------
>>>
>>> I observed the following behaviour (defect?) in HC while doing the
>>> following.
>>>
>>> HC is CASified and working fine with CAS and uPortal. Users log in
>>> to uPortal via CAS and one uPortal channel has a link to HC. Look at
>>> the following use case.
>>>
>>> 1) User 'AUTHOR_HC' logs in to uPortal via CAS (authentication is
>>>    successful).
>>>
>>> 2) Clicks the HC link to edit content.
>>>
>>> 3) HC opens in a new window with 'You are logged in as AUTHOR_HC'.
>>>
>>> 4) User edits contents and saves.
>>>
>>> 5) Closes the HC browser window (without pressing the logout link in
>>>    HC).
>>>
>>> 6) User presses uPortal logout, which in turn calls cas/logout.
>>>
>>> 7) A different user logs in to uPortal via CAS as user 'APPOVER_HC'.
>>>
>>> 8) Clicks the HC link in uPortal; HC opens in a new browser window
>>>    ..............
>>>
>>> But still it shows the previous user's welcome message, which is
>>> 'You are logged in as AUTHOR_HC'.
>>>
>>> Why doesn't HC clean out everything? Is this a limitation?
>>> Different users can use the same workstation in our case.
>>>
>>> Alex's answer
>>> -------------
>>>
>>> This is the expected behavior. Logging out of uPortal and CAS does
>>> NOT terminate the browser's session with HyperContent. The user must
>>> close all browser windows for the session cookies to be cleared.
>>> This should be clearly conveyed to the user. Single Sign Out, the
>>> ability for the user to log out of CAS and all applications that use
>>> CAS for login, is a planned feature for a future CAS release.
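As an added example (not HyperContent's own code), the "compare the results with the existing authenticated user" approach Alex describes, combined with his force-login parameter: the provider runs on every login request, but the existing session is only discarded when the validated uid differs from the user it already holds or a forced login was requested. The Session, Authenticator and Result types and the user names are assumptions constructed for the demo; the Authenticator stands in for the CAS serviceValidate/JAAS provider.

```java
import java.util.Optional;

// Added example, not HyperContent's code: re-authenticate on every login
// request and reconcile the result with the user already bound to the session.
public class ReauthExample {

    /** Stand-in for the CAS/JAAS provider: the validated uid, or empty on failure (assumption). */
    interface Authenticator { Optional<String> authenticate(); }

    /** Minimal session model (assumption): authenticated flag plus the bound user name. */
    static final class Session {
        private String user;                  // null while anonymous
        boolean isAuthenticated() { return user != null; }
        String getUser() { return user; }
        void logout() { user = null; }        // drops the old principals, like cleanSubject()
    }

    /** Outcome of one login request, so callers can see what happened. */
    enum Result { ALREADY_LOGGED_IN, LOGGED_IN, SWITCHED_USER, FAILED }

    /** forceLogin mirrors the "force-login=true" request parameter. */
    static Result login(Session session, Authenticator auth, boolean forceLogin) {
        Optional<String> uid = auth.authenticate();
        if (!uid.isPresent()) {               // provider failed: keep nothing stale around
            session.logout();
            return Result.FAILED;
        }
        String validated = uid.get();
        if (session.isAuthenticated() && !forceLogin
                && validated.equals(session.getUser())) {
            return Result.ALREADY_LOGGED_IN;  // same person, nothing to do
        }
        boolean switched = session.isAuthenticated()
                && !validated.equals(session.getUser());
        session.logout();                     // clear the previous subject before binding
        session.user = validated;
        return switched ? Result.SWITCHED_USER : Result.LOGGED_IN;
    }

    public static void main(String[] args) {
        Session s = new Session();            // one browser session that is never closed
        // constructed scenario from the thread: AUTHOR_HC logs in, then a second
        // person uses the same workstation and arrives via the mode=login link
        System.out.println(login(s, () -> Optional.of("AUTHOR_HC"), false));
        System.out.println(login(s, () -> Optional.of("AUTHOR_HC"), false));
        System.out.println(login(s, () -> Optional.of("APPROVER_HC"), false));
        System.out.println(login(s, Optional::empty, false));
    }
}
```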