Posted to dev@cocoon.apache.org by Per Kreipke <pe...@onclave.com> on 2002/08/08 00:55:31 UTC
SunRise: AuthAction.java bug?
In 2.0.3, the default value returned from AuthAction:act() calling
SunRise.java:checkAuthentication() is true even if there is no handler
parameter defined.
That seems wrong to me: if misconfigured with no 'handler' parameter, there
should either be an error message or complete failure. The user certainly
shouldn't be authorized.
Per
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
RE: SunRise: AuthAction.java bug?
Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Ok, you're right - I fixed this.
Thanks for reporting!
Regards
Carsten
> -----Original Message-----
> From: Per Kreipke [mailto:per@onclave.com]
> Sent: Thursday, August 08, 2002 7:11 PM
> To: cocoon-dev@xml.apache.org
> Subject: RE: SunRise: AuthAction.java bug?
>
>
> Carsten,
>
> More on the code:
>
>
> > > if (this.handlerName == null) this.handlerName = "";
> > > if (this.applicationName == null) this.applicationName = "";
> > > if (this.handlerName.equals(newHandlerName) == false
> > >     || this.applicationName.equals(newAppName) == false) {
> > >     this.handlerName = newHandlerName;
> > >     this.applicationName = newAppName;
> > >     this.handler = null;
> > >     this.application = null;
> > >
> > >     if (this.handlerName != null) {
> > >         if ( null != this.userHandlers) {
> > >             this.handler =
> > >                 (Handler)this.userHandlers.get(this.handlerName);
> > >         } else {
> > >             this.handler =
> > >                 (Handler)this.configuredHandlers.get(this.handlerName);
> > >         }
> > >
> > >         if (this.handler == null) {
> > >             throw new ProcessingException("Handler not found: " +
> > >                 this.handlerName);
> > >         }
>
> What if this.handlerName is null? Then the entire block with the exception
> is skipped. E.g. if I don't define a handler (which was my original
> mistake), then newHandlerName is null and it's assigned to this.handlerName
> which is then also null.
>
> Per
RE: SunRise: AuthAction.java bug?
Posted by Per Kreipke <pe...@onclave.com>.
Carsten,
More on the code:
> > if (this.handlerName == null) this.handlerName = "";
> > if (this.applicationName == null) this.applicationName = "";
> > if (this.handlerName.equals(newHandlerName) == false
> >     || this.applicationName.equals(newAppName) == false) {
> >     this.handlerName = newHandlerName;
> >     this.applicationName = newAppName;
> >     this.handler = null;
> >     this.application = null;
> >
> >     if (this.handlerName != null) {
> >         if ( null != this.userHandlers) {
> >             this.handler =
> >                 (Handler)this.userHandlers.get(this.handlerName);
> >         } else {
> >             this.handler =
> >                 (Handler)this.configuredHandlers.get(this.handlerName);
> >         }
> >
> >         if (this.handler == null) {
> >             throw new ProcessingException("Handler not found: " +
> >                 this.handlerName);
> >         }
What if this.handlerName is null? Then the entire block with the exception
is skipped. E.g. if I don't define a handler (which was my original
mistake), then newHandlerName is null and it's assigned to this.handlerName
which is then also null.
Per
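Added example (not part of the original thread, and not Cocoon or SunRise source): the control flow Per describes above, modelled in self-contained Java next to a fail-closed variant. The class and method names, the CONFIGURED map, the isLoggedIn stand-in and the `true` default are assumptions modelled on the messages, not the project's code.

```java
import java.util.HashMap;
import java.util.Map;
// Added illustration; all names here are hypothetical, not Cocoon/SunRise code.
public class HandlerLookupDemo {
    // Constructed sample configuration: one configured handler.
    static final Map<String, Object> CONFIGURED = new HashMap<>();
    static { CONFIGURED.put("portalhandler", new Object()); }

    // Mirrors the quoted control flow: the lookup and the "Handler not found"
    // exception both sit inside the null check, and no else branch denies.
    static boolean checkFailOpen(String handlerName) {
        Object handler = null;
        if (handlerName != null) {
            handler = CONFIGURED.get(handlerName);
            if (handler == null) {
                throw new IllegalStateException("Handler not found: " + handlerName);
            }
        }
        boolean authenticated = true;   // assumed default, per the report
        if (handler != null) {
            authenticated = isLoggedIn(handler);
        }
        return authenticated;           // a null name falls through to the default
    }

    // Fail-closed variant: a missing name is a configuration error, and the
    // only way to get a result is through a resolved handler.
    static boolean checkFailClosed(String handlerName) {
        if (handlerName == null || handlerName.isEmpty()) {
            throw new IllegalStateException("No 'handler' parameter configured");
        }
        Object handler = CONFIGURED.get(handlerName);
        if (handler == null) {
            throw new IllegalStateException("Handler not found: " + handlerName);
        }
        return isLoggedIn(handler);
    }

    // Stand-in for the real session check; nobody is logged in here.
    static boolean isLoggedIn(Object handler) { return false; }
    public static void main(String[] args) {
        System.out.println("fail-open, no handler:   " + checkFailOpen(null));
        try {
            checkFailClosed(null);
        } catch (IllegalStateException e) {
            System.out.println("fail-closed, no handler: " + e.getMessage());
        }
    }
}
```

With a null handler name the first method skips both the lookup and the exception and returns its default, while the second stops at the configuration error before any authorization decision is made.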
RE: SunRise: AuthAction.java bug?
Posted by Per Kreipke <pe...@onclave.com>.
> I looked at the code and it seems that if the handler parameter is
> misconfigured an exception should be thrown:
>
> The AuthAction calls:
>
> if (sunRise.checkAuthentication(redirector, !initialized) == false) {
>
> And in the checkAuthentication() method, the following code should
> throw an exception then:
> >>>
> if (this.handlerName == null) this.handlerName = "";
> if (this.applicationName == null) this.applicationName = "";
> if (this.handlerName.equals(newHandlerName) == false
>     || this.applicationName.equals(newAppName) == false) {
>     this.handlerName = newHandlerName;
>     this.applicationName = newAppName;
>     this.handler = null;
>     this.application = null;
>
>     if (this.handlerName != null) {
>         if ( null != this.userHandlers) {
>             this.handler =
>                 (Handler)this.userHandlers.get(this.handlerName);
>         } else {
>             this.handler =
>                 (Handler)this.configuredHandlers.get(this.handlerName);
>         }
>
>         if (this.handler == null) {
>             throw new ProcessingException("Handler not found: " +
>                 this.handlerName);
>         }
>
> <<<<<
>
> Or is there a bug here?
Yes, I think there is, ergo the subject. But I wasn't explicit in my
description, sorry.
I admit that I can't tell by looking at the code above, I find it too
complex since I don't understand exactly how SunRise works. E.g. I have no
idea how many SunRise objects are instantiated at runtime: one per request,
per pipeline, per user, per session? And consequently I don't understand why
there is a this.handler in the SunRise object since you can declare multiple
<handler>'s within the <map:action> for SunRise. Why, for example, don't you
put the handler in the request attributes the way you did the handler name?
That said, isn't there a missing else in the block of code below the one
above?
if (this.handler != null) {
    ...
}
// no else here, which means that checkAuthentication() is valid with a
// misconfigured handler?
Wish I could help more.
Per
> > In 2.0.3, the default value returned from AuthAction:act() calling
> > SunRise.java:checkAuthentication() is true even if there is no handler
> > parameter defined.
> >
> > That seems wrong to me: if misconfigured with no 'handler' parameter, there
> > should either be an error message or complete failure. The user certainly
> > shouldn't be authorized.
> >
> > Per
RE: SunRise: AuthAction.java bug?
Posted by Carsten Ziegeler <cz...@s-und-n.de>.
I looked at the code and it seems that if the handler parameter is
misconfigured an exception should be thrown:
The AuthAction calls:
if (sunRise.checkAuthentication(redirector, !initialized) == false) {
And in the checkAuthentication() method, the following code should
throw an exception then:
>>>
if (this.handlerName == null) this.handlerName = "";
if (this.applicationName == null) this.applicationName = "";
if (this.handlerName.equals(newHandlerName) == false
    || this.applicationName.equals(newAppName) == false) {
    this.handlerName = newHandlerName;
    this.applicationName = newAppName;
    this.handler = null;
    this.application = null;

    if (this.handlerName != null) {
        if ( null != this.userHandlers) {
            this.handler =
                (Handler)this.userHandlers.get(this.handlerName);
        } else {
            this.handler =
                (Handler)this.configuredHandlers.get(this.handlerName);
        }

        if (this.handler == null) {
            throw new ProcessingException("Handler not found: " +
                this.handlerName);
        }
<<<<<
Or is there a bug here?
Carsten
> -----Original Message-----
> From: Per Kreipke [mailto:per@onclave.com]
> Sent: Thursday, August 08, 2002 12:56 AM
> To: cocoon-dev@xml.apache.org
> Subject: SunRise: AuthAction.java bug?
>
>
> In 2.0.3, the default value returned from AuthAction:act() calling
> SunRise.java:checkAuthentication() is true even if there is no handler
> parameter defined.
>
> That seems wrong to me: if misconfigured with no 'handler' parameter, there
> should either be an error message or complete failure. The user certainly
> shouldn't be authorized.
>
> Per