Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@gmail.com> on 2008/09/23 19:59:40 UTC
"Create new servlet session upon login" Feature
Does anyone know how to configure this feature?
https://issues.apache.org/jira/browse/JS2-712
Basically, it makes it so that if a client browser re-posts to the
login URI with some different credentials, the old session is turfed
and a new one created...
thanks in advance,
aaron
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: "Create new servlet session upon login" Feature
Posted by David Sean Taylor <dt...@onehippo.com>.
On Sep 29, 2008, at 4:52 PM, Aaron Evans wrote:
> Hi David,
>
> I tried this out and it seems to do what I want, so thanks very much.
> Sorry to take so long to actually use a feature that I requested!
>
> One question though:
>
> In the LoginProxyServlet, you redirect to:
>
> "/login/redirector?token=" + token.getToken() where the token value is
> the username-timestamp.
>
> Is this token request parameter used later on in the chain? It doesn't
> seem to affect the behavior of the authentication mechanism or the
> security valve.
>
> The reason I ask is if it is informational only, I'd suggest removing
> it. In my case, it stays visible for a second or two while our
> dashboard loads and it just seems weird to see the username in the
> URL.
>
> Anyhow, obviously not a big deal provided it isn't a security issue
> (and I'm pretty sure it is not since I tried doing some basic URL
> manipulation).
>
> Anyhow, thanks again. I'll also post these comments on the JIRA issue
> in case you miss this thread...
>
Message received on JIRA, also responding here:
It is used but the token does not have to be the user name. I agree,
it would be better to create a generated token with no meaning.
Regardless, the tokens will only live for 30 seconds.
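An added example, not Jetspeed code, of the alternative David describes above: the redirector token is a random opaque value that is bound to the user name only on the server side, lives for 30 seconds and can be redeemed once, so nothing about the user appears in the URL. Class and function names are assumed for illustration.

```python
# Added example (not Jetspeed code): an opaque, short-lived, single-use
# redirect token in place of a "username-timestamp" value in the URL.
import secrets
import time

TOKEN_TTL_SECONDS = 30  # lifetime the thread gives for redirector tokens


class RedirectTokenStore:
    """Maps random opaque tokens to a user name; the mapping never leaves the server."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._tokens = {}    # token -> (username, expiry timestamp)

    def mint(self, username):
        """Issue a fresh token for username; the token itself carries no meaning."""
        self._purge()
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the bound user name once; None if unknown, expired or already used."""
        self._purge()
        entry = self._tokens.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None
        return username

    def _purge(self):
        """Drop tokens whose 30 second lifetime has passed."""
        now = self._clock()
        for token in [t for t, (_, exp) in self._tokens.items() if now > exp]:
            del self._tokens[token]


def build_redirect_url(store, username):
    """The '/login/redirector?token=' URL from the thread, with an opaque token."""
    return "/login/redirector?token=" + store.mint(username)
```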
Re: "Create new servlet session upon login" Feature
Posted by Aaron Evans <aa...@gmail.com>.
Hi David,
I tried this out and it seems to do what I want, so thanks very much.
Sorry to take so long to actually use a feature that I requested!
One question though:
In the LoginProxyServlet, you redirect to:
"/login/redirector?token=" + token.getToken() where the token value is
the username-timestamp.
Is this token request parameter used later on in the chain? It doesn't
seem to affect the behavior of the authentication mechanism or the
security valve.
The reason I ask is if it is informational only, I'd suggest removing
it. In my case, it stays visible for a second or two while our
dashboard loads and it just seems weird to see the username in the
URL.
Anyhow, obviously not a big deal provided it isn't a security issue
(and I'm pretty sure it is not since I tried doing some basic URL
manipulation).
Anyhow, thanks again. I'll also post these comments on the JIRA issue
in case you miss this thread...
-aaron
On Tue, Sep 23, 2008 at 6:01 PM, David Sean Taylor
<da...@bluesunrise.com> wrote:
> On Sep 23, 2008, at 10:59 AM, Aaron Evans wrote:
>
>> Does anyone know how to configure this feature?
>>
>> https://issues.apache.org/jira/browse/JS2-712
>>
>> Basically, it makes it so that if a client browser re-posts to the
>> login URI with some different credentials, the old session is turfed
>> and a new one created...
>>
>> thanks in advance,
>> aaron
>>
>
> JS2-712 has been available since 2.1.2.
> It's configured in administration.xml, see constructor argument 0, defaulted
> to false. You will need to set it to true.
>
> <bean id='org.apache.jetspeed.administration.PortalAuthenticationConfiguration'
>       class='org.apache.jetspeed.administration.PortalAuthenticationConfigurationImpl'>
>   <!-- create new session upon authentication -->
>   <constructor-arg index='0'>
>     <value>false</value>
>   </constructor-arg>
>   <!-- hard session timeout limit in seconds, regardless of (in)activity,
>        setting to 0 turns off this feature
>        note: this feature should be used with 'create new session
>        upon authentication' feature
>   -->
>   <constructor-arg index='1'>
>     <value>0</value>
>   </constructor-arg>
>   <!-- redirect location for hard session expiration -->
>   <constructor-arg index='2'>
>     <value>/login/logout</value>
>   </constructor-arg>
> </bean>
>
> Give it a try and let me know if that is what you need. I didn't seem to
> close the issue upon completing it.
Re: "Create new servlet session upon login" Feature
Posted by David Sean Taylor <da...@bluesunrise.com>.
On Sep 23, 2008, at 10:59 AM, Aaron Evans wrote:
> Does anyone know how to configure this feature?
>
> https://issues.apache.org/jira/browse/JS2-712
>
> Basically, it makes it so that if a client browser re-posts to the
> login URI with some different credentials, the old session is turfed
> and a new one created...
>
> thanks in advance,
> aaron
>
JS2-712 has been available since 2.1.2.
It's configured in administration.xml, see constructor argument 0,
defaulted to false. You will need to set it to true.
<bean id='org.apache.jetspeed.administration.PortalAuthenticationConfiguration'
      class='org.apache.jetspeed.administration.PortalAuthenticationConfigurationImpl'>
  <!-- create new session upon authentication -->
  <constructor-arg index='0'>
    <value>false</value>
  </constructor-arg>
  <!-- hard session timeout limit in seconds, regardless of (in)activity,
       setting to 0 turns off this feature
       note: this feature should be used with 'create new session upon
       authentication' feature
  -->
  <constructor-arg index='1'>
    <value>0</value>
  </constructor-arg>
  <!-- redirect location for hard session expiration -->
  <constructor-arg index='2'>
    <value>/login/logout</value>
  </constructor-arg>
</bean>
Give it a try and let me know if that is what you need. I didn't seem
to close the issue upon completing it.