Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@gmail.com> on 2008/09/23 19:59:40 UTC

"Create new servlet session upon login" Feature

Does anyone know how to configure this feature?

https://issues.apache.org/jira/browse/JS2-712

Basically, it makes it so that if a client browser re-posts to the
login URI with some different credentials, the old session is turfed
and a new one created...

thanks in advance,
aaron

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: "Create new servlet session upon login" Feature

Posted by David Sean Taylor <dt...@onehippo.com>.
On Sep 29, 2008, at 4:52 PM, Aaron Evans wrote:

> Hi David,
>
> I tried this out and it seems to do what I want, so thanks very much.
> Sorry to take so long to actually use a feature that I requested!
>
> One question though:
>
> In the LoginProxyServlet, you redirect to:
>
> "/login/redirector?token=" + token.getToken() where the token value is
> the username-timestamp.
>
> Is this token request parameter used later on in the chain? It doesn't
> seem to affect the behavior of the authentication mechanism or the
> security valve.
>
> The reason I ask is if it is informational only, I'd suggest removing
> it.  In my case, it stays visible for a second or two while our
> dashboard loads and it just seems weird to see the username in the
> URL.
>
> Anyhow, obviously not a big deal provided it isn't a security issue
> (and I'm pretty sure it is not since I tried doing some basic URL
> manipulation).
>
> Anyhow, thanks again. I'll also post these comments on the JIRA issue
> in case you miss this thread...
>

Message received on JIRA, also responding here:

It is used but the token does not have to be the user name. I agree,
it would be better to create a generated token with no meaning.
Regardless, the tokens will only live for 30 seconds.


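An added illustration of the change David agrees with above: a redirect token that is generated at random and means nothing on its own, bound server-side to the user, good for 30 seconds and for one redemption. This is example code, not Jetspeed's LoginProxyServlet or redirector; the class and method names, the 16-byte token size and the constructed clock values in main are assumptions.

```java
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/*
 * Example one-time login token store, standing in for the username-timestamp
 * value in "/login/redirector?token=...". Not Jetspeed's code; names are
 * assumptions. The username now lives in this map, not in the URL.
 */
public final class LoginTokenStore {

    /** Tokens live 30 seconds, the lifetime quoted in the thread. */
    static final long TTL_MILLIS = 30L * 1000L;
    /** 128 bits of randomness, so a live token cannot be guessed. */
    static final int TOKEN_BYTES = 16;

    private static final class Issued {
        final String username;
        final long issuedAtMillis;
        Issued(String username, long issuedAtMillis) {
            this.username = username;
            this.issuedAtMillis = issuedAtMillis;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Issued> live = new ConcurrentHashMap<String, Issued>();

    /** Mint an opaque token and remember which authenticated user it belongs to. */
    public String issue(String username, long nowMillis) {
        byte[] raw = new byte[TOKEN_BYTES];
        random.nextBytes(raw);
        String token = toHex(raw);
        live.put(token, new Issued(username, nowMillis));
        return token;
    }

    /**
     * Redeem a token exactly once. Returns the bound username, or null when the
     * token is unknown, already used, or older than TTL_MILLIS. Map.remove()
     * makes the single-use rule atomic: two concurrent redeemers cannot both win.
     */
    public String redeem(String token, long nowMillis) {
        if (token == null) {
            return null;
        }
        Issued entry = live.remove(token);
        if (entry == null || nowMillis - entry.issuedAtMillis > TTL_MILLIS) {
            return null;
        }
        return entry.username;
    }

    /** Drop tokens that were issued but never redeemed; run this from a timer. */
    public int purgeExpired(long nowMillis) {
        int dropped = 0;
        Iterator<Map.Entry<String, Issued>> it = live.entrySet().iterator();
        while (it.hasNext()) {
            if (nowMillis - it.next().getValue().issuedAtMillis > TTL_MILLIS) {
                it.remove();
                dropped++;
            }
        }
        return dropped;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        LoginTokenStore store = new LoginTokenStore();
        long t0 = 1222203600000L;                       // constructed clock value
        String token = store.issue("aaron", t0);
        System.out.println("redirect to /login/redirector?token=" + token);
        System.out.println(store.redeem(token, t0 + 5000L));  // within the TTL, first use
        System.out.println(store.redeem(token, t0 + 6000L));  // same token, already consumed
        String late = store.issue("aaron", t0);
        System.out.println(store.redeem(late, t0 + 31000L));  // issued 31 s earlier, past the TTL
    }
}
```

The short lifetime and single use matter because the token travels in a URL: it ends up in browser history, proxy logs and the Referer header of whatever the redirector page loads next, so anything written there should be worthless a moment later.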


Re: "Create new servlet session upon login" Feature

Posted by Aaron Evans <aa...@gmail.com>.
Hi David,

I tried this out and it seems to do what I want, so thanks very much.
Sorry to take so long to actually use a feature that I requested!

One question though:

In the LoginProxyServlet, you redirect to:

"/login/redirector?token=" + token.getToken() where the token value is
the username-timestamp.

Is this token request parameter used later on in the chain? It doesn't
seem to affect the behavior of the authentication mechanism or the
security valve.

The reason I ask is if it is informational only, I'd suggest removing
it.  In my case, it stays visible for a second or two while our
dashboard loads and it just seems weird to see the username in the
URL.

Anyhow, obviously not a big deal provided it isn't a security issue
(and I'm pretty sure it is not since I tried doing some basic URL
manipulation).

Anyhow, thanks again. I'll also post these comments on the JIRA issue
in case you miss this thread...

-aaron


On Tue, Sep 23, 2008 at 6:01 PM, David Sean Taylor
<da...@bluesunrise.com> wrote:
> On Sep 23, 2008, at 10:59 AM, Aaron Evans wrote:
>
>> Does anyone know how to configure this feature?
>>
>> https://issues.apache.org/jira/browse/JS2-712
>>
>> Basically, it makes it so that if a client browser re-posts to the
>> login URI with some different credentials, the old session is turfed
>> and a new one created...
>>
>> thanks in advance,
>> aaron
>>
>
> JS2-712 has been available since 2.1.2.
> It's configured in administration.xml, see constructor argument 0, defaulted
> to false. You will need to set it to true.
>
> <bean
> id='org.apache.jetspeed.administration.PortalAuthenticationConfiguration'
>
>  class='org.apache.jetspeed.administration.PortalAuthenticationConfigurationImpl'>
>
>   <!--  create new session upon authentication -->
>   <constructor-arg index='0'>
>                <value>false</value>
>   </constructor-arg>
>   <!--  hard session timeout limit in seconds, regardless of (in)activity,
> setting to 0 turns off this feature
>                 note:this feature should be used with 'create new session
> upon authentication' feature
>   -->
>   <constructor-arg index='1'>
>                <value>0</value>
>   </constructor-arg>
>   <!--  redirect location for hard session expiration -->
>   <constructor-arg index='2'>
>                <value>/login/logout</value>
>   </constructor-arg>
> </bean>
>
> Give it a try and let me know if that is what you need. I didn't seem to
> close the issue upon completing it.
>
>



Re: "Create new servlet session upon login" Feature

Posted by David Sean Taylor <da...@bluesunrise.com>.
On Sep 23, 2008, at 10:59 AM, Aaron Evans wrote:

> Does anyone know how to configure this feature?
>
> https://issues.apache.org/jira/browse/JS2-712
>
> Basically, it makes it so that if a client browser re-posts to the
> login URI with some different credentials, the old session is turfed
> and a new one created...
>
> thanks in advance,
> aaron
>

JS2-712 has been available since 2.1.2.
It's configured in administration.xml, see constructor argument 0,
defaulted to false. You will need to set it to true.

<bean id='org.apache.jetspeed.administration.PortalAuthenticationConfiguration'
      class='org.apache.jetspeed.administration.PortalAuthenticationConfigurationImpl'>

    <!--  create new session upon authentication -->
    <constructor-arg index='0'>
        <value>false</value>
    </constructor-arg>
    <!--  hard session timeout limit in seconds, regardless of (in)activity,
          setting to 0 turns off this feature
          note: this feature should be used with 'create new session upon
          authentication' feature
    -->
    <constructor-arg index='1'>
        <value>0</value>
    </constructor-arg>
    <!--  redirect location for hard session expiration -->
    <constructor-arg index='2'>
        <value>/login/logout</value>
    </constructor-arg>
</bean>

Give it a try and let me know if that is what you need. I didn't seem
to close the issue upon completing it.


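An added example of what the three constructor arguments above amount to at the servlet level: on the credential POST the session the browser arrived with is invalidated and a fresh one created, and a session older than the hard limit is dropped and redirected to the configured logout location no matter how active it was. This is illustrative code, not Jetspeed's PortalAuthenticationConfigurationImpl or its security valve; the filter class name, the login URI "/login/proxy" and the 1800-second limit are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Example filter modelling the PortalAuthenticationConfiguration settings in
 * administration.xml. Not Jetspeed's implementation; the class name,
 * LOGIN_PATH and the 1800 s value are assumptions.
 */
public class FreshSessionOnLoginFilter implements Filter {

    // constructor-arg 0: create new session upon authentication
    static final boolean CREATE_NEW_SESSION_ON_LOGIN = true;
    // constructor-arg 1: hard session timeout in seconds, 0 turns it off
    static final long HARD_TIMEOUT_SECONDS = 1800L;
    // constructor-arg 2: redirect location for hard session expiration
    static final String HARD_TIMEOUT_REDIRECT = "/login/logout";
    // Assumed login URI that receives the credential POST
    static final String LOGIN_PATH = "/login/proxy";

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        long now = System.currentTimeMillis();

        HttpSession current = request.getSession(false);
        if (isHardExpired(current, now)) {
            // Lifetime exceeded regardless of activity: drop the session and
            // send the browser to the configured logout location.
            current.invalidate();
            response.sendRedirect(request.getContextPath() + HARD_TIMEOUT_REDIRECT);
            return;
        }

        if (CREATE_NEW_SESSION_ON_LOGIN && isLoginPost(request)) {
            rotateSession(request);
        }
        chain.doFilter(request, response);
    }

    static boolean isLoginPost(HttpServletRequest request) {
        return "POST".equalsIgnoreCase(request.getMethod())
                && LOGIN_PATH.equals(request.getServletPath());
    }

    /** True when the session is older than the hard limit; a limit of 0 disables the check. */
    static boolean isHardExpired(HttpSession session, long nowMillis) {
        if (session == null || HARD_TIMEOUT_SECONDS <= 0) {
            return false;
        }
        long ageMillis = nowMillis - session.getCreationTime();
        return ageMillis > HARD_TIMEOUT_SECONDS * 1000L;
    }

    /**
     * Discard whatever session the browser arrived with and start a fresh one.
     * Nothing is copied across: a re-POST with different credentials must not
     * inherit the previous user's attributes, and a session id planted in the
     * browser before login must not become the authenticated one.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return request.getSession(true);
    }
}
```

This also shows why the comment in administration.xml says the hard timeout should be used together with "create new session upon authentication": the limit is measured from HttpSession.getCreationTime(), and without rotation that is the moment the anonymous visitor first got a session, so the clock on the authenticated session would already have been running before the user logged in.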