Jetspeed 2: JS2-712

Create new servlet session upon login (configurable)

Details

• Type: Improvement
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 2.1.2
• Fix Version/s: 2.1.2
• Component/s: Security
• Labels: None

Description

Create new servlet session upon login. In 2.1, the guest session is continued when the user authenticates. That is a valid use case, such as an e-commerce portal that allows users to delay their login but still create a shopping cart before logging in, and then carries the session state over to the logged-in user. This enhancement will make the "creation of new session event" configurable in the Spring configuration. The default behavior will still be to not create a new session.
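The following is an added illustration of the behaviour the issue describes; it is not Jetspeed code, and the class and method names (LoginSessionRotator, onAuthenticated, createNewSessionOnLogin) are assumptions. The security point is session fixation: if the session id a visitor held as a guest stays valid after login, anyone who learned that id before authentication inherits the authenticated session. Rotating the session at login closes that window, while the shopping-cart style use case is kept by copying selected attributes across. The switch defaults to off, matching the issue's stated default.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Jetspeed) that rotates the servlet session
 * when a user authenticates. The guest (pre-login) session id is discarded so
 * that an id a visitor held before login never identifies the logged-in user,
 * while chosen guest state (e.g. a shopping cart) is carried over.
 */
public class LoginSessionRotator {

    /** Mirrors the Spring-configurable switch from the issue; default is the 2.1 behaviour. */
    private boolean createNewSessionOnLogin = false;

    public void setCreateNewSessionOnLogin(boolean createNewSessionOnLogin) {
        this.createNewSessionOnLogin = createNewSessionOnLogin;
    }

    /**
     * Call once the credentials have been verified.
     *
     * @param request   the login request
     * @param carryOver names of session attributes to copy from the guest session
     * @return the session that will hold the authenticated user's state
     */
    public HttpSession onAuthenticated(HttpServletRequest request, Set<String> carryOver) {
        HttpSession guest = request.getSession(false);
        if (!createNewSessionOnLogin || guest == null) {
            // 2.1 behaviour: keep (or lazily create) the existing session.
            return request.getSession(true);
        }

        // Snapshot only the attributes the deployment explicitly wants to keep;
        // anything else from the anonymous session is deliberately dropped.
        Map<String, Object> preserved = new HashMap<String, Object>();
        Enumeration<?> names = guest.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (carryOver.contains(name)) {
                preserved.put(name, guest.getAttribute(name));
            }
        }

        guest.invalidate();                         // the pre-login id is dead from here on
        HttpSession fresh = request.getSession(true); // container issues a brand-new id

        for (Map.Entry<String, Object> entry : preserved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

On a Servlet 3.1 or later container the same effect can be had with HttpServletRequest.changeSessionId(), which keeps the attributes and swaps only the id; the invalidate-and-recreate pattern above is what is available on the Servlet 2.x containers Jetspeed 2.1 ran on, and it has the extra benefit of discarding guest state that was not explicitly whitelisted.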

Activity

Aaron Evans added a comment -

I tried this out and it seems to do what I want, so thanks very much. Sorry to take so long to actually use a feature that I requested!

One question though:

In the LoginProxyServlet, you redirect to:

"/login/redirector?token=" + token.getToken() where the token value is the username-timestamp.

Is this token request parameter used later on in the chain? It doesn't seem to affect the behavior of the authentication mechanism or the security valve.

The reason I ask is if it is informational only, I'd suggest removing it. In my case, it stays visible for a second or two while our dashboard loads and it just seems weird to see the username in the URL.

Anyhow, obviously not a big deal provided it isn't a security issue (and I'm pretty sure it is not since I tried doing some basic URL manipulation).

Anyhow, thanks again.

-aaron

David Sean Taylor added a comment -

It is used but the token does not have to be the user name. I agree, it would be better to create a generated token with no meaning. Regardless, the tokens will only live for 30 seconds.

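As an added example of the "generated token with no meaning" the reply above proposes (this is not Jetspeed's implementation; the class name LoginRedirectTokens and its methods are assumptions), the hand-off token for the redirector is drawn from SecureRandom, bound server-side to the username, honoured for 30 seconds as the comment states, and redeemable exactly once. Nothing about the user is encoded in the URL, so a username no longer shows up in the address bar, and a token that is guessed, replayed or copied from a log after use is rejected.

```java
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical one-time token store (not Jetspeed code) for the
 * LoginProxyServlet -> /login/redirector hand-off discussed in this issue.
 * A token is random, carries no meaning on its own, expires after 30 seconds
 * and can be consumed only once.
 */
public class LoginRedirectTokens {

    /** Lifetime from the comment above. */
    private static final long TTL_MILLIS = 30L * 1000L;
    /** 192 bits of entropy; far beyond what could be enumerated within the TTL. */
    private static final int TOKEN_BYTES = 24;

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> live = new ConcurrentHashMap<String, Entry>();

    private static final class Entry {
        final String username;
        final long expiresAt;

        Entry(String username, long expiresAt) {
            this.username = username;
            this.expiresAt = expiresAt;
        }
    }

    /** Issues a fresh token for an authenticated user and returns its URL-safe form. */
    public String issue(String username) {
        byte[] raw = new byte[TOKEN_BYTES];
        random.nextBytes(raw);
        String token = toHex(raw);
        live.put(token, new Entry(username, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    /**
     * Redeems a token presented to the redirector. Returns the bound username,
     * or null if the token is unknown, already used or older than 30 seconds.
     * The entry is removed before the checks so that a concurrent replay loses.
     */
    public String consume(String token) {
        if (token == null) {
            return null;
        }
        Entry entry = live.remove(token);
        if (entry == null || entry.expiresAt < System.currentTimeMillis()) {
            return null;
        }
        return entry.username;
    }

    /** Housekeeping for tokens that were issued but never redeemed. */
    public void purgeExpired() {
        long now = System.currentTimeMillis();
        for (Iterator<Map.Entry<String, Entry>> it = live.entrySet().iterator(); it.hasNext();) {
            if (it.next().getValue().expiresAt < now) {
                it.remove();
            }
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }
}
```

With this in place the redirect becomes "/login/redirector?token=" + tokens.issue(username), the redirector calls consume() and treats a null result as a failed hand-off, and purgeExpired() can run from whatever periodic task the servlet container or Spring context already provides. The hex encoding avoids a Base64 dependency on the Java 5 era runtimes Jetspeed 2.1 targeted.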

People

• Assignee: David Sean Taylor
• Reporter: David Sean Taylor
• Votes: 0
• Watchers: 0
