[opencms-dev] SOLVED: OC4J 10.1.3 Login Problem

[Nacho Fernandez]

Hi list and Alkacon staff,

We've found a solution we want to share for the following problem already
posted in the list:

Problem description:
After installing OpenCms 6.2.2 (or 6.2.X for that matter) into OC4J 10.1.3,
with jdk 1.5, the workplace window could never be shown. Despite being
correctly indentified and logged, the popup where OpenCms tried to open the
workplace kept showing the login page again and again.

More info on the problem:
After a successful indentification process, whenever the system tried to
display the workplace view a
org.opencms.security.CmsPermissionViolationException was raised due to the
system considering the current user was not the user you just logged in but
the default guest user who has no permission to access the workplace (and
that led to the login page again). How the system forget who just logged in
is a matter of sessions and its invalidation, and apparently differs from
Tomcat to OC4J.

The solution has 2 steps:
1.- You need to make a new session be created when the user requests the
login page. This can be done in several ways. A couple of them are
    a) Modifying the OpenCms code to insert a "request.getSession(true)"
line before you get the login page. This can be done for instance inserting
something like this into org.opencms.main.OpenCmsCore, in the function
"showResource(req,res)", after initializing the resource and before checking
if it's null:
           if( "/system/login/index.html".equals(
cms.getRequestContext().getUri()
) ) {
                // if we ask for the login page, we generate a new empty
session
                req.getSession( true );
            }
    b) Creating a simple jsp that accesses the session (either checking its
id or again ejecuting "request.getSession(true)") and later redirects to the
actual login page and forcing this jsp as the startup page for login in.
2.- The session invalidation process at org.opencms.jsp.CmsJspLoginBean must
be changed from an invalidation to a simple cleaning of attributes that
simulates the impossibility of accessing session values. The modified code
would look like this:
            // make sure we have a new session after login for security
reasons
            // Commented code begins
            /*
            session = getRequest().getSession(true);
            if (session != null) {
                session.invalidate();
            }
             */
            //Commented code ends
            session = getRequest().getSession(true);
            /* New code */
            // we remove the session attributes, making an alternate session
invalidation
            java.util.Enumeration attributes = session.getAttributeNames();
            while( attributes.hasMoreElements() ) {
                session.removeAttribute( (String) attributes.nextElement()
);
            }
            /* New code ends */

With this changes made, we managed to get the system working. This solution
was found by a skilled programmer and systems administration called Paco
Mesa. We tested it in Firefox and IE, and both in OC4J 10.1.3 and Tomcat 5
and it works correctly.

We hope this solution is useful to OpenCms developers and that Alkacon staff
consider including this or any equivalent solution into a future release of
OpenCms that could be used by more users.

Greetings,

Nacho.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20060914/2554cef2/attachment.htm>