[opencms-dev] SOLVED: OC4J 10.1.3 Login Problem
Shi Yusen
shiys at langhua.cn
Thu Sep 14 14:32:57 CEST 2006
Hi Nacho,
It's strange. My current 2 projects are both on JDK 1.5.x + OpenCms 6.2.1 + Apache 2.0.x + jBoss 4.0.4 + Oracle 10g. I don't see the problem you mentioned. I can't believe it. Are you sure it's not caused by some of your special configurations?
Regards
Shi Yusen/Beijing Langhua Ltd.
--------------------------------------------------------------
Tel: 86-10-88514088, 88514099
Fax: 86-10-88514099
Email: shiys at langhua.cn
Website: http://www.langhua.cn/
--------------------------------------------------------------
________________________________________
From: opencms-dev-bounces at opencms.org [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Nacho Fernandez
Sent: September 14, 2006 20:07
To: The OpenCms mailing list
Subject: [opencms-dev] SOLVED: OC4J 10.1.3 Login Problem
Hi list and Alkacon staff,
We've found a solution we want to share for the following problem already posted in the list:
Problem description:
After installing OpenCms 6.2.2 (or 6.2.X for that matter) into OC4J 10.1.3, with jdk 1.5, the workplace window could never be shown. Despite being correctly identified and logged in, the popup where OpenCms tried to open the workplace kept showing the login page again and again.
More info on the problem:
After a successful identification process, whenever the system tried to display the workplace view an org.opencms.security.CmsPermissionViolationException was raised due to the system considering the current user was not the user you just logged in but the default guest user who has no permission to access the workplace (and that led to the login page again). How the system forgets who just logged in is a matter of sessions and their invalidation, and apparently differs from Tomcat to OC4J.
The solution has 2 steps:
1.- You need to make a new session be created when the user requests the login page. This can be done in several ways. A couple of them are:
a) Modifying the OpenCms code to insert a "request.getSession(true)" line before you get the login page. This can be done for instance inserting something like this into org.opencms.main.OpenCmsCore, in the function "showResource(req,res)", after initializing the resource and before checking if it's null:
    if( "/system/login/index.html".equals( cms.getRequestContext().getUri() ) ) {
        // if we ask for the login page, we generate a new empty session
        req.getSession( true );
    }
b) Creating a simple jsp that accesses the session (either checking its id or again executing "request.getSession(true)") and later redirects to the actual login page, and forcing this jsp as the startup page for logging in.
2.- The session invalidation process at org.opencms.jsp.CmsJspLoginBean must be changed from an invalidation to a simple cleaning of attributes that simulates the impossibility of accessing session values. The modified code would look like this:
    // make sure we have a new session after login for security reasons
    // Commented code begins
    /*
    session = getRequest().getSession(true);
    if (session != null) {
        session.invalidate();
    }
    */
    // Commented code ends
    session = getRequest().getSession(true);
    /* New code */
    // we remove the session attributes, making an alternate session invalidation
    java.util.Enumeration attributes = session.getAttributeNames();
    while( attributes.hasMoreElements() ) {
        session.removeAttribute( (String) attributes.nextElement() );
    }
    /* New code ends */
With these changes made, we managed to get the system working. This solution was found by a skilled programmer and systems administrator called Paco Mesa. We tested it in Firefox and IE, and both in OC4J 10.1.3 and Tomcat 5 and it works correctly.
We hope this solution is useful to OpenCms developers and that Alkacon staff consider including this or any equivalent solution into a future release of OpenCms that could be used by more users.
Greetings,
Nacho.
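
Added example (not part of the original post and not OpenCms code): the comment in the patched block says a new session is wanted after login "for security reasons", and clearing attributes leaves the session ID unchanged, so this sketch puts both treatments side by side with a check for whether the pre-login ID survived. The class and method names are hypothetical; it assumes only the standard javax.servlet API and has not been tested on OC4J.

```java
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not OpenCms code) comparing two post-login session treatments. */
public final class LoginSessionCheck {

    private LoginSessionCheck() {}

    /** Workaround from the post: empty the session but keep it, so its ID is unchanged. */
    public static HttpSession clearAttributes(HttpServletRequest req) {
        HttpSession session = req.getSession(true);
        // Collections.list() copies the names, so removal does not disturb the enumeration.
        List<?> names = Collections.list(session.getAttributeNames());
        for (Object name : names) {
            session.removeAttribute((String) name);
        }
        return session;
    }

    /** Invalidate-and-renew, the approach the post comments out: the container issues a new ID. */
    public static HttpSession invalidateAndRenew(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return req.getSession(true);
    }

    /**
     * True when the ID recorded while the login page was served is still the ID of the
     * authenticated session, meaning login did not rotate the identifier and an ID
     * known before login stays valid after it (session fixation exposure).
     */
    public static boolean idSurvivedLogin(String idBeforeLogin, HttpSession afterLogin) {
        return idBeforeLogin != null && idBeforeLogin.equals(afterLogin.getId());
    }
}
```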