Hi list and Alkacon staff,<br>
<br>
We've found a solution we want to share for the following problem already posted in the list:<br>
<br>
Problem description:<br>
After installing OpenCms 6.2.2 (or 6.2.X for that matter) into OC4J
10.1.3, with jdk 1.5, the workplace window could never be shown.
Despite being correctly identified and logged in, the popup where OpenCms
tried to open the workplace kept showing the login page again and again.<br>
<br>
More info on the problem:<br>
After a successful identification process, whenever the system tried
to display the workplace view a
org.opencms.security.CmsPermissionViolationException was raised due to
the system considering the current user was not the user you just
logged in but the default guest user who has no permission to access
the workplace (and that led to the login page again). How the system
forgets who just logged in is a matter of sessions and their invalidation,
and apparently differs from Tomcat to OC4J.<br>
<br>
The solution has 2 steps:<br>
1.- You need to make a new session be created when the user requests
the login page. This can be done in several ways. A couple of them are<br>
a) Modifying the OpenCms code to insert a
"request.getSession(true)" line before you get the login page. This can
be done for instance inserting something like this into
org.opencms.main.OpenCmsCore, in the function "showResource(req,res)",
after initializing the resource and before checking if it's null:<br>
if ( "/system/login/index.html".equals( cms.getRequestContext().getUri() ) ) {<br>
    // if we ask for the login page, we generate a new empty session<br>
    req.getSession( true );<br>
}<br>
b) Creating a simple jsp that accesses the session
(either checking its id or again executing "request.getSession(true)")
and later redirects to the actual login page and forcing this jsp as
the startup page for logging in.<br>
2.- The session invalidation process at org.opencms.jsp.CmsJspLoginBean
must be changed from an invalidation to a simple cleaning of attributes
that simulates the impossibility of accessing session values. The
modified code would look like this:<br>
// make sure we have a new session after login for security reasons<br>
// Commented code begins<br>
/*<br>
session = getRequest().getSession(true);<br>
if (session != null) {<br>
    session.invalidate();<br>
}<br>
*/<br>
// Commented code ends<br>
session = getRequest().getSession(true);<br>
/* New code */<br>
// we remove the session attributes, making an alternate session invalidation<br>
java.util.Enumeration attributes = session.getAttributeNames();<br>
while( attributes.hasMoreElements() ) {<br>
    session.removeAttribute( (String) attributes.nextElement() );<br>
}<br>
/* New code ends */<br>
<br>
With these changes made, we managed to get the system working. This
solution was found by a skilled programmer and systems administrator
called Paco Mesa. We tested it in Firefox and IE, and both in OC4J
10.1.3 and Tomcat 5 and it works correctly.<br>
<br>
We hope this solution is useful to OpenCms developers and that Alkacon
staff consider including this or any equivalent solution into a future
release of OpenCms that could be used by more users.<br>
<br>
Greetings,<br>
<br>
Nacho.<br>
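
The following is an added example, not part of the original post and not OpenCms or OC4J code. It models the two login paths from step 2 with a constructed in-memory session table, to check the property the original "for security reasons" comment refers to: whether the session id issued before login is still accepted after login. All class, method and attribute names are hypothetical, and it assumes the original code continues in a fresh session after `invalidate()`.

```java
import java.util.*;

/** Constructed model of a container's session table (assumption, not OpenCms or OC4J code). */
public class SessionIdRotationCheck {
    /** Minimal stand-in for HttpSession: an id plus attributes. */
    static final class Session {
        final String id = UUID.randomUUID().toString();
        final Map<String, Object> attrs = new HashMap<>();
    }

    static final Map<String, Session> table = new HashMap<>();

    /** Like request.getSession(true): reuse the session for a known id, else create one. */
    static Session getSession(String cookieId) {
        Session s = cookieId == null ? null : table.get(cookieId);
        if (s == null) { s = new Session(); table.put(s.id, s); }
        return s;
    }

    /** Original behaviour: invalidate the old session, then continue in a fresh one. */
    static Session loginWithInvalidate(String cookieId, String user) {
        table.remove(getSession(cookieId).id);   // models session.invalidate()
        Session fresh = getSession(null);
        fresh.attrs.put("user", user);           // "user" is a hypothetical attribute key
        return fresh;
    }

    /** Patched behaviour from the post: keep the session, remove every attribute. */
    static Session loginWithAttributeClear(String cookieId, String user) {
        Session s = getSession(cookieId);
        s.attrs.clear();                         // models the removeAttribute() loop
        s.attrs.put("user", user);
        return s;
    }

    /** True if the id issued before login now resolves to an authenticated session. */
    static boolean preLoginIdStillAuthenticated(String preLoginId) {
        Session s = table.get(preLoginId);
        return s != null && s.attrs.containsKey("user");
    }

    public static void main(String[] args) {
        String idA = getSession(null).id;        // step 1: session created on the login page
        loginWithInvalidate(idA, "editor");
        System.out.println("invalidate:      pre-login id accepted = " + preLoginIdStillAuthenticated(idA));
        String idB = getSession(null).id;
        loginWithAttributeClear(idB, "editor");
        System.out.println("attribute clear: pre-login id accepted = " + preLoginIdStillAuthenticated(idB));
    }
}
```

On containers that implement Servlet 3.1 or later, `HttpServletRequest.changeSessionId()` rotates the id while keeping the session object, which avoids both the invalidation and the carried-over id.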