This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new d60bf15 Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047) d60bf15 is described below commit d60bf1574bbf49aa99b0358b2b4a45a0fec71717 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sat Feb 13 12:29:02 2021 +0100 Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047) After some small study, it seem there is a problem because login request not require authentication I have tried to add a test to check if current request is login and only if it's not to remove PREVIOUS_REQUEST Session Attribute, it seem better with this modification. Thanks: Olivier for the patch and Michael for suggesting to parameterize using a property. I simply used EntityUtilProperties.getPropertyValue instead of UtilProperties.getPropertyValue
---
 framework/security/config/security.properties | 6 +++++-
 .../org/apache/ofbiz/webapp/control/RequestHandler.java | 13 +++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 702971a..2981e11 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -232,4 +232,8 @@ allowAllUploads=
 #-- Popup last-visited time from database after user has logged in.
 #-- So users can know of any unauthorised access to their accounts.
 #-- Default is true.
-afterlogin.lastvisit.show=
\ No newline at end of file
+afterlogin.lastvisit.show=
+
+#-- uri used for login (cf jira OFBIZ-12047)
+#-- it's a list, each uri should be separated by comma, without space
+login.uris=login
\ No newline at end of file
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 6b2c08a..46ed743 100644
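Review bot: The two comment lines above `login.uris` describe the value's format but not its effect, and the effect is security-relevant: going by the RequestHandler.java hunk in this commit, a request whose URI is in this list keeps the `_PREVIOUS_REQUEST_` session attribute instead of having it cleared. I would add a line such as `#-- Requests to these URIs keep the _PREVIOUS_REQUEST_ session attribute; other non-authenticated requests clear it.` so that nobody extends the list without knowing that. It would also help to state the behaviour when the value is empty, which from the Java side appears to be that the attribute is cleared on every such request.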
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -630,8 +630,17 @@ public final class RequestHandler {
 }
 }
 } else {
- // Remove previous request attribute on navigation to non-authenticated request
- request.getSession().removeAttribute("_PREVIOUS_REQUEST_");
+ String[] loginUris = EntityUtilProperties.getPropertyValue("security", "login.uris", delegator).split(",");
+ boolean removePreviousRequest = true;
+ for (int i = 0; i < loginUris.length; i++) {
+ if (requestUri.equals(loginUris[i])) {
+ removePreviousRequest = false;
+ }
+ }
+ if (removePreviousRequest) {
+ // Remove previous request attribute on navigation to non-authenticated request
+ request.getSession().removeAttribute("_PREVIOUS_REQUEST_");
+ }
 }

 if (request.getAttribute("targetRequestUri") == null) {
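Review bot: The comparison `requestUri.equals(loginUris[i])` runs against the raw tokens from `split(",")`, so a configured value such as `login, logout` silently fails to match its second entry and `_PREVIOUS_REQUEST_` is cleared on that page again, which is the behaviour this commit sets out to stop. Trimming the entries removes the dependency on the "without space" rule in security.properties and also replaces the flag-and-loop, which keeps iterating after a match: `boolean removePreviousRequest = Arrays.stream(loginUris).map(String::trim).noneMatch(requestUri::equals);` (this needs `java.util.Arrays` if the file does not already import it). The property is also looked up and split on every request that reaches this `else` branch; if that lookup is not cached further down, parsing the list once would be cheaper. The enclosing method starts and ends outside the hunk, so where `requestUri` and `delegator` come from is not visible here.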