Ravi Nori has posted comments on this change.

Change subject: restapi : don't set jsessionid cookie when authentication fails(#927140)
......................................................................

Patch Set 2: (2 inline comments)

....................................................
File backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
Line 168 Line 169 Line 170 Line 171 Line 172
If we create a new session before authentication succeeds the jsession id will be returned to the user even if authentication fails. I could not find a way to remove jsession id from a new session on authentication failure.

Line 169: /*
Line 170: * This method executes the basic authentication, and returns true whether it was successful and false otherwise.
Line 171: * It also sets the logged-in principal and the challenger object in the Current object
Line 172: */
Line 173: private boolean executeBasicAuthentication(HttpHeaders headers, String engineSessionId, boolean preferPersistentAuth) {
Hi Michael, it is being passed to validator.validate(principal, engineSessionId). I will take a look at how it is used.

Line 174: boolean successful = false;
Line 175: List<String> auth = headers.getRequestHeader(HttpHeaders.AUTHORIZATION);
Line 176: if (auth != null && auth.size() != 0) {
Line 177: Principal principal = scheme.decode(headers);

--
To view, visit http://gerrit.ovirt.org/13371

Gerrit-MessageType: comment
Gerrit-Change-Id: I84907ab56e99ebb875124f42345d691edad3cdbe
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rn...@redhat.com>
Gerrit-Reviewer: Michael Pasternak <mpast...@redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com>
Gerrit-Reviewer: Ravi Nori <rn...@redhat.com>
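
The ordering discussed in the first inline comment, as an added example that is not part of the original message or of the ovirt-engine code: a servlet filter that looks up sessions with `getSession(false)` and calls `getSession(true)` only after Basic authentication succeeds, so a failed attempt never gets a JSESSIONID. The class name, the `user` attribute, the realm and the demo credentials are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not oVirt code: create the HTTP session only after Basic auth succeeds.
public class AuthFirstFilter implements Filter {
    // Constructed demo credentials; a real filter delegates to its identity backend.
    private static final String DEMO_USER = "demo";
    private static final byte[] DEMO_PASS = "constructed-password".getBytes(StandardCharsets.UTF_8);

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // getSession(false) only looks up; it never creates a session or a cookie.
        HttpSession existing = req.getSession(false);
        if (existing == null || existing.getAttribute("user") == null) {
            String user = authenticate(req.getHeader("Authorization"));
            if (user == null) {
                // No session was created on this path, so the 401 carries no JSESSIONID.
                res.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Authentication succeeded: only now may the container issue a session id.
            req.getSession(true).setAttribute("user", user);
        }
        chain.doFilter(rq, rs);
    }

    // Returns the user name when the Basic credentials verify, null otherwise.
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String[] parts = new String(raw, StandardCharsets.UTF_8).split(":", 2);
            boolean ok = parts.length == 2 && DEMO_USER.equals(parts[0])
                    && MessageDigest.isEqual(DEMO_PASS, parts[1].getBytes(StandardCharsets.UTF_8));
            return ok ? parts[0] : null;
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 counts as a failed authentication
        }
    }
}
```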