fixed bug 38079: row created in ad_session opening openbravo base url
author Asier Lostalé <asier.lostale@openbravo.com>
Thu, 08 Mar 2018 12:43:49 +0100
changeset 33656 6d6a3a710fd2
parent 33655 47ea594cdcbb
child 33657 cbec1a26a9f4
fixed bug 38079: row created in ad_session opening openbravo base url

When serving index.jsp after having served login page in the same browser a
new row in ad_session was created.

Login page creates a new HttpSession without corresponding ad_session row,
index.jsp detected this session and invoked AuthenticationManager's authenticate
method without user/password creating in this flow that row. Authenticate is
invoked for the case a valid session is already present.

This case is now covered by ensuring in case there is a HttpSession it also
has an ad_session before invoking authenticate. If HttpSession is present but
there is no ad_session, the flow stops.
src/index.jsp
--- a/src/index.jsp	Thu Mar 08 15:45:10 2018 +0000
+++ b/src/index.jsp	Thu Mar 08 12:43:49 2018 +0100
@@ -39,7 +39,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2011-2017 Openbravo SLU
+ * All portions are Copyright (C) 2011-2018 Openbravo SLU
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -48,9 +48,10 @@
 Logger log = Logger.getLogger(org.openbravo.authentication.AuthenticationManager.class); 
 
 HttpSession currentSession = request.getSession(false);
+boolean adSessionPresent = currentSession != null && currentSession.getAttribute("#AD_SESSION_ID") != null;
 
 AuthenticationManager authManager = AuthenticationManager.getAuthenticationManager(this);
-if (currentSession == null) {
+if (!adSessionPresent) {
   response.sendRedirect(authManager.getLoginURL(request));
   return;
 }
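Review bot: the new adSessionPresent check added after request.getSession(false) hard-codes the "#AD_SESSION_ID" attribute name and only tests it for non-null, so an attribute holding an empty value would still pass. Consider reusing a shared constant for the attribute name if the code base has one, and rejecting an empty value as well. A short comment above `if (!adSessionPresent) {` would also help, since that branch now covers two cases (no HttpSession at all, and an HttpSession with no ad_session attribute) that both redirect to authManager.getLoginURL(request).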