fixed bug 39919: session leaked after password reset from login window
authorAsier Lostalé <asier.lostale@openbravo.com>
Fri, 11 Jan 2019 09:54:50 +0100
changeset 35309 9a417375877c
parent 35308 3ba9aeac5440
child 35310 0c885bc2fcec
fixed bug 39919: session leaked after password reset from login window

When the password was detected to be expired during the login process, a new active
session was created. After the password was reset, this session was leaked and a new
one was created.

Now login process creates an inactive failed session when password is expired.
src/org/openbravo/authentication/AuthenticationManager.java
src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
--- a/src/org/openbravo/authentication/AuthenticationManager.java	Thu Jan 10 12:24:54 2019 +0100
+++ b/src/org/openbravo/authentication/AuthenticationManager.java	Fri Jan 11 09:54:50 2019 +0100
@@ -1,6 +1,6 @@
 /*
  ************************************************************************************
- * Copyright (C) 2001-2018 Openbravo S.L.U.
+ * Copyright (C) 2001-2019 Openbravo S.L.U.
  * Licensed under the Apache Software License version 2.0
  * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
  * Unless required by applicable law or agreed to  in writing,  software  distributed
@@ -62,7 +62,7 @@
   private static final String SUCCESS_SESSION_WEB_SERVICE = "WS";
   private static final String REJECTED_SESSION_WEB_SERVICE = "WSR";
   private static final String SUCCESS_SESSION_CONNECTOR = "WSC";
-  private static final String FAILED_SESSION = "F";
+  protected static final String FAILED_SESSION = "F";
 
   protected static final String LOGIN_PARAM = "user";
   protected static final String PASSWORD_PARAM = "password";
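Review bot: `FAILED_SESSION` becomes visible to every subclass of AuthenticationManager here, while the neighbouring status constants stay private and none of them says what the value means. Since subclasses can now pass it to session-status updates, a short Javadoc would help, for example `/** Session status for a login attempt that did not produce an active session. */`. If the other status constants are meant to stay internal, it is worth saying so next to them, so that the widened visibility reads as deliberate rather than as an inconsistency.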
--- a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java	Thu Jan 10 12:24:54 2019 +0100
+++ b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java	Fri Jan 11 09:54:50 2019 +0100
@@ -1,6 +1,6 @@
 /*
  ************************************************************************************
- * Copyright (C) 2001-2017 Openbravo S.L.U.
+ * Copyright (C) 2001-2019 Openbravo S.L.U.
  * Licensed under the Apache Software License version 2.0
  * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
  * Unless required by applicable law or agreed to  in writing,  software  distributed
@@ -149,7 +149,12 @@
 
     vars.setSessionValue("#AD_User_ID", userId);
 
-    checkIfPasswordExpired(userId, variables.getLanguage());
+    try {
+      checkIfPasswordExpired(userId, variables.getLanguage());
+    } catch (AuthenticationExpirationPasswordException e) {
+      updateDBSession(sessionId, false, FAILED_SESSION);
+      throw e;
+    }
 
     // Using the Servlet API instead of vars.setSessionValue to avoid breaking code
     // vars.setSessionValue always transform the key to upper-case
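Review bot: The new catch block records an expired-password login with the same `FAILED_SESSION` status as a rejected login, although the expiry check presumably runs only after the credentials were accepted. If failed-session rows feed lockout counters or brute-force alerting (not visible in this hunk), a user who only needs to reset a password would be counted as a failed attempt. A comment such as `// password expired: mark the session inactive so it is not leaked; this is not a bad-credentials failure` would record the intent, and a distinct status may be worth considering. Separately, `vars.setSessionValue("#AD_User_ID", userId)` runs before the check, so the HTTP session still carries the user id when the exception propagates; whether the caller clears it cannot be seen here. The enclosing method starts and ends outside the hunk.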