
dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 5627: updated to spring 3.1 xsds in security.xml, also set default session timeout to 1 hour to handle ...

 

------------------------------------------------------------
revno: 5627
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2011-12-27 14:25:50 +0100
message:
  updated to spring 3.1 xsds in security.xml, also set default session timeout to 1 hour to handle mobile client where datainput can take some time (and data is lost if the session times out)
modified:
  dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml
  dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/DefaultAuthenticationSuccessHandler.java
  dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml	2011-07-02 11:06:16 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml	2011-12-27 13:25:50 +0000
@@ -1,9 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-  xmlns:aop="http://www.springframework.org/schema/aop"; xmlns:sec="http://www.springframework.org/schema/security";
-  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-      http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
-      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd";>
+  xmlns:sec="http://www.springframework.org/schema/security";
+  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd";>
 
   <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
   <bean id="usernameSaltSource" class="org.hisp.dhis.security.DefaultUsernameSaltSource" />
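Review bot: The context line at the end of this hunk still wires `Md5PasswordEncoder` as the `passwordEncoder` bean, with a salt source that by its name derives from the username, and the commit leaves that untouched while moving the file to the 3.1 schemas. A single MD5 round is fast enough that a leaked user table can be brute-forced offline, and a username-derived salt is predictable. If the Spring Security jars are 3.1, as the schema bump suggests, `org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder` should be available as a replacement. Existing hashes would have to be re-encoded when each user next logs in, so this needs a migration step rather than a one-line swap. At minimum I would add an XML comment above the bean recording that the encoder is legacy and due for replacement.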

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/DefaultAuthenticationSuccessHandler.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/DefaultAuthenticationSuccessHandler.java	2011-12-26 10:07:59 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/DefaultAuthenticationSuccessHandler.java	2011-12-27 13:25:50 +0000
@@ -27,32 +27,40 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-import java.io.IOException;
+import org.hisp.dhis.security.intercept.LoginInterceptor;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
-import org.hisp.dhis.security.intercept.LoginInterceptor;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
 
 /**
  * Since ActionContext is not available at this point, we set a mark in the
  * session that signales that login has just occured, and that LoginInterceptor
  * should be run.
- * 
+ *
  * @author mortenoh
  */
 public class DefaultAuthenticationSuccessHandler
     extends SavedRequestAwareAuthenticationSuccessHandler
 {
+    // default is 1 hour of inactivity, this is mostly for when we are using the mobile
+    // client, since entering data can take time, and data will be lost of the session
+    // times out while entering data.
+    public static int DEFAULT_SESSION_TIMEOUT = 60 * 60;
+
     @Override
     public void onAuthenticationSuccess( HttpServletRequest request, HttpServletResponse response,
-        Authentication authentication )
+                                         Authentication authentication )
         throws ServletException, IOException
     {
-        request.getSession().setAttribute( LoginInterceptor.JLI_SESSION_VARIABLE, Boolean.TRUE );
+        HttpSession session = request.getSession();
+
+        session.setAttribute( LoginInterceptor.JLI_SESSION_VARIABLE, Boolean.TRUE );
+        session.setMaxInactiveInterval( DefaultAuthenticationSuccessHandler.DEFAULT_SESSION_TIMEOUT );
 
         super.onAuthenticationSuccess( request, response, authentication );
     }
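Review bot: `DEFAULT_SESSION_TIMEOUT` is declared `public static int` without `final`, so any class can reassign it at runtime and silently change the inactivity timeout applied to every later login; it should be `public static final int DEFAULT_SESSION_TIMEOUT = 60 * 60;`. The value is also applied unconditionally in `onAuthenticationSuccess`, so every session gets the same one-hour idle window as the mobile client named in the comment, which lengthens the time an unattended or stolen session stays usable. Consider exposing the timeout as an injectable bean property, or applying it only to mobile logins, so deployments can choose a shorter value. The comment above the field should read "data will be lost if the session times out". The class body continues past the end of this hunk.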

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2011-12-23 12:21:18 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2011-12-27 13:25:50 +0000
@@ -2,8 +2,8 @@
 <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:sec="http://www.springframework.org/schema/security";
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
        xsi:schemaLocation="
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd";>
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd";>
 
   <bean id="mappedRedirectStrategy" class="org.hisp.dhis.security.MappedRedirectStrategy">
     <property name="redirectMap">
@@ -35,10 +35,10 @@
     <sec:intercept-url pattern="/dhis-web-commons/javascripts/**" filters="none" />
     <sec:intercept-url pattern="/dhis-web-commons/css/**" filters="none" />
     <sec:intercept-url pattern="/favicon.ico" filters="none" />
-<!--
-    <sec:intercept-url pattern="/api*" access="hasRole('F_WEBAPI_READ')" />
-    <sec:intercept-url pattern="/api/**" access="hasRole('F_WEBAPI_READ')" />
--->
+    <!--
+        <sec:intercept-url pattern="/api*" access="hasRole('F_WEBAPI_READ')" />
+        <sec:intercept-url pattern="/api/**" access="hasRole('F_WEBAPI_READ')" />
+    -->
     <sec:intercept-url pattern="/**" access="isAuthenticated()" />
 
     <sec:custom-filter ref="automaticAccessFilter" before="LOGOUT_FILTER" />
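Review bot: The three `filters="none"` rules kept as context at the top of this hunk are not migrated along with the schema bump to 3.1. As far as I know, the Spring Security 3.1 namespace parser rejects `filters="none"` on `intercept-url` and expects a separate element such as `<sec:http pattern="/favicon.ico" security="none" />` for each excluded path. If so, the application context may fail to load once the 3.1 jars are on the classpath, which is worth confirming against the version actually deployed. Separately, the `/api*` and `/api/**` rules stay commented out, leaving those paths covered only by the `isAuthenticated()` catch-all; an XML comment stating why the `F_WEBAPI_READ` check is disabled would help the next reader. The enclosing element starts and ends outside the hunk.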