Question

I have set the session timeout of both Alfresco and Share to 60 minutes in their web.xml files.

My scenario is:

  1. When I want to start a workflow on the Start Workflow page, I fill in all the necessary data but do not click the "Start Workflow" button.
  2. After the session times out, I click the "Start Workflow" button.
  3. The first time, an authentication box opens and requests a username and password.
  4. I fill in the username and password of another user.
  5. It starts a workflow as that other authenticated user.
  6. On later session timeouts, it does not show the authentication box, but acts as the previously authenticated user.

So why does this happen? Is it because of a cookie?

Currently four cookies are used, namely alfLogin, alfUsername2, JSESSIONID and _alfTest. When the user logs out, only the alfUsername2 cookie is deleted and the others remain. The alfLogin and alfUsername2 cookies expire after 7 days, and the other cookies depend on the session.

Can an Alfresco web script still be used after session timeout? If so, how can I avoid this condition?

Solution

Although I have to answer my own question, I just want to share my result. I had to trace a lot, but the answer is simple.

Firstly, it is not because of a cookie.

This answer applies not only to clicking the "Start Workflow" button but also to any call to an Alfresco webscript after session timeout in Share.

All calls to Alfresco webscripts are made through EndPointProxyController, specifically org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController in spring-webscripts-1.0.0-sources.jar.

In the handleRequestInternal method, if there is no session and basicHttpAuthChallenge is true, the basic authentication box is shown, as below.

    else if (this.basicHttpAuthChallenge || descriptor.getBasicAuth())
    {
        // check for HTTP authorisation request (i.e. RSS feeds, direct links etc.)
        String authorization = req.getHeader("Authorization");
        if (authorization == null || authorization.length() == 0)
        {
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED,
                    "No USER_ID found in session and requested endpoint requires authentication.");
            res.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");

            // no further processing as authentication is required but not provided
            // the browser will now prompt the user for appropriate credentials
            return null;
        }
        else
        {
            // other coding
        }
    }

We can avoid this condition as follows: in the endpointController bean of slingshot-application-context.xml, change basicHttpAuthChallenge to false, like this:

    <!-- Override EndPointProxyController to enable Basic HTTP auth challenge on 401 response -->
    <bean id="endpointController" class="org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController">
       <property name="cacheSeconds" value="-1" />
       <property name="useExpiresHeader"><value>true</value></property>
       <property name="useCacheControlHeader"><value>true</value></property>
       <property name="configService" ref="web.config" />
       <property name="connectorService" ref="connector.service" />
       <property name="supportedMethods"><null/></property>
       <property name="basicHttpAuthChallenge"><value>false</value></property>
    </bean>
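
A config check for the setting the answer changes, as an added example that is not part of the original answer or of Alfresco's code: it parses a Spring context file and reports whether each EndPointProxyController bean has basicHttpAuthChallenge enabled. The function names, result labels and sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PROXY_CLASS = "org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController"
TRUE_WORDS = {"true", "on", "yes", "1"}    # spellings Spring's boolean editor accepts
FALSE_WORDS = {"false", "off", "no", "0"}

# Constructed sample: the bean from the answer, with the challenge still enabled.
SAMPLE_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans">
   <bean id="endpointController" class="org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController">
      <property name="basicHttpAuthChallenge"><value>true</value></property>
   </bean>
</beans>"""


def _local(tag):
    """Strip an XML namespace so files with and without xmlns both match."""
    return tag.rsplit("}", 1)[-1]


def _property_value(prop):
    """Read a Spring property given as value="..." or as a nested <value>."""
    if prop.get("value") is not None:
        return prop.get("value").strip()
    for child in prop:
        if _local(child.tag) == "value":
            return (child.text or "").strip()
    return None


def audit_basic_challenge(context_xml):
    """Map each proxy controller bean id to enabled, disabled, unknown or unset."""
    findings = {}
    for bean in ET.fromstring(context_xml).iter():
        if _local(bean.tag) != "bean" or bean.get("class") != PROXY_CLASS:
            continue
        state = "unset"  # property absent: the class default applies (not asserted here)
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "basicHttpAuthChallenge":
                value = (_property_value(prop) or "").lower()
                state = "enabled" if value in TRUE_WORDS else "disabled" if value in FALSE_WORDS else "unknown"
        findings[bean.get("id", "<anonymous>")] = state
    return findings


if __name__ == "__main__":
    xml_text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONTEXT
    for bean_id, state in audit_basic_challenge(xml_text).items():
        print(f"{bean_id}: basicHttpAuthChallenge {state}")
```

Per the condition in the excerpt above, an endpoint whose descriptor returns true from getBasicAuth() still triggers the challenge even when this property is false.
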
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow