Merge branch 'bugfix/autologin-logout-6461'

fixes #6461
Marius Hein 2014-07-29 11:13:42 +02:00
commit 8f85a66e13
3 changed files with 16 additions and 65 deletions


@ -14,6 +14,7 @@ use Icinga\Exception\AuthenticationException;
use Icinga\Exception\NotReadableError; use Icinga\Exception\NotReadableError;
use Icinga\Exception\ConfigurationError; use Icinga\Exception\ConfigurationError;
use Icinga\User; use Icinga\User;
use Icinga\Web\Session;
use Icinga\Web\Url; use Icinga\Web\Url;
/** /**
@ -67,6 +68,9 @@ class AuthenticationController extends ActionController
$authenticated = $backend->authenticate($user); $authenticated = $backend->authenticate($user);
if ($authenticated === true) { if ($authenticated === true) {
$auth->setAuthenticated($user); $auth->setAuthenticated($user);
$session = Session::getSession()->getNamespace('authentication');
$session->set('is_remote_user', true);
$session->write();
$this->rerenderLayout()->redirectNow($redirectUrl); $this->rerenderLayout()->redirectNow($redirectUrl);
} }
} }
@ -131,9 +135,12 @@ class AuthenticationController extends ActionController
public function logoutAction() public function logoutAction()
{ {
$auth = $this->Auth(); $auth = $this->Auth();
$session = Session::getSession()->getNamespace('authentication');
$auth->removeAuthorization(); $auth->removeAuthorization();
if ($auth->isAuthenticatedFromRemoteUser()) { if ($session->get('is_remote_user', false) === true) {
$this->_helper->layout->setLayout('login'); $this->_helper->layout->setLayout('login');
$this->_response->setHttpResponseCode(401); $this->_response->setHttpResponseCode(401);
} else { } else {
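Review bot: The `is_remote_user` flag written on the remote-login path (`$session->set('is_remote_user', true); $session->write();` in the second hunk) is only ever set to true in the visible hunks — nothing resets it on a non-remote login and nothing in logoutAction clears it after it has been read, so unless removeAuthorization() discards the whole 'authentication' namespace (not visible here) a stale `true` would make a later form-authenticated user of the same session get the 401/login layout on logout. Writing the flag on every successful login closes that gap: `$session->set('is_remote_user', false);` followed by `$session->write();` in the form-login branch, and the same reset in logoutAction once `$session->get('is_remote_user', false)` has been evaluated. Reading the namespace after removeAuthorization() (third hunk) should also be checked against what that method does to the session, since the intended behaviour depends on the flag surviving it. logoutAction's body continues outside the hunk.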


@ -7,10 +7,7 @@
in every further request until the browser was closed. To allow logout and to allow the user to change the in every further request until the browser was closed. To allow logout and to allow the user to change the
logged-in user this JavaScript provides a workaround to force a new authentication prompt in most browsers. logged-in user this JavaScript provides a workaround to force a new authentication prompt in most browsers.
--> -->
<div class="content">
<div class="row">
<br/>
<div class="md-offset-3 col-md-6 col-sm-6 col-sm-offset-3">
<div class="alert alert-warning" id="logout-status"> <div class="alert alert-warning" id="logout-status">
<b> <?= t('Logging out...'); ?> </b> <br /> <b> <?= t('Logging out...'); ?> </b> <br />
<?= t( <?= t(
@ -19,37 +16,19 @@
'browser session.' 'browser session.'
); ?> ); ?>
</div> </div>
</div>
</div>
<div class="row">
<div class="col-md-4 col-md-offset-4 col-sm-6 col-sm-offset-3">
<div class="container" > <div class="container" >
<a class="button btn btn-cta form-control input-sm" href="<?= $this->href('dashboard/index'); ?>"> <?= t('Login'); ?></a> <a href="<?= $this->href('dashboard/index'); ?>"> <?= t('Login'); ?></a>
</div> </div>
</div> </div>
</div>
<script type="text/javascript"> <script type="text/javascript">
/** /**
* When JavaScript is available, trigger an XmlHTTPRequest with the non-existing user 'logout' and abort it * When JavaScript is available, trigger an XmlHTTPRequest with the non-existing user 'logout' and abort it
* before it is able to finish. This will cause the browser to show a new authentication prompt in the next * before it is able to finish. This will cause the browser to show a new authentication prompt in the next
* request. * request.
*/ */
window.onload = function () { $(document).ready(function() {
function getXMLHttpRequest() { msg = $('#logout-status');
var xmlhttp = null;
try {
if (window.XMLHttpRequest) {
xmlhttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
xmlhttp = new ActiveXObject('Microsoft.XMLHTTP');
}
} catch (e) {}
return xmlhttp;
}
var msg = document.getElementById('logout-status');
try { try {
if (navigator.userAgent.toLowerCase().indexOf('msie') !== -1) { if (navigator.userAgent.toLowerCase().indexOf('msie') !== -1) {
document.execCommand('ClearAuthenticationCache'); document.execCommand('ClearAuthenticationCache');
@ -60,13 +39,9 @@
xhttp.abort(); xhttp.abort();
} }
} catch (e) { } catch (e) {
msg.innerHTML = '<?= t(
'Logout not possible, it may be necessary to quit the session manually ' .
'by clearing the cache, or closing the current browser session. Error: '
);?>' + ': ' + e.getMessage() ;
msg.setAttribute('class', 'alert alert-danger');
} }
msg.innerHTML = '<?= t('Logout successful!'); ?>'; msg.html('<?= t('Logout successful!'); ?>');
msg.setAttribute('class', 'alert alert-success'); msg.removeClass();
}; msg.addClass('alert alert-success');
});
</script> </script>
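Review bot: The catch block on the new side (`} catch (e) { }` in the last hunk) now swallows every failure, and `msg.html('<?= t('Logout successful!'); ?>')` with the `alert alert-success` class is applied unconditionally afterwards, so a user whose browser did not actually drop the cached credentials is still told the logout succeeded (the old code had the same overwrite, its error text being replaced right after the catch). Since the purpose of this page is to make the credential drop observable, the failure should be reported with `alert alert-danger` and the success message only reached when the try block completes. `msg = $('#logout-status');` also lacks `var` and so creates an implicit global; `var msg = $('#logout-status');` keeps it local to the ready handler. The try block starts in the earlier hunk and its middle is outside SOURCE.
```php
} catch (e) {
    msg.html('<?= t('Logout not possible, it may be necessary to quit the session manually by clearing the cache, or closing the current browser session.'); ?>');
    msg.removeClass();
    msg.addClass('alert alert-danger');
    return;
}
msg.html('<?= t('Logout successful!'); ?>');
msg.removeClass();
msg.addClass('alert alert-success');
```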


@ -204,35 +204,4 @@ class Manager
{ {
return $this->user->getGroups(); return $this->user->getGroups();
} }
/**
* Tries to authenticate the user from the session, and then from the REMOTE_USER superglobal, that can be set by
* an external authentication provider.
*/
public function authenticateFromRemoteUser()
{
if (array_key_exists('REMOTE_USER', $_SERVER)) {
$this->fromRemoteUser = true;
}
$this->authenticateFromSession();
if ($this->user !== null) {
if (array_key_exists('REMOTE_USER', $_SERVER) && $this->user->getUsername() !== $_SERVER["REMOTE_USER"]) {
// Remote user has changed, clear all sessions
$this->removeAuthorization();
}
return;
}
if (array_key_exists('REMOTE_USER', $_SERVER) && $_SERVER["REMOTE_USER"]) {
$this->user = new User($_SERVER["REMOTE_USER"]);
$this->persistCurrentUser();
}
}
/**
* If the session was established from the REMOTE_USER server variable.
*/
public function isAuthenticatedFromRemoteUser()
{
return $this->fromRemoteUser;
}
} }