- Timestamp:
- 2020-04-16T08:03:25+12:00 (4 years ago)
- File:
-
- 1 edited
main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java
r33993 r34103 93 93 protected Hashtable<String, UserTimer> verifiedUserMap = null; 94 94 // timeouts are in millisecs 95 // this is for if we have verify=once set in collectionConfig - the user will stay 96 // verified for 24 hours 95 97 protected static final int verifiedUserTimeout = 24 * 60 * 60 * 1000; 96 protected static final int tempUserTimeout = 5 * 1000; 98 // this is a per document timeout - Chrome may make several requests to fetch a fastview pdf, 99 // plus another one if the user clicks download. Need to keep a record for a verified document 100 // so it can be fuly viewed and downloaded - get a network error if end up back at verification page. 101 // the user stays verified for the document for 2 hours. 102 protected static final int tempUserTimeout = 2 * 60 * 60 * 1000; 97 103 98 104 public void init(FilterConfig filterConfig) throws ServletException … … 125 131 // this is the part before the ? 126 132 String url = hRequest.getRequestURI().toString(); 127 if (isURLRestricted(url)) {133 if (isURLRestricted(url)) { 128 134 129 135 // TODO - should we make this a proper HTML page? … … 131 137 return; 132 138 } 133 139 140 134 141 // Run security checks on files requested from a collection's index/assoc folder 135 142 if (url.contains(ASSOCIATED_FILE_PATH)) { … … 427 434 String session_id = session.getId(); 428 435 ServletContext context = session.getServletContext(); 429 logger.info("securityCheck, session id = "+session_id+", url = "+url); 436 430 437 // now we need to get library name from the path, which is like 431 438 // /greenstone3/library/sites/localsite/collect/collname/index/assoc/... 
… … 442 449 443 450 if (gsRouter == null) { 444 logger.error(" Receptionistis null, stopping filter");451 logger.error("MR is null, stopping filter"); 445 452 return; 446 453 } … … 536 543 Element metadata_list = (Element)meta_response.getElementsByTagName(GSXML.METADATA_ELEM+GSXML.LIST_MODIFIER).item(0); 537 544 String srcdoc = GSXML.getMetadataValue(metadata_list, "srclinkFile"); 538 if (!srcdoc.equals(file_name)) { 545 //logger.debug("srcdoc="+srcdoc+", filename="+file_name+", %20 decoded filename="+file_name.replaceAll("\\%20|\\+", " ")); 546 // If file_name is the main file for the document, then it will == srcdoc. Both of these are URL encoded, with the exception of spaces. Spaces will be encoded in file_name, but are not encoded in srcdoc. So need to decode those and check again. 547 // srcdoc.equals(java.net.URLDecoder.decode(file_name, "UTF-8")) - this didn't work as both are URLEncoded except for spaces 548 if (!srcdoc.equals(file_name) && !srcdoc.equals(file_name.replaceAll("\\%20|\\+", " "))){ 539 549 // the specified file is just a supporting file, not the main file. 540 550 // eg an image in an html doc. … … 573 583 // we are asking for the main document, and we have been asked to verify the user 574 584 // have we done the test previously? 
585 String verify_map_key = session_id + ":"+collection; 586 String verify_map_doc_key = verify_map_key + ":" + file_name; 575 587 boolean already_verified = false; 576 588 String hmvf_response = request.getParameter(GSParams.VERIFIED); … … 578 590 // manually force the t&c (user has added hmvf=0 to url) 579 591 // whether we have previously verified or not 580 } else if (verifiedUserMap.containsKey( session_id)) {592 } else if (verifiedUserMap.containsKey(verify_map_key) || verifiedUserMap.containsKey(verify_map_doc_key)) { 581 593 already_verified = true; 582 594 } … … 592 604 if (result == Authentication.NO_ERROR) { 593 605 already_verified = true; 594 595 606 } else { 596 607 logger.error("something went wrong with recaptcha, error="+result); … … 601 612 return; 602 613 } 603 604 605 606 614 } 607 615 already_verified = true; 608 616 // set up a timer for this verification - standard 24hour if 609 // verify==once, 5 secotherwise (browsers seem to be trying to617 // verify==once, short, doc specific one otherwise (browsers seem to be trying to 610 618 // download prfs twice. Chrome gets stuck if the second time 611 // doesn't get verified) 619 // doesn't get verified. Also Chrome sends a second request if the 620 // user tries to download the document after viewing it. ) 612 621 int delay; 622 String this_key; 613 623 if (verify.equals("once")) { 614 624 delay = verifiedUserTimeout; 625 this_key = verify_map_key; 615 626 } else { 616 627 delay = tempUserTimeout; 628 this_key = verify_map_doc_key; 617 629 } 618 UserTimer timer = new UserTimer(delay, session_id);619 verifiedUserMap.put( session_id, timer);630 UserTimer timer = new UserTimer(delay, this_key); 631 verifiedUserMap.put(this_key, timer); 620 632 timer.start(); 621 633 // For the verify page, we just return back to the browser, as we have called this 634 // using ajax. 
635 return; 622 636 623 637 } // hmvf = 1 … … 628 642 // or we have been asked to force the T&C 629 643 // we need to display the verify page 630 logger.info("displaying verify page for url " + url);631 String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=verify&c="+collection+"&url="+url;644 //Lets encode the url parameter as we need it encoded in the page. 645 String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=verify&c="+collection+"&url="+java.net.URLEncoder.encode(url, "UTF-8"); 632 646 ((HttpServletResponse)response).sendRedirect(new_url); 633 647 return; … … 636 650 }// end if verifiable file 637 651 638 logger.info("have passed security checks");639 652 // if we got here, we have passed all security checks and just want to view the file. 640 653 // However, we need to remove the library_name from the URL. As can't change the … … 645 658 url = url.replaceFirst(context.getContextPath(), ""); 646 659 url = url.replaceFirst("/"+library_name, ""); 647 logger.info("forwarding to url"+url);660 //logger.info("forwarding to "+url); 648 661 request.getRequestDispatcher(url).forward(request, response); 649 662
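Review bot: The new per-document key `verify_map_doc_key` is built from the raw `file_name`, while the srcdoc comparison a few lines earlier in this same section acknowledges that `file_name` can arrive with spaces encoded as `%20` or `+`; the same document fetched twice under different encodings (the viewer request and the download request the comment describes) therefore gets two distinct keys and the second request misses the cache and lands back on the verify page. Normalise the key the same way the comparison does, e.g. `String verify_map_doc_key = verify_map_key + ":" + file_name.replaceAll("\\%20|\\+", " ");`, so the key and the srcdoc check agree on one canonical form (note that `+` is only a space in query-string encoding, so a literal `+` in a path name would also be folded — worth confirming against the existing comparison behaviour). In the redirect that now encodes `url`, `collection` is still concatenated unencoded into `new_url`; encoding it the same way keeps the query string well-formed for collection names with reserved characters. The enclosing securityCheck method starts and ends outside the shown hunks.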