Changeset 34103


Ignore:
Timestamp:
2020-04-16T08:03:25+12:00 (17 months ago)
Author:
kjdon
Message:

a couple small modifications. when comparing srcdoc with filename - to see if the requested file is the main document or a supporting html image, we need to decode %20 to space - the filename coming from the browser will be URL encoded including spaces, but the srcfileLink in collection is url encoded but not the spaces. (why??). secondly, for fast view pdfs, chrome's pdf viewer may make several requests to get the doc for viewing. And then it makes another one for downloading. the verification is now done via ajax, and once that returns, then the page redirects to the pdf file. So we just return if we have successfully verified. We need to keep a short timer for that document so the browser can make more requests and not have to verify it. currently set to 2 hours.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java

    r33993 r34103  
    9393  protected Hashtable<String, UserTimer> verifiedUserMap = null;
    9494    // timeouts are in millisecs
     95    // this is for if we have verify=once set in collectionConfig - the user will stay
     96    // verified for 24 hours
    9597  protected static final int verifiedUserTimeout = 24 * 60 * 60 * 1000;
    96     protected static final int tempUserTimeout = 5 * 1000;
     98    // this is a per document timeout - Chrome may make several requests to fetch a fastview pdf,
     99    // plus another one if the user clicks download. Need to keep a record for a verified document
     100    // so it can be fuly viewed and downloaded - get a network error if end up back at verification page.
     101    // the user stays verified for the document for 2 hours.
     102    protected static final int tempUserTimeout = 2 * 60 * 60 * 1000;
    97103 
    98104  public void init(FilterConfig filterConfig) throws ServletException
     
    125131    // this is the part before the ?
    126132    String url = hRequest.getRequestURI().toString();
    127     if (isURLRestricted(url)) {
     133     if (isURLRestricted(url)) {
    128134     
    129135      // TODO - should we make this a proper HTML page?
     
    131137      return;
    132138    }
    133      
     139
     140
    134141    // Run security checks on files requested from a collection's index/assoc folder
    135142    if (url.contains(ASSOCIATED_FILE_PATH)) {
     
    427434    String session_id = session.getId();
    428435    ServletContext context = session.getServletContext();
    429     logger.info("securityCheck, session id = "+session_id+", url = "+url);
     436
    430437        // now we need to get library name from the path, which is like
    431438    // /greenstone3/library/sites/localsite/collect/collname/index/assoc/...
     
    442449               
    443450    if (gsRouter == null) { 
    444       logger.error("Receptionist is null, stopping filter");
     451      logger.error("MR is null, stopping filter");
    445452      return;
    446453    }
     
    536543    Element metadata_list = (Element)meta_response.getElementsByTagName(GSXML.METADATA_ELEM+GSXML.LIST_MODIFIER).item(0);
    537544    String srcdoc = GSXML.getMetadataValue(metadata_list, "srclinkFile");
    538     if (!srcdoc.equals(file_name)) {
     545    //logger.debug("srcdoc="+srcdoc+", filename="+file_name+", %20 decoded filename="+file_name.replaceAll("\\%20|\\+", " "));
     546    // If file_name is the main file for the document, then it will == srcdoc. Both of these are URL encoded, with the exception of spaces. Spaces will be encoded in file_name, but are not encoded in srcdoc. So need to decode those and check again.
     547    // srcdoc.equals(java.net.URLDecoder.decode(file_name, "UTF-8")) - this didn't work as both are URLEncoded except for spaces
     548    if (!srcdoc.equals(file_name) && !srcdoc.equals(file_name.replaceAll("\\%20|\\+", " "))){
    539549      // the specified file is just a supporting file, not the main file.
    540550      // eg an image in an html doc.
     
    573583      // we are asking for the main document, and we have been asked to verify the user
    574584      // have we done the test previously?
     585          String verify_map_key = session_id + ":"+collection;
     586          String verify_map_doc_key = verify_map_key + ":" + file_name;
    575587      boolean already_verified = false;
    576588      String hmvf_response = request.getParameter(GSParams.VERIFIED);
     
    578590          // manually force the t&c (user has added hmvf=0 to url)
    579591          // whether we have previously verified or not
    580       } else if (verifiedUserMap.containsKey(session_id)) {
     592      } else if (verifiedUserMap.containsKey(verify_map_key) || verifiedUserMap.containsKey(verify_map_doc_key)) {
    581593          already_verified = true;
    582594      }
     
    592604          if (result == Authentication.NO_ERROR) {
    593605            already_verified = true;
    594            
    595606          } else {
    596607            logger.error("something went wrong with recaptcha, error="+result);
     
    601612            return;
    602613          }
    603            
    604            
    605          
    606614        }
    607615        already_verified = true;
    608616        // set up a timer for this verification - standard 24hour if
    609         // verify==once, 5 sec otherwise (browsers seem to be trying to
     617        // verify==once, short, doc specific one otherwise (browsers seem to be trying to
    610618        // download prfs twice. Chrome gets stuck if the second time
    611         // doesn't get verified)
     619        // doesn't get verified. Also Chrome sends a second request if the
     620        // user tries to download the document after viewing it. )
    612621        int delay;
     622        String this_key;
    613623        if (verify.equals("once")) {
    614624            delay = verifiedUserTimeout;
     625            this_key = verify_map_key;
    615626        } else {
    616627            delay = tempUserTimeout;
     628            this_key = verify_map_doc_key;
    617629        }
    618         UserTimer timer = new UserTimer(delay, session_id);
    619         verifiedUserMap.put(session_id, timer);
     630        UserTimer timer = new UserTimer(delay, this_key);
     631        verifiedUserMap.put(this_key, timer);
    620632        timer.start();
    621        
     633        // For the verify page, we just return back to the browser, as we have called this
     634        // using ajax.
     635        return;
    622636         
    623637          } // hmvf = 1
     
    628642        // or we have been asked to force the T&C
    629643        // we need to display the verify page
    630           logger.info("displaying verify page for url " + url);
    631         String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=verify&c="+collection+"&url="+url;             
     644          //Lets encode the url parameter as we need it encoded in the page.
     645          String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=verify&c="+collection+"&url="+java.net.URLEncoder.encode(url, "UTF-8");
    632646        ((HttpServletResponse)response).sendRedirect(new_url);
    633647        return;
     
    636650    }// end if verifiable file
    637651   
    638     logger.info("have passed security checks");     
    639652    // if we got here, we have passed all security checks and just want to view the file.
    640653    // However, we need to remove the library_name from the URL. As can't change the
     
    645658    url = url.replaceFirst(context.getContextPath(), "");
    646659    url = url.replaceFirst("/"+library_name, "");
    647     logger.info("forwarding to url "+url);
     660    //logger.info("forwarding to "+url);
    648661    request.getRequestDispatcher(url).forward(request, response);
    649662
Note: See TracChangeset for help on using the changeset viewer.