# HG changeset patch
# User Björn Ricks
# Date 1350894949 -7200
# Node ID e10d60d4f35b98e2b248d4bf740110643791f0c0
# Parent 93b53eaee4017dc02966ec5beb471d0a7f688924
Don't always redirect if user isn't authenticated

Only redirect a user if he is accessing the redirect url (FLYS.html by default). In other cases only send a 403 Forbidden to indicate that a user isn't allowed to access the url.

Should improve flys/issue856 (Timeout in der Authentifizierung führt zu Fehlern)

diff -r 93b53eaee401 -r e10d60d4f35b flys-client/src/main/java/de/intevation/flys/client/server/GGInAFilter.java
--- a/flys-client/src/main/java/de/intevation/flys/client/server/GGInAFilter.java	Mon Oct 22 10:32:09 2012 +0200
+++ b/flys-client/src/main/java/de/intevation/flys/client/server/GGInAFilter.java	Mon Oct 22 10:35:49 2012 +0200
@@ -97,10 +97,16 @@
             return;
         }
 
+        boolean redirect = false;
+
         HttpSession session = sreq.getSession();
         String uri = path + "/" + this.redirecturl;
 
+        if (requesturi.equals(uri)) {
+            redirect = true;
+        }
+
         if (sreq.getQueryString() != null) {
             uri = uri + "?" + sreq.getQueryString();
         }
 
@@ -109,7 +115,7 @@
         User user = (User)session.getAttribute("user");
         if (user == null) {
             logger.debug("No user in session: " + requesturi);
-            this.redirect(resp);
+            this.handleResponse(resp, redirect);
             return;
         }
         if (user.hasExpired()) {
@@ -120,12 +126,12 @@
             Authentication auth = this.auth(user, encoding);
             if (auth == null || !auth.isSuccess()) {
                 logger.debug("Re-athentication not successful");
-                this.redirect(resp);
+                this.handleResponse(resp, redirect);
             }
         }
         catch(AuthenticationException e) {
             logger.error("Failure during re-authentication", e);
-            this.redirect(resp);
+            this.handleResponse(resp, redirect);
             return;
         }
     }
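Review bot: The new `redirect` flag in the first hunk is initialised to `false` and then flipped in a separate `if` block, although it is fully determined by a single comparison; `boolean redirect = requesturi.equals(uri);` placed directly after `uri` is built says the same in one line and keeps the flag effectively final. The comparison is intentionally made before the query string is appended to `uri`, so a request for the redirect page with parameters still counts as a redirect; that deserves a comment, e.g. `// compare before the query string is appended so FLYS.html?... still redirects`, since `requesturi` presumably carries no query string. `requesturi` and `path` are assigned before this hunk, so I am inferring their contents from their use here.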
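Review bot: In the third hunk, the `auth == null || !auth.isSuccess()` branch calls `this.handleResponse(resp, redirect)` without a following `return;`, unlike the `catch` branch right below it and the `user == null` branch in the second hunk, so control falls out of the `try` and continues past the hunk. Before the change that only issued a redirect; with the non-redirect path now committing the response through `sendError`, anything the method does afterwards (the filter chain, if it is invoked below) would operate on an already committed response. Add `return;` after `this.handleResponse(resp, redirect);` in that branch. The enclosing `doFilter` body continues outside the hunk, so what actually follows is inferred.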
@@ -141,6 +147,20 @@
             "/login.jsp");
     }
 
+    private void sendNotAuthenticated(ServletResponse resp) throws IOException {
+        logger.debug("Send not authenticated");
+        ((HttpServletResponse)resp).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated");
+    }
+
+    private void handleResponse(ServletResponse resp, boolean redirect) throws IOException {
+        if (redirect) {
+            this.redirect(resp);
+        }
+        else {
+            this.sendNotAuthenticated(resp);
+        }
+    }
+
     /**
      * Do nothing at destruction.