User's Manual

Chapter 10. Kernel Tutorial 119
KernelHelper.getCurrentUser(request) is a convenience method that returns the current
User object if available, returns null if the user is not logged in, or throws a RuntimeException if the
user is logged in but does not exist.
4. How can a user be logged in but not exist in the database?
WAF logs in users automatically using cookies (or other mechanisms), so it is possible for a client to
present a valid cookie for a user that doesn’t exist. This might happen if the user is deleted, the database
is cleared, or an attacker spoofs a non-existent user’s cookie. WAF uses cryptographic mechanisms to
make the last case unlikely.
5. How do I require that a user is logged in for a given page?
com.arsdigita.ui.login.UserAuthenticationListener is a RequestListener that requires that the user is logged in and that the user exists. This listener should be added to any Bebop
Page that requires login using Page.addRequestListener().
If the user is not logged in or doesn’t exist, the client is redirected to the login page with return_url set
to the original request URL. This ensures that the client will return to the original page after logging
in.
If the user is logged in, this listener provides the methods isLoggedIn() and getUser(). Note that
these methods differ from those in UserContext since they also ensure that the user exists.
6. How do I require that a user is securely authenticated (using SSL or similar) for a given page?
This is not yet provided in a single API, but it can be accomplished using a UserAuthenticationListener and then calling
com.arsdigita.kernel.Initializer.getSecurityHelper().isSecure(request) to check
whether the current request is secure.
Note
In the current implementation of WAF, a user must be logged in securely to access a page over SSL.
This restriction will be loosened in the future, and an API for checking secure authentication will be
provided.
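The two checks from items 5 and 6 combined on one Bebop Page, as an added example rather than WAF's own code. It assumes that Bebop's RequestListener.pageRequested(RequestEvent) can reach the servlet request and response through the event's PageState, that listeners run in the order they were registered, and that throwing an exception after sending the redirect is enough to stop the page from rendering; the class and method names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.arsdigita.bebop.Page;
import com.arsdigita.bebop.event.RequestEvent;
import com.arsdigita.bebop.event.RequestListener;
import com.arsdigita.kernel.Initializer;
import com.arsdigita.ui.login.UserAuthenticationListener;

public class SecureLoginSetup {

    /** Requires a logged-in, existing user AND a secure request on one page. */
    public static void requireSecureLogin(Page page) {
        // Item 5: client is sent to the login page (with return_url) unless
        // the user is logged in and exists in the database.
        page.addRequestListener(new UserAuthenticationListener());
        // Item 6: also require a secure request. Registered second on the
        // assumption that listeners run in registration order, so anonymous
        // clients reach the login page before the transport check.
        page.addRequestListener(new SecureRequestListener());
    }

    /** Redirects any non-secure request to the same URL over https. */
    public static class SecureRequestListener implements RequestListener {
        public void pageRequested(RequestEvent e) {
            // Assumption: the servlet request/response are reachable through
            // the event's PageState.
            HttpServletRequest request = e.getPageState().getRequest();
            HttpServletResponse response = e.getPageState().getResponse();
            if (Initializer.getSecurityHelper().isSecure(request)) {
                return; // secure: let the page render normally
            }
            // Rebuild the original URL (path plus query string) so the client
            // lands on the same page, but over https.
            StringBuffer url = request.getRequestURL();
            String query = request.getQueryString();
            if (query != null) {
                url.append('?').append(query);
            }
            String secureUrl = url.toString().replaceFirst("^http://", "https://");
            try {
                response.sendRedirect(secureUrl);
            } catch (IOException ex) {
                throw new RuntimeException("redirect to secure URL failed", ex);
            }
            // Abort further processing so nothing is served over the insecure channel.
            throw new IllegalStateException("insecure request redirected to " + secureUrl);
        }
    }
}
```

Call SecureLoginSetup.requireSecureLogin(page) where the Page is built; the login redirect from item 5 still fires first, so only authenticated users ever reach the transport check.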
7. How do I get the HttpSession object for the current request?
WAF does not currently wrap session retrieval, so request.getSession() will return the current
HttpSession object.
Note
Session management is independent of user authentication, so a session will always exist, whether
or not the user is logged in.