[Solved] Security problem : sending an alfresco link

zomurn
Champ in-the-making
Hi everyone,

I deployed an Alfresco application, and a server hosts it. The application is accessible to all employees through the intranet via the URL http://xx.xx.xxx.xx/alfresco.
I have a security problem with the application (it is an Alfresco 2.2.0 Enterprise installation). Scenario:

1) A user accesses the application through the intranet via the URL http://xx.xx.xxx.xx/alfresco/extension/login.jsp
He arrives on a custom login.jsp page which shows the logo of the company.

2) The user logs in and navigates in the application.

3) The user stops navigating and copies this URL: http://xx.xx.xxx.xx/alfresco/extension/browse.jsp
(a custom browse.jsp page having some stuff different from original browse.jsp)

4) The user pastes this URL into his Outlook messaging client and sends the email to a collaborator (another employee).

5) The collaborator clicks on this link and SUDDENLY has access to http://xx.xx.xxx.xx/alfresco/extension/browse.jsp and sees this view directly WITHOUT going through the login screen (http://xx.xx.xxx.xx/alfresco/extension/login.jsp). Moreover, the login of the connected user (upper-right link, the logout one) is the same as that of the user who sent the email.

6) But when the collaborator attempts to click on a link inside the view sent by email (http://xx.xx.xxx.xx/alfresco/extension/browse.jsp), he is in all cases automatically redirected to the login screen (http://xx.xx.xxx.xx/alfresco/extension/login.jsp).

My questions are:

1) How is the login name transmitted through Outlook mail?
2) Why doesn't the browse.jsp URL redirect a user to the login screen if he is not connected?

Thank you very much for your advice !

Regards.

zomurn
Champ in-the-making
To be precise, the client's browser is IE6.

zomurn
Champ in-the-making
As usual, I'm going to answer myself; it might help somebody.
The problem comes from the client side: the client stores in its cache (more precisely in cookies) the pages login.jsp and browse.jsp.
So when we copy/paste the browse.jsp URL into the browser, the browser displays the cached browse.jsp.
To solve this problem, we need to force the browser NOT TO CACHE the browse.jsp page (login.jsp is not important).
Hence, we need to add the following scriptlet at the beginning of the browse.jsp page:

<%
// HTTP/1.0 directive, honoured by older browsers and proxies
response.addHeader("Pragma", "no-cache");
// HTTP/1.1 directives: do not serve a stored copy without revalidating it
response.addHeader("Cache-Control", "no-cache");
response.addHeader("Cache-Control", "must-revalidate");
%>

and then we can see that in the Windows cookies, browse.jsp doesn't appear anymore.
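The scriptlet above stops the browser from reusing a stored copy, but the page itself still has to refuse to render when no session is present, which is the server-side half of the problem described in the question. The following servlet filter is an added example, not code from the thread or from Alfresco (which ships its own authentication filters); it shows the pattern of doing both in one place. The session attribute name "user", the login page path and the filter mapping on /extension/* are assumptions to be matched to the real application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter for custom pages under /extension/*:
 * (1) refuses to serve a protected page to a request that has no
 *     authenticated session, redirecting it to the login page;
 * (2) marks every response as non-storable so the browser or an
 *     intermediate proxy cannot replay it from a cache.
 */
public class NoCacheAuthFilter implements Filter {

    /** Session attribute assumed to hold the logged-in user (assumption). */
    static final String USER_ATTR = "user";
    /** Login page, relative to the web application context (assumption). */
    static final String LOGIN_PAGE = "/extension/login.jsp";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set the anti-caching headers first, so even the redirect to the
        // login page is never kept as a stored copy of the protected URL.
        setNoStore(response);

        if (!isAuthenticated(request)) {
            // Server-side check: a URL pasted into a fresh browser has no
            // session, so it goes to the login screen regardless of caching.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only when an existing session carries the user attribute; never creates a session. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    /**
     * "no-store" forbids keeping a copy at all. The "no-cache" and
     * "must-revalidate" directives used in the thread only force a stored
     * copy to be revalidated, which some browsers do not apply to
     * back/forward navigation. "Pragma" and "Expires" cover HTTP/1.0
     * caches and proxies.
     */
    static void setNoStore(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);
    }
}
```

Register the filter in the web application's web.xml with a filter-mapping whose url-pattern is /extension/* (assumed path). To confirm it is active, request browse.jsp without a session cookie and check that the response is a redirect to login.jsp carrying Cache-Control: no-store; any 200 response to such a request means the page is still reachable without authentication, whatever the cache headers say.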