Result authorization loops

michel.weber
Posts: 256
Joined: Sat Oct 08, 2005 12:40 pm

Post by michel.weber »

Hi

I've been trying to set up result authorization for one of our web sites (appliance: 6.3.4).

I've got it nearly working, but somehow the authorization loops.

Somehow the appliance does not seem to see the correct cookie.

Could this be because of the HTTPS on the web site?

200 2009-05-29 19:07:49 pr=Wcd_MWR2 missing cookie JSESSIONID: redirecting to [https://valwcd.coe.int/login.jsp?Thunde ... t%3DSubmit]
200 2009-05-29 19:07:44 pr=Wcd_MWR2 missing cookie JSESSIONID: redirecting to [https://valwcd.coe.int/login.jsp?Thunde ... t%3DSubmit]
200 2009-05-29 19:07:28 pr=Wcd_MWR2 missing cookie JSESSIONID: redirecting to [https://valwcd.coe.int/login.jsp?Thunde ... t%3DSubmit]
200 2009-05-29 19:07:23 pr=Wcd_MWR2 missing cookie JSESSIONID: redirecting to [https://valwcd.coe.int/login.jsp?Thunde ... t%3DSubmit]
200 2009-05-29 19:07:17 pr=Wcd_MWR2 missing cookie JSESSIONID: redirecting to [https://valwcd.coe.int/login.jsp?Thunde ... t%3DSubmit]
200 2009-05-29 19:07:14 pr=Wcd_MWR2 missing cookie JSESSIONID: redirecting to [https://valwcd.coe.int/login.jsp?Thunde ... t%3DSubmit]
Kai
Site Admin
Posts: 1271
Joined: Tue Apr 25, 2000 1:27 pm

Post by Kai »

It could be. Make sure that whatever is setting that cookie (e.g. https://valwcd.coe.int/login.jsp) does not set the SECURE flag, unless your appliance is also accepting searches via https. Also, make sure the cookie's DOMAIN includes the appliance, as seen from your browser. E.g. if the appliance hostname (as typed in your browser) is search.coe.int, then the cookie DOMAIN should be ".coe.int" so that your browser will know to send the cookie to the appliance too, even though it got it from valwcd.coe.int.
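
Added example (not part of the original posts, and not the appliance's own code): a sketch of the RFC 6265 checks a browser makes before attaching JSESSIONID to a request, showing why a host-only or Secure cookie never reaches the appliance and the "missing cookie" redirect repeats. The hostnames come from the thread; the request URLs, the object shape and the function names are assumptions made for illustration.

```javascript
// Illustration of the browser-side decision only. Path, expiry and
// public-suffix checks are left out to keep the two attributes in view.

// RFC 6265 section 5.1.3 domain-match: same host, or host ends with "." + domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// cookie: { name, domain (Domain attribute or null), setBy (host that set it), secure }
// Returns { sent, reason } for a request to requestUrl.
function cookieSentTo(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname;
  if (cookie.domain === null) {
    // No Domain attribute: host-only cookie, returned only to the setting host.
    if (host.toLowerCase() !== cookie.setBy.toLowerCase()) {
      return { sent: false, reason: "host-only cookie for " + cookie.setBy };
    }
  } else if (!domainMatches(host, cookie.domain)) {
    return { sent: false, reason: "Domain " + cookie.domain + " does not cover " + host };
  }
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie withheld from plain http" };
  }
  return { sent: true, reason: "ok" };
}

// Constructed cookies mirroring the cases discussed in the thread.
const hostOnly = { name: "JSESSIONID", domain: null, setBy: "valwcd.coe.int", secure: false };
const shared = { name: "JSESSIONID", domain: ".coe.int", setBy: "valwcd.coe.int", secure: false };
const sharedSecure = { ...shared, secure: true };

// Constructed request URLs: the appliance reached over http and over https.
const cases = [
  ["host-only, appliance over http", hostOnly, "http://search.coe.int/"],
  ["Domain=.coe.int, appliance over http", shared, "http://search.coe.int/"],
  ["Domain=.coe.int + Secure, appliance over http", sharedSecure, "http://search.coe.int/"],
  ["Domain=.coe.int + Secure, appliance over https", sharedSecure, "https://search.coe.int/"],
];
for (const [label, cookie, url] of cases) {
  const r = cookieSentTo(cookie, url);
  console.log(label + ": " + (r.sent ? "sent" : "not sent (" + r.reason + ")"));
}
```

The last case shows the alternative Kai mentions: if the appliance accepts searches via https, the Secure flag can stay on the session cookie.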
thomas.haudot
Posts: 2
Joined: Mon Jan 21, 2008 8:16 am

Post by thomas.haudot »

OK, the cookie domain didn't include the appliance domain. I fixed this, but we are now facing another problem: our web application uses a single JSP page to manage the access to a document, and this page always has a 200 HTTP status. If a user is not allowed to see a document, he is redirected to a login form (which also has a 200 HTTP status). Conclusion: a user can have documents he is not allowed to see in his search result…
Is there a solution to this problem?
jason112
Site Admin
Posts: 347
Joined: Tue Oct 26, 2004 5:35 pm

Post by jason112 »

Yes, this is what the "Unauthorized Result Query" search setting is for.

It allows you to specify what the criteria is for "failing" a result. You can give it a text snippet to search for in the text of the page, or a REX expression on the text or HTML.
thomas.haudot
Posts: 2
Joined: Mon Jan 21, 2008 8:16 am

Post by thomas.haudot »

Excellent, it's working.
Thank you.