[
https://issues.jboss.org/browse/AS7-4623?page=com.atlassian.jira.plugin.s...
]
Jess Sightler commented on AS7-4623:
------------------------------------
@Jason Greene - That isn't really what the username/password do from what I can tell.
The Password box in question ends up appearing on the /logout url itself. Entering a valid
password fails, entering an invalid one succeeds. As far as I can tell, the intended
workflow is:
1. User is redirected to /logout (with a Referer header)
2. /logout parses the referer header and then redirects to (eg:
https://enter-login-here:blah@serverip/logout?logout
3. Hopefully the browser accepts "enter-login-here" and "blah" and
forwards these to the server
4. /logout redirects back to the referer url
AFAICT, in Firefox the "enter-login-here:blah" credentials are lost. Hitting
escape on the dialog popup usually works, but seems to be fragile to intermediate proxies
(mod_proxy with SSL on the apache side).
LogoutHandler.java misspells the referer header
-----------------------------------------------
Key: AS7-4623
URL:
https://issues.jboss.org/browse/AS7-4623
Project: Application Server 7
Issue Type: Bug
Components: Domain Management
Reporter: Jess Sightler
Assignee: Jason Greene
Original code is:
String referrer = responseHeaders.getFirst("Referrer");
But the HTTP Referer header is actually spelled "Referer". Pull request with
fix is here:
https://github.com/jbossas/jboss-as/pull/2139
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira