[jboss-jira] [JBoss JIRA] (AS7-4623) LogoutHandler.java misspells the referer header
Jess Sightler (JIRA)
jira-events at lists.jboss.org
Thu Apr 26 14:43:21 EDT 2012
[ https://issues.jboss.org/browse/AS7-4623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688120#comment-12688120 ]
Jess Sightler commented on AS7-4623:
------------------------------------
@Jason Greene - That isn't really what the username/password do from what I can tell. The Password box in question ends up appearing on the /logout url itself. Entering a valid password fails, entering an invalid one succeeds. As far as I can tell, the intended workflow is:
1. User is redirected to /logout (with a Referer header)
2. /logout parses the referer header and then redirects to (e.g.: https://enter-login-here:blah@serverip/logout?logout)
3. Hopefully the browser accepts "enter-login-here" and "blah" and forwards these to the server
4. /logout redirects back to the referer url
AFAICT, in Firefox the "enter-login-here:blah" credentials are lost. Hitting escape on the dialog popup usually works, but seems to be fragile to intermediate proxies (mod_proxy with SSL on the apache side).
> LogoutHandler.java misspells the referer header
> -----------------------------------------------
>
> Key: AS7-4623
> URL: https://issues.jboss.org/browse/AS7-4623
> Project: Application Server 7
> Issue Type: Bug
> Components: Domain Management
> Reporter: Jess Sightler
> Assignee: Jason Greene
>
> Original code is:
> String referrer = responseHeaders.getFirst("Referrer");
> But the HTTP Referer header is actually spelled "Referer". Pull request with fix is here:
> https://github.com/jbossas/jboss-as/pull/2139
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira