[jboss-jira] [JBoss JIRA] (WFLY-7105) Incorrect redirection after authentization when using elytron
Darran Lofthouse (JIRA)
issues at jboss.org
Wed Sep 14 13:00:02 EDT 2016
[ https://issues.jboss.org/browse/WFLY-7105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13293502#comment-13293502 ]
Darran Lofthouse commented on WFLY-7105:
----------------------------------------
This issue is being triggered by how Undertow is setting the requestPath within the HttpServerExchange.
In my own testing, my application is deployed at http://localhost:8080/HelloWorld. From here I click on a link to /HelloWorld/secured-page; as I have a welcome page, this block of code within ServletInitialHandler is executed:
{code:java}
} else if (info.getType() == ServletPathMatch.Type.REWRITE) {
    // this can only happen if the path ends with a /
    // otherwise there would be a redirect instead
    exchange.setRelativePath(info.getRewriteLocation());
    exchange.setRequestPath(exchange.getRequestPath() + info.getRewriteLocation());
}
{code}
The original request path was '/HelloWorld/secured-page/' so by concatenating it with the output from info.getRewriteLocation() we end up with '/HelloWorld/secured-page//secured-page/index.html' - maybe this should be using the resolved path instead of the request path?
> Incorrect redirection after authentization when using elytron
> -------------------------------------------------------------
>
> Key: WFLY-7105
> URL: https://issues.jboss.org/browse/WFLY-7105
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Reporter: Radim Hatlapatka
> Assignee: Stuart Douglas
> Priority: Critical
> Attachments: defined-security-domain.war, roles.properties, standalone-elytron-web-tests.xml, users.properties
>
>
> Having a web application which uses a defined security domain, which is set up using elytron, results in incorrect redirection. It is redirecting after authentication done at {{http://localhost:8080/defined-security-domain/user/}} to {{http://localhost:8080/defined-security-domain/user//user/index.jsp}} instead of to {{http://localhost:8080/defined-security-domain/user/index.jsp}}.
> Note, when using only the old security domain setup without elytron, it works just fine.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)