[jboss-jira] [JBoss JIRA] (WFLY-13379) Redirect after "j_security_check" login does not work if URL has no trailing slash
Darran Lofthouse (Jira)
issues at jboss.org
Thu Apr 23 09:26:00 EDT 2020
[ https://issues.redhat.com/browse/WFLY-13379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14053938#comment-14053938 ]
Darran Lofthouse commented on WFLY-13379:
-----------------------------------------
Just to confirm I have also recreated this locally on the latest commit in WildFly master 90ebbec1e5883d5ebfe9f4a82a3961a2455ced4f - I am having a look now at what is needed.
Fundamentally the issue is actually in relation to the lack of a redirect; in the scenario described no redirect occurs. On attempting to access a secured resource we return the login page as the immediate response. The problem is that if the immediate response returned was for the root of the web application whilst missing the trailing slash, that is the only URL the browser is aware of, so a FORM with the following action will submit to the root context.
{code:html}
<form action="j_security_check" method="POST">
{code}
> Redirect after "j_security_check" login does not work if URL has no trailing slash
> ----------------------------------------------------------------------------------
>
> Key: WFLY-13379
> URL: https://issues.redhat.com/browse/WFLY-13379
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 19.0.0.Final
> Reporter: Wolfgang Knauf
> Assignee: Darran Lofthouse
> Priority: Major
> Attachments: Security.ear, configure.cli, restore-configuration.cli
>
>
> Attached file "Security.ear" contains a web application with a single jsp page "index.jsp" and form based login, which is secured by a Database Identity Store (Elytron).
> When calling the root URL of the webapp without specifying any page and {color:red}*no*{color} trailing slash (http://localhost:8080/SecurityWeb), on WildFly 11 the login form is shown, and then the welcome file "index.jsp" is shown.
> On WildFly 19, the login form is shown, and after successful login, there is an error message "404 - Not Found", and the URL in the address bar changes to http://localhost:8080/j_security_check
> It works if the URL is "http://localhost:8080/SecurityWeb/" (trailing slash). It seems WildFly 11 appends the "/" automatically when redirecting to the login form, while WildFly 19 keeps this URL.
> To run the sample, you have to add the Elytron config - the script "configure.cli" can be used for this:
> jboss-cli.bat --file=path_to\configure.cli
> The script "restore-configuration.cli" undoes this configuration.
> Username/Password are e.g. "admin"/"admin" - the sample creates a user table based on an ejb and "import.sql" inserts users.
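The two URL resolutions described in this issue, as an added example that is not part of the Jira thread or of WildFly itself: `resolveFormAction` applies the same WHATWG URL resolution a browser uses for `<form action="j_security_check">`, and `contextRootRedirect` is an assumed helper (not a WildFly or Undertow API) showing the kind of trailing-slash redirect the reporter observed on WildFly 11.

```javascript
// Added example (not from the WildFly issue or its attachments). Sample URLs
// are constructed from the values quoted in the report.

// Resolve a relative form action against the page URL the browser is on.
// new URL(relative, base) implements the WHATWG algorithm browsers use.
function resolveFormAction(pageUrl, action) {
  return new URL(action, pageUrl).href;
}

// Assumed helper: if the request targets the context root without a trailing
// slash, return a 302 to the slash-terminated URL (query string preserved);
// otherwise return null so the request is served as-is. Paths are assumed to
// be already normalized (no dot segments).
function contextRootRedirect(requestUrl, contextPath) {
  const u = new URL(requestUrl);
  if (u.pathname === contextPath && !contextPath.endsWith("/")) {
    u.pathname = contextPath + "/";
    return { status: 302, location: u.href };
  }
  return null;
}

const CONTEXT = "/SecurityWeb";
const withoutSlash = "http://localhost:8080/SecurityWeb";
const withSlash = "http://localhost:8080/SecurityWeb/";

// Without the slash, "SecurityWeb" is treated as a file name and replaced,
// so the login form posts to the server root (the 404 in the report):
console.log(resolveFormAction(withoutSlash, "j_security_check"));
// With the slash, the action stays inside the web application:
console.log(resolveFormAction(withSlash, "j_security_check"));

// Redirecting first means the browser's base URL gains the slash before the
// login form is ever rendered, so the POST lands in the right context.
console.log(contextRootRedirect(withoutSlash, CONTEXT));
console.log(contextRootRedirect(withSlash, CONTEXT));
```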