Author: fmeschbe
Date: Tue Nov 15 11:01:59 2011
New Revision: 1202125
URL: http://svn.apache.org/viewvc?rev=1202125&view=rev
Log:
SLING-2287 Check the redirect target for the redirect after logging out. Also
ensure the target is prefixed with the context path
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1202125&r1=1202124&r2=1202125&view=diff
==============================================================================
---
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
(original)
+++
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
Tue Nov 15 11:01:59 2011
@@ -48,6 +48,7 @@ import org.apache.sling.api.auth.NoAuthe
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
+import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.AuthenticationSupport;
import
org.apache.sling.auth.core.impl.engine.EngineAuthenticationHandlerHolder;
import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
@@ -1303,20 +1304,21 @@ public class SlingAuthenticator implemen
// nothing more to do if the response has already been committed
if (response.isCommitted()) {
+ log.debug("redirectAfterLogout: Response has already been
committed, not redirecting");
return;
}
// find the redirect target from the resource attribute or parameter
- // falling back to the request context path (or /) if not set
- String target = AbstractAuthenticationHandler.getLoginResource(request,
- request.getContextPath());
- if (target.length() == 0) {
+ // falling back to the request context path (or /) if not set or
invalid
+ String target =
AbstractAuthenticationHandler.getLoginResource(request,
request.getContextPath());
+ if (!AuthUtil.isRedirectValid(request, target)) {
+ log.warn("redirectAfterLogout: Desired redirect target '{}' is
invalid; redirecting to '/'", target);
target = "/";
}
// redirect to there
try {
- response.sendRedirect(target);
+ response.sendRedirect(request.getContextPath() + target);
} catch (IOException e) {
log.error("Failed to redirect to the page: " + target, e);
}
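Review bot: The context-path prefix added on the `sendRedirect` line is applied to a target whose default value is already `request.getContextPath()` (the second argument to `getLoginResource`), so in a non-root context a logout with no explicit resource either redirects to `/app/app` or, if `AuthUtil.isRedirectValid` rejects the bare context path, always takes the warning fallback — which of the two depends on `isRedirectValid`, whose checks are not visible here. Treating `target` as a context-inclusive path throughout is simpler and avoids the doubling: use `target = request.getContextPath() + "/";` in the fallback and keep `response.sendRedirect(target);` as it was, with `isRedirectValid` expected to verify that the target lies under the context path. If the context path is empty the prefix is a no-op, so a protocol-relative value such as `//evil.example` would reach `sendRedirect` unless `isRedirectValid` rejects it; since this check is the open-redirect guard the commit introduces, that rejection should be confirmed or added. The `Failed to redirect` log line should also report the URL actually passed to `sendRedirect` rather than the unprefixed `target`.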