This is an automated email from the ASF dual-hosted git repository.
kwin pushed a commit to branch master
in repository
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git
The following commit(s) were added to refs/heads/master by this push:
new 530a1bc SLING-13025 Evaluate "resource" as fallback to
"sling.auth.redirect"
530a1bc is described below
commit 530a1bcf0e0a29cf1e08f0d9dd0debde5d605d1b
Author: Konrad Windszus <[email protected]>
AuthorDate: Mon Dec 8 13:22:48 2025 +0100
SLING-13025 Evaluate "resource" as fallback to "sling.auth.redirect"
In most cases the "resource" is set anyway (it is needed to determine the
login path when handling failed authentications), and it is used as the
redirect target for successful authentications as well.
Use mapped (instead of raw) resource path also in LoginServlet
---
.../java/org/apache/sling/auth/core/AuthUtil.java | 38 ++++++++++++++++++++++
.../apache/sling/auth/core/impl/LoginServlet.java | 2 +-
.../sling/auth/core/impl/SlingAuthenticator.java | 1 +
.../org/apache/sling/auth/core/package-info.java | 4 +--
.../spi/DefaultAuthenticationFeedbackHandler.java | 10 ++++--
...efaultJakartaAuthenticationFeedbackHandler.java | 11 +++++--
6 files changed, 57 insertions(+), 9 deletions(-)
diff --git a/src/main/java/org/apache/sling/auth/core/AuthUtil.java
b/src/main/java/org/apache/sling/auth/core/AuthUtil.java
index b57c11f..af88016 100644
--- a/src/main/java/org/apache/sling/auth/core/AuthUtil.java
+++ b/src/main/java/org/apache/sling/auth/core/AuthUtil.java
@@ -37,6 +37,7 @@ import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.auth.core.spi.JakartaAuthenticationHandler;
+import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -183,6 +184,7 @@ public final class AuthUtil {
* @return The non-empty redirection target or
* <code>defaultLoginResource</code>.
* @since 1.6.0
+ * @see AuthUtil#getMappedLoginResourcePath(HttpServletRequest, String)
*/
public static String getLoginResource(final HttpServletRequest request,
String defaultLoginResource) {
return getAttributeOrParameter(request, Authenticator.LOGIN_RESOURCE,
defaultLoginResource);
@@ -201,6 +203,7 @@ public final class AuthUtil {
* @return The non-empty redirection target or
* <code>defaultLoginResource</code>.
* @deprecated Use {@link #getLoginResource(HttpServletRequest, String)}
+ * @see #getMappedLoginResourcePath(javax.servlet.http.HttpServletRequest,
String)
*/
@Deprecated
public static String getLoginResource(
@@ -208,6 +211,41 @@ public final class AuthUtil {
return getAttributeOrParameter(request, Authenticator.LOGIN_RESOURCE,
defaultLoginResource);
}
+ /**
+ * Returns the mapped resource path (to redirect to after a successful
authentication).
+ * It still needs to be validated by the caller.
+ * Use this method to issue a redirect instead of {@link
#getLoginResource(HttpServletRequest, String)} to correctly consider resource
resolver mapping.
+ * @return the mapped path of the resource target or {@code null} if non
is given in the request
+ * @since 1.7.0 (Bundle Version 2.1.0)
+ */
+ public static @Nullable String getMappedLoginResourcePath(
+ final HttpServletRequest request, String defaultLoginResource) {
+ String resourcePath = getLoginResource(request, defaultLoginResource);
+ if (resourcePath == null) {
+ return null;
+ }
+ return getResourceResolver(request).map(request, resourcePath);
+ }
+
+ /**
+ * Returns the mapped resource path (to redirect to after a successful
authentication).
+ * It still needs to be validated by the caller.
+ * Use this method to issue a redirect instead of {@link
#getLoginResource(javax.servlet.http.HttpServletRequest, String)} to correctly
consider resource resolver mapping.
+ * @return the mapped path of the resource target or {@code null} if non
is given in the request
+ *
+ * @deprecated Use {@link #getMappedLoginResourcePath(HttpServletRequest,
String)}
+ * @since 1.7.0 (Bundle Version 2.1.0)
+ */
+ @Deprecated
+ public static @Nullable String getMappedLoginResourcePath(
+ final javax.servlet.http.HttpServletRequest request, String
defaultLoginResource) {
+ String resourcePath = getLoginResource(request, defaultLoginResource);
+ if (resourcePath == null) {
+ return null;
+ }
+ return getResourceResolver(request).map(request, resourcePath);
+ }
+
/**
* Ensures and returns the {@link Authenticator#LOGIN_RESOURCE} request
* attribute is set to a non-null, non-empty string. If the attribute is
not
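Review bot: Both new `getMappedLoginResourcePath` overloads say the result "still needs to be validated by the caller" without naming the check, although the value originates from the `resource` request attribute or parameter and is therefore client-controlled; point callers at the existing check, e.g. add `@see #isRedirectValid(HttpServletRequest, String)` (the method is already used for exactly this purpose in SlingAuthenticator). The `@return` text has a typo, "if non is given" should read "if none is given", and both overloads lack `@param request` and `@param defaultLoginResource`; the latter should state how a non-null default affects the {@code null} contract, since `getLoginResource` returns the default when no target is given. `getResourceResolver(request)` is defined outside this hunk; if it can yield no resolver for a request that lacks the resolver attribute, the unconditional `.map(...)` call would throw, so either guard that case or document it as a precondition.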
diff --git a/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
b/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
index a765042..37c0054 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
@@ -77,7 +77,7 @@ public class LoginServlet extends SlingAllMethodsServlet {
// through the login servlet), redirect to root now assuming we are
// authenticated.
if (request.getAuthType() != null) {
- final String resourcePath = AuthUtil.getLoginResource(request,
null);
+ final String resourcePath =
AuthUtil.getMappedLoginResourcePath(request, null);
if (isSelf(resourcePath)) {
String redirectTarget = request.getContextPath() + "/";
log.warn("doGet: Redirecting to {} to prevent login loop for
resource", redirectTarget);
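Review bot: `isSelf(resourcePath)` now receives the mapped path instead of the raw `resource` value, and `isSelf` is defined outside this hunk; if it compares against the raw servlet path or the unmapped `resource` attribute, a mapped value that carries the context path or a mapping prefix may no longer match, and the login-loop guard this block exists for would be bypassed. Please confirm `isSelf` normalizes both sides the same way, or keep `final String resourcePath = AuthUtil.getLoginResource(request, null);` for the self-check and compute the mapped path only afterwards for the redirect. The enclosing `doGet` body continues outside the hunk.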
diff --git
a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index 10e77b1..8f6cb25 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -1462,6 +1462,7 @@ public class SlingAuthenticator implements Authenticator,
AuthenticationSupport,
// find the redirect target from the resource attribute or parameter
// falling back to the request context path (or /) if not set or
invalid
+ // TODO: apply mapping, but no resource resolver at hand, use service
resource resolver?
String target = AuthUtil.getLoginResource(request,
request.getContextPath());
if (!AuthUtil.isRedirectValid(request, target)) {
log.warn("redirectAfterLogout: Desired redirect target is invalid;
redirecting to '/'");
diff --git a/src/main/java/org/apache/sling/auth/core/package-info.java
b/src/main/java/org/apache/sling/auth/core/package-info.java
index 4102d58..9b8262a 100755
--- a/src/main/java/org/apache/sling/auth/core/package-info.java
+++ b/src/main/java/org/apache/sling/auth/core/package-info.java
@@ -22,7 +22,7 @@
* of utility functions in the {@link org.apache.sling.auth.core.AuthUtil}
* class.
*
- * @version 1.6.0
+ * @version 1.7.0
*/
[email protected]("1.6.0")
[email protected]("1.7.0")
package org.apache.sling.auth.core;
diff --git
a/src/main/java/org/apache/sling/auth/core/spi/DefaultAuthenticationFeedbackHandler.java
b/src/main/java/org/apache/sling/auth/core/spi/DefaultAuthenticationFeedbackHandler.java
index dae3d9a..ca4c365 100644
---
a/src/main/java/org/apache/sling/auth/core/spi/DefaultAuthenticationFeedbackHandler.java
+++
b/src/main/java/org/apache/sling/auth/core/spi/DefaultAuthenticationFeedbackHandler.java
@@ -37,8 +37,9 @@ public class DefaultAuthenticationFeedbackHandler implements
AuthenticationFeedb
* authentication and <code>true</code> if the request has been redirected.
* <p>
* This method checks {@link AuthenticationSupport#REDIRECT_PARAMETER}
- * request parameter for the redirect target. This parameter is handled
- * as follows:
+ * request parameter for the redirect target. If that is not set, it falls
back
+ * to check for {@link
AuthUtil#getMappedLoginResourcePath(HttpServletRequest, String)}.
+ * The parameter is handled as follows:
* <ul>
* <li>If the parameter does not exist, the method does not redirect and
* <code>false</code> is returned.</li>
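Review bot: The list item that follows still says the method does not redirect and returns `false` when the parameter does not exist, which is no longer accurate now that an absent parameter falls back to the `resource` attribute/parameter; it should read along the lines of `<li>If neither the parameter nor a login resource is given, the method does not redirect and <code>false</code> is returned.</li>`. The sentence "it falls back to check for {@link ...}" reads awkwardly; "it falls back to the value of {@link AuthUtil#getMappedLoginResourcePath(HttpServletRequest, String)}" is clearer. The rest of the list lies outside the hunk, so later items may need the same adjustment. The same wording is added to DefaultJakartaAuthenticationFeedbackHandler.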
@@ -101,7 +102,10 @@ public class DefaultAuthenticationFeedbackHandler
implements AuthenticationFeedb
private static String getValidatedRedirectTarget(final HttpServletRequest
request) {
String redirect =
request.getParameter(AuthenticationSupport.REDIRECT_PARAMETER);
if (redirect == null) {
- return null;
+ redirect = AuthUtil.getMappedLoginResourcePath(request, null);
+ if (redirect == null) {
+ return null;
+ }
}
// redirect to the same path
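Review bot: The nested null check can be flattened so the fallback and the bail-out read as two independent steps: `if (redirect == null) { redirect = AuthUtil.getMappedLoginResourcePath(request, null); }` followed by `if (redirect == null) { return null; }`. The fallback value is a mapped path derived from the `resource` request attribute/parameter whereas the parameter value is raw; the validation that follows (the method continues outside the hunk) must treat both as untrusted and, presumably via `AuthUtil.isRedirectValid`, reject anything that is not a local path before it becomes a redirect target. Also, `request.getParameter` returns an empty string for `?sling.auth.redirect=`, so the fallback applies only when the parameter is entirely absent; a one-line comment stating that this is intended would help. The same change is made in DefaultJakartaAuthenticationFeedbackHandler.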
diff --git
a/src/main/java/org/apache/sling/auth/core/spi/DefaultJakartaAuthenticationFeedbackHandler.java
b/src/main/java/org/apache/sling/auth/core/spi/DefaultJakartaAuthenticationFeedbackHandler.java
index e2edb29..f6f2f95 100644
---
a/src/main/java/org/apache/sling/auth/core/spi/DefaultJakartaAuthenticationFeedbackHandler.java
+++
b/src/main/java/org/apache/sling/auth/core/spi/DefaultJakartaAuthenticationFeedbackHandler.java
@@ -36,8 +36,10 @@ public class DefaultJakartaAuthenticationFeedbackHandler
implements JakartaAuthe
* authentication and <code>true</code> if the request has been redirected.
* <p>
* This method checks {@link AuthenticationSupport#REDIRECT_PARAMETER}
- * request parameter for the redirect target. This parameter is handled
- * as follows:
+ * request parameter for the redirect target. If that is not set, it falls
back
+ * to check for {@link
AuthUtil#getMappedLoginResourcePath(HttpServletRequest, String)}.
+ *
+ * The parameter is handled as follows:
* <ul>
* <li>If the parameter does not exist, the method does not redirect and
* <code>false</code> is returned.</li>
@@ -100,7 +102,10 @@ public class DefaultJakartaAuthenticationFeedbackHandler
implements JakartaAuthe
private static String getValidatedRedirectTarget(final HttpServletRequest
request) {
String redirect =
request.getParameter(AuthenticationSupport.REDIRECT_PARAMETER);
if (redirect == null) {
- return null;
+ redirect = AuthUtil.getMappedLoginResourcePath(request, null);
+ if (redirect == null) {
+ return null;
+ }
}
// redirect to the same path