[
https://issues.apache.org/jira/browse/KNOX-2655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426629#comment-17426629
]
Larry McCay commented on KNOX-2655:
-----------------------------------
Due to upcoming release of 1.6.0 and the need for an incompatible change coming
up for log4j migration, we are moving this out to the 2.0.0 release. As of now,
1.6.0 will be the last 1.x.x release due to the incompatible change. If there
is a critical need for this in 1.6.0 please feel free to move the fixVersion
back to 1.6.0 with a note of justification.
> Disallow Userinfo in KnoxSSO originalURL Query Param
> ----------------------------------------------------
>
> Key: KNOX-2655
> URL: https://issues.apache.org/jira/browse/KNOX-2655
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxSSO
> Reporter: Larry McCay
> Priority: Major
> Fix For: 2.0.0
>
>
> There is no valid reason that I can think of to allow userinfo in a URL for
> an application/UI that is participating in KnoxSSO. The userinfo is used to
> login to hosts/pages that are protected by HTTP Basic. This is contradictory
> to the use of KnoxSSO to begin with and complicates the regex pattern
> required to indicate those URLs that are allowed for redirect and/or dispatch.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
