[ 
https://issues.apache.org/jira/browse/SHIRO-406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13649392#comment-13649392
 ] 

Alex Edwards commented on SHIRO-406:
------------------------------------

So this was a configuration issue.

So, for example, if I secured /** = authc using Shiro, added a more specific 
rule for /login.html = anon and set this as the login page, then if the login 
page contains any CSS or JS files, once logged in I will be redirected to the 
last script it loaded.

Now that I understand what is happening, it seems like desired behaviour, but it 
was confusing until I realised this.
                
> Redirected to the wrong url after successful login
> --------------------------------------------------
>
>                 Key: SHIRO-406
>                 URL: https://issues.apache.org/jira/browse/SHIRO-406
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.1
>         Environment: jboss 7, hibernate 4, jsf2, primefaces
>            Reporter: Alex Edwards
>            Priority: Minor
>
> Navigate to a secure page that requires the user to be logged in; the user is 
> redirected to the login page, and after successful login the user is redirected 
> to a PrimeFaces JS page.
> Cause
> This occurs when the login page is contained within a secured URL. If the 
> login page contains any external links, e.g. JS, CSS, one of these will end up 
> being the saved request.
> I think this is the wrong behaviour. If the login page is treated as a 
> special case (as it seems to be), then the request that caused it to be 
> invoked should remain as the saved request; subsequent requests for secure 
> content by the login page should not be saved or provided.
> As this is essentially user misconfiguration, it could be prevented by not 
> having the login page as a special case; if it is located at a secure URL, 
> nothing will happen.

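The configuration described in the comment above, next to a corrected form, as an added example that is not taken from the issue or from the Shiro project. Only `/login.html` and `/**` come from the comment; the asset paths (`/css/**`, `/js/**`, `/javax.faces.resource/**`) are assumptions and depend on how the application and the FacesServlet are mapped.

```ini
# Constructed shiro.ini fragments. The two [urls] sections are alternatives,
# shown together for comparison; a real file contains only one of them.

[main]
# Login page, as in the comment.
authc.loginUrl = /login.html

# ---------------------------------------------------------------------------
# As described in the comment: only the login page itself is anonymous.
# ---------------------------------------------------------------------------
[urls]
/login.html = anon
# The CSS/JS files referenced by /login.html match this rule. The browser is
# not yet authenticated, so each of those requests is denied, saved as the
# "saved request" and redirected to the login page. The last one saved wins,
# which is why the user lands on a script after logging in.
/** = authc

# ---------------------------------------------------------------------------
# Corrected: the login page's static assets are anonymous too.
# Chains are evaluated in order and the first match wins, so the specific
# rules must come before the catch-all.
# ---------------------------------------------------------------------------
[urls]
/login.html = anon
# Assumed locations of the application's own stylesheets and scripts.
/css/** = anon
/js/** = anon
# Assumed JSF 2 resource path (serves PrimeFaces JS/CSS); the actual prefix
# depends on the FacesServlet mapping.
/javax.faces.resource/** = anon
# Everything else still requires authentication.
/** = authc
```

Keep the `anon` rules limited to the static assets the login page actually loads, so that no protected view becomes reachable without authentication through an overly broad pattern.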