selector form submits to the wrong path when used in a non-root servlet context
-------------------------------------------------------------------------------

                 Key: SLING-1940
                 URL: https://issues.apache.org/jira/browse/SLING-1940
             Project: Sling
          Issue Type: Bug
          Components: Authentication
            Reporter: Justin Edelson
            Assignee: Justin Edelson


If you run Sling on a non-root servlet context and go to the login page (e.g.
http://localhost:8080/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/system/sling/login.html),
the login servlet redirects to a login form with a query parameter called
resource set to the servlet context path (e.g.
http://localhost:8080/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/system/sling/selector/login?resource=%2Forg.apache.sling.launchpad.testing-war-6-SNAPSHOT).

When the form is created, the HTML form submission path (i.e. the form action) 
contains the servlet context path *twice*, e.g.

action="/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/j_security_check"

The reason for this is that
org.apache.sling.auth.core.spi.AbstractAuthenticationFormServlet.getContextPath()
concatenates the servlet context path and the resource query param:

        StringBuilder b = new StringBuilder();
        b.append(request.getContextPath());
        String resource = getResource(request);
        int query = resource.indexOf('?');
        if (query > 0) {
            b.append(resource.substring(0, query));
        } else {
            b.append(resource);
        }

Obviously, we should only add the servlet context path once, either in the 
resource query param OR AbstractAuthenticationFormServlet.getContextPath().

My inclination is to do the former, i.e. the default value of the resource 
query param is "/", not the servlet context path.
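As an added example that is not part of this issue or of Sling's own code, a small Java program that mirrors the quoted concatenation next to a fixed variant that defaults the resource to "/" and refuses to prefix the context path a second time; the method names and the two-argument signatures are assumptions made here for illustration.

```java
// Added example (not Sling's own code): the duplication and one way to avoid it.
public class LoginFormPathExample {

    // Mirrors the concatenation quoted in the issue. resourceParam is the value of the
    // "resource" query parameter, or null when the redirect did not send one; in the
    // buggy flow its default is the context path itself, which is what doubles it.
    static String buggyFormBase(String contextPath, String resourceParam) {
        String resource = resourceParam != null ? resourceParam : contextPath;
        StringBuilder b = new StringBuilder();
        b.append(contextPath);
        int query = resource.indexOf('?');
        if (query > 0) {
            b.append(resource.substring(0, query));
        } else {
            b.append(resource);
        }
        return b.toString();
    }

    // Fixed variant: the resource defaults to "/" (the change proposed in the issue) and,
    // defensively, a resource that already starts with the context path is not prefixed again.
    static String fixedFormBase(String contextPath, String resourceParam) {
        String resource = resourceParam != null ? resourceParam : "/";
        int query = resource.indexOf('?');
        if (query > 0) {
            resource = resource.substring(0, query);
        }
        boolean alreadyPrefixed = !contextPath.isEmpty()
            && (resource.equals(contextPath) || resource.startsWith(contextPath + "/"));
        return alreadyPrefixed ? resource : contextPath + resource;
    }

    public static void main(String[] args) {
        String ctx = "/org.apache.sling.launchpad.testing-war-6-SNAPSHOT";
        // The redirect described in the issue passes the context path as the resource parameter.
        System.out.println(buggyFormBase(ctx, ctx) + "/j_security_check"); // context path twice
        System.out.println(fixedFormBase(ctx, ctx) + "/j_security_check"); // context path once
    }
}
```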

