[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-2126.
--------------------------------------

    Resolution: Fixed

Fixed in Rev. 1142992: Added a new 
AbstractAuthenticationHandler.isRedirectValid method along with a unit test. 
Increased export of o.a.s.auth.core.spi package to 1.0.4 reflecting the 
addition of the method and the new handling in the redirect methods.

> Apply some validation to requested redirects after authentication
> -----------------------------------------------------------------
>
>                 Key: SLING-2126
>                 URL: https://issues.apache.org/jira/browse/SLING-2126
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.6
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.8
>
>
> Currently the DefaultAuthenticationFeedbackHandler.handleRedirect and 
> AbstractAuthenticationHandler.sendRedirect methods do not apply any validity 
> checks on the requested redirect target.
> We should apply some checks to ensure a valid target is accessible within the 
> Sling application. If the target is not valid, the methods would redirect to 
> the servlet context root path -- obeying the contract for redirecting the 
> client but not necessarily to the desired target. In any case an ERROR level 
> message is written to the log indicating why the redirect target is not being 
> honoured.
> This check should be made available to AuthenticationHandler implementations 
> such that they may apply checks to their own redirects.
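The check the description asks for, as an added illustration that is not Sling's own isRedirectValid code (class and method names, the context path "/sling" and the use of java.util.logging in place of Sling's logger are assumptions): a target is honoured only if it is a server-relative path inside the servlet context; anything else is replaced by the context root and logged at ERROR level.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.logging.Logger;

// Hypothetical stand-in for the redirect validation described in SLING-2126.
// Not Sling's code: the names and the exact rules below are assumptions.
public final class RedirectTargetCheck {
    private static final Logger LOG = Logger.getLogger(RedirectTargetCheck.class.getName());

    /**
     * True only if target is a server-relative path at or below the servlet
     * context path (e.g. "/sling"), so the client stays inside this application.
     */
    public static boolean isTargetWithinContext(String target, String contextPath) {
        if (target == null || target.isEmpty()) return false;
        // CR/LF never belong in a Location header value.
        if (target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) return false;
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;              // not even a syntactically valid URI
        }
        // "http://other.example/" and scheme-relative "//other.example/" both
        // carry an authority and would send the client off the application.
        if (uri.isAbsolute() || uri.getAuthority() != null) return false;
        // Collapse dot segments so "/sling/../x" cannot escape the context.
        String path = uri.normalize().getPath();
        if (path == null || !path.startsWith("/")) return false;
        String root = contextPath.isEmpty() ? "/" : contextPath;
        String prefix = root.endsWith("/") ? root : root + "/";
        return path.equals(root) || path.startsWith(prefix);
    }

    /** Target actually sent to the client: the request, or the context root. */
    public static String resolveRedirectTarget(String target, String contextPath) {
        if (isTargetWithinContext(target, contextPath)) return target;
        String fallback = contextPath.isEmpty() ? "/" : contextPath;
        LOG.severe("Redirect target '" + target + "' is not inside servlet context '"
                + fallback + "'; redirecting to " + fallback);
        return fallback;
    }

    public static void main(String[] args) {
        String ctx = "/sling";                     // constructed sample context path
        String[] samples = { "/sling/content/welcome.html", "http://other.example/",
                "//other.example/x", "/sling/../other", "/slingx/y", "/sling/ok?x=1\r\nX: y" };
        for (String s : samples) System.out.println(s.trim() + " -> " + resolveRedirectTarget(s, ctx));
    }
}
```

Only the first sample is sent unchanged; each of the others is replaced by "/sling" with an ERROR-level log line explaining why.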

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira