[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13153151#comment-13153151 ]

Felix Meschberger commented on SLING-2126:
------------------------------------------

A new AuthUtil class has been added for SLING-2287 in Rev. 1202125

Moved the unit tests to test the new AuthUtil class and adapted users of 
the moved methods in Rev. 1203865.

> Apply some validation to requested redirects after authentication
> -----------------------------------------------------------------
>
>                 Key: SLING-2126
>                 URL: https://issues.apache.org/jira/browse/SLING-2126
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.6
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.8
>
>
> Currently the DefaultAuthenticationFeedbackHandler.handleRedirect and 
> AbstractAuthenticationHandler.sendRedirect methods do not apply any validity 
> checks on the requested redirect target.
> We should apply some checks to ensure a valid target is accessible within the 
> Sling application. If the target is not valid, the methods would redirect to 
> the servlet context root path -- obeying the contract for redirecting the 
> client but not necessarily to the desired target. In any case an ERROR level 
> message is written to the log indicating why the redirect target is not being 
> honoured.
> This check should be made available to AuthenticationHandler implementations 
> such that they may apply checks to their own redirects.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
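The quoted description asks for a redirect-target check that accepts only targets inside the Sling application, falls back to the servlet context root otherwise, and writes an ERROR-level log entry explaining the refusal. The class below is an added example written to illustrate that contract; it is not Sling's AuthUtil and its method names, the java.util.logging logger (SEVERE standing in for ERROR) and the `/sling` context path with its list of sample targets are all assumptions constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (hypothetical; not Sling's AuthUtil): validate a post-login
 * redirect target before it is handed to sendRedirect. Only a path inside
 * this servlet context is honoured; anything else falls back to the context
 * root and is logged at ERROR (SEVERE) level, as the issue proposes.
 */
public final class RedirectTargetCheck {

    private static final Logger LOG = Logger.getLogger(RedirectTargetCheck.class.getName());

    private RedirectTargetCheck() {
    }

    /** Returns true if target is a context-local path without unsafe forms. */
    public static boolean isRedirectValid(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // CR, LF and other control characters would let a Location header carry extra headers
        for (int i = 0; i < target.length(); i++) {
            if (target.charAt(i) < 0x20 || target.charAt(i) == 0x7f) {
                return false;
            }
        }
        // Browsers treat "//host" and "/\host" as absolute even though they start with "/"
        if (target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        // Rejects both relative paths and absolute URLs such as "http://..."
        if (!target.startsWith("/")) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // getPath() is decoded, so "%2e%2e" is caught the same way as ".."
        String path = uri.getPath();
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        // Accept the context root itself ("/ctx") or anything below it ("/ctx/...");
        // the root context has an empty contextPath, so every "/..." path qualifies
        String root = contextPath == null ? "" : contextPath;
        return (!root.isEmpty() && path.equals(root)) || path.startsWith(root + "/");
    }

    /**
     * The location actually sent to the client: the requested target if it is
     * valid, otherwise the servlet context root, with an ERROR-level log entry
     * saying why the requested target was not honoured.
     */
    public static String redirectLocation(String contextPath, String target) {
        if (isRedirectValid(contextPath, target)) {
            return target;
        }
        String root = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath + "/";
        LOG.log(Level.SEVERE,
                "Requested redirect target {0} is not a valid path inside context {1}; redirecting to {2}",
                new Object[] { target, root, root });
        return root;
    }

    public static void main(String[] args) {
        String contextPath = "/sling"; // constructed: application deployed under /sling
        List<String> targets = Arrays.asList(      // constructed sample targets
                "/sling/content/welcome.html",      // valid
                "/sling",                           // valid: the context root itself
                "/sling/../other",                  // dot segment
                "/sling/%2e%2e/other",              // encoded dot segment
                "//other.example/",                 // protocol-relative
                "/\\other.example/",                // backslash variant
                "http://other.example/",            // absolute URL
                "/other/app",                       // different context
                "/sling/x\r\nX-Injected: 1",        // control characters
                "");                                // empty
        for (String t : targets) {
            String shown = t.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + redirectLocation(contextPath, t));
        }
    }
}
```

The check is deliberately a whitelist on the decoded path rather than a blacklist of known bad prefixes: a target is honoured only when it parses as a bare path, contains no dot segments, and sits at or under the context path, so encoded traversal and scheme-less host forms are refused without having to enumerate them.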
