Konrad Windszus created SLING-13025:
---------------------------------------
Summary: Default(Jakarta)AuthenticationFeedbackHandler should
evaluate resource parameter as fallback for the redirect
Key: SLING-13025
URL: https://issues.apache.org/jira/browse/SLING-13025
Project: Sling
Issue Type: Improvement
Reporter: Konrad Windszus
As outlined in
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html#phase-1-form-submission
{quote}
The resource and sling.auth.redirect parameters provide similar functionality
but with differing historical backgrounds. The resource parameter is based on
the resource request attribute which is set by the login servlet to indicate
the original target resource the client desired when it was forced to
authenticate. The sling.auth.redirect parameter can be used by clients
(applications like cURL or plain HTML forms) to request being redirected after
successful login. If both parameters are set, the sling.auth.redirect parameter
takes precedence.
{quote}
However, the
[DefaultJakartaAuthenticationFeedbackHandler|https://github.com/apache/sling-org-apache-sling-auth-core/blob/b8409ee840277cfaeb1f58c8648259b811f7789e/src/main/java/org/apache/sling/auth/core/spi/DefaultJakartaAuthenticationFeedbackHandler.java#L32C14-L32C57]
and
https://github.com/apache/sling-org-apache-sling-auth-core/blob/b8409ee840277cfaeb1f58c8648259b811f7789e/src/main/java/org/apache/sling/auth/core/spi/DefaultAuthenticationFeedbackHandler.java#L33
only evaluate `sling.auth.redirect`.
In order to reduce the number of parameters necessary, it would be good to issue
a redirect considering {{resource}} in case {{sling.auth.redirect}} is not set
(as in most cases it is the desired behaviour to redirect to the resource which
originally triggered the login).
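The requested fallback, sketched as an added example (not code from the issue or from sling-org-apache-sling-auth-core). Since {{resource}} is client-supplied just like {{sling.auth.redirect}}, the sketch passes whichever value is chosen through the same local-path check. The class, the method names, the check itself and the treatment of an empty value as "not set" are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectTargetExample {

    static final String REDIRECT_PARAM = "sling.auth.redirect";
    static final String RESOURCE_PARAM = "resource";

    /** Returns the post-login redirect target, or null if none is usable. */
    static String resolveRedirect(Map<String, String> params) {
        // sling.auth.redirect takes precedence; resource is only consulted
        // when it is not set (assumption: an empty value counts as not set).
        String target = params.get(REDIRECT_PARAM);
        if (target == null || target.isEmpty()) {
            target = params.get(RESOURCE_PARAM);
        }
        // A set-but-rejected sling.auth.redirect does NOT fall back to resource.
        return isLocalPath(target) ? target : null;
    }

    /** Hypothetical check (not Sling's own): accept only absolute paths on this host. */
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return false; // relative, absolute-URL or protocol-relative target
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            // Backslashes and control characters may be reinterpreted by clients.
            if (c == '\\' || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample parameter sets, not captured requests.
        Map<String, Map<String, String>> samples = new LinkedHashMap<>();
        samples.put("both set", Map.of(REDIRECT_PARAM, "/content/home.html",
                RESOURCE_PARAM, "/content/other.html"));
        samples.put("resource only", Map.of(RESOURCE_PARAM, "/content/page.html"));
        samples.put("empty redirect", Map.of(REDIRECT_PARAM, "",
                RESOURCE_PARAM, "/content/page.html"));
        samples.put("off-site resource", Map.of(RESOURCE_PARAM, "//other.example/login"));
        samples.put("neither", Map.of());
        samples.forEach((name, params) ->
                System.out.println(name + " -> " + resolveRedirect(params)));
    }
}
```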