AuthUtil.isRedirectValid and AuthUtil.sendRedirect are asymmetric causing
sendRedirect to fail for non-root contexts
--------------------------------------------------------------------------------------------------------------------
Key: SLING-2392
URL: https://issues.apache.org/jira/browse/SLING-2392
Project: Sling
Issue Type: Bug
Components: Authentication
Affects Versions: Auth Core 1.0.6
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Auth Core 1.1.0

The AuthUtil.isRedirectValid method is built to validate the target path such
that the request's context path is expected to be part of the target path. The
AuthUtil.sendRedirect method, on the other hand, is built to not expect the
servlet context path.

This causes redirect failures if the Sling application is deployed in a
non-root servlet context: If a path is supplied without a servlet context path,
the validation check fails and the redirect goes to the duplicated context
path. If a path is supplied with a servlet context path, validation succeeds,
but the redirect goes to a path prefixed with a duplicate context path, too.

In essence, isRedirectValid and sendRedirect should be symmetric in that
they both require the target path to be prefixed with the servlet context path.

The old AbstractAuthenticationHandler.sendRedirect method cannot be changed in
this way and so continues to accept the target path without the servlet context
path. But before calling the new AuthUtil.sendRedirect method, the servlet
context path is prefixed to the target path to comply with the new spec of the
AuthUtil.sendRedirect method.
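The contract described in this issue, modelled as an added example that is not Sling's own code: the same string is validated and then sent, next to the asymmetric behaviour that duplicates the context path. The class and method names, the validation rules, the fallback to the context root when validation fails, and the `/sling` context path are assumptions made for illustration.

```java
public class RedirectSymmetryDemo {

    // Assumed validation rule: a local absolute path that starts with the
    // servlet context path and carries no scheme or authority part.
    static boolean isRedirectValid(String ctx, String target) {
        if (target == null || !target.startsWith("/")) return false;
        if (target.startsWith("//") || target.contains("://")) return false;
        return ctx.isEmpty() || target.equals(ctx) || target.startsWith(ctx + "/");
    }

    // Asymmetric behaviour from the report: validation expects the context
    // path in the target, but the send step prepends it once more.
    static String asymmetricLocation(String ctx, String target) {
        String checked = isRedirectValid(ctx, target) ? target : ctx + "/";
        return ctx + checked;
    }

    // Symmetric contract: the validated string is exactly the one sent, so
    // nothing is added to the Location value after the check.
    static String symmetricLocation(String ctx, String target) {
        return isRedirectValid(ctx, target) ? target : ctx + "/";
    }

    // Legacy entry point: still takes a target without the context path and
    // prefixes it before delegating to the symmetric method.
    static String legacyLocation(String ctx, String target) {
        return symmetricLocation(ctx, ctx + target);
    }

    public static void main(String[] args) {
        String ctx = "/sling"; // constructed non-root context path
        String[] targets = {   // constructed sample targets
            "/content/page.html",        // context path missing
            "/sling/content/page.html",  // context path present
            "//other.example/x"          // scheme-relative, must be rejected
        };
        for (String t : targets) {
            System.out.printf("%-26s asymmetric=%-30s symmetric=%s%n",
                    t, asymmetricLocation(ctx, t), symmetricLocation(ctx, t));
        }
        System.out.println("legacy /content/page.html -> "
                + legacyLocation(ctx, "/content/page.html"));
    }
}
```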