[
https://issues.apache.org/jira/browse/SLING-2392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13196136#comment-13196136
]
Felix Meschberger commented on SLING-2392:
------------------------------------------
Cleanup in Rev. 1237673:
* AuthUtil.sendRedirect is now spec-ed and implemented to require the target path
  to be prefixed with the servlet context path
* AuthUtil.isRedirectValid JavaDoc is clarified to require the context path prefix
  on the target
* AbstractAuthenticationHandler.sendRedirect prefixes the target (defined to not
  be prefixed with the context path) with the context path before calling
  AuthUtil.sendRedirect
* AbstractAuthenticationHandler.isRedirectValid JavaDoc is removed linking
  directly to AuthUtil.isRedirectValid. This method has actually only been added
  after the last release but to not break users using SNAPSHOT versions since the
  last release, I decided to keep that method just forwarding to the now official
  method.
* Removed needless @since tags (this whole class has been added after the
  previous release)
> AuthUtil.isRedirectValid and AuthUtil.sendRedirect are asymmetric causing
> sendRedirect to fail for non-root contexts
> --------------------------------------------------------------------------------------------------------------------
>
> Key: SLING-2392
> URL: https://issues.apache.org/jira/browse/SLING-2392
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.0.6
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Auth Core 1.1.0
>
>
> The AuthUtil.isRedirectValid is built to validate the target path such that
> the request's context path is expected to be part of the target path. The
> AuthUtil.sendRedirect method on the other hand is built to not expect servlet
> context path.
> This causes redirect failures if the Sling application is deployed in a
> non-root servlet context: If a path is supplied without a servlet context
> path, validation check fails and the redirect goes to the duplicated context
> path. If a path is supplied with a servlet context path, validation succeeds,
> but redirect goes to a path prefixed with duplicate context path, too.
> In essence, the isRedirectValid and sendRedirect should be symmetric in that
> they both require the target path to be prefixed with the servlet context
> path.
> The old AbstractAuthenticationHandler.sendRedirect method cannot be thus
> changed and so remains accepting the target path without the servlet context
> path. But before calling the new AuthUtil.sendRedirect method, the servlet
> context path is prefixed to the target path to comply with the new spec of
> the AuthUtil.sendRedirect method.
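
The asymmetry described in the issue and the symmetric contract from the cleanup, modelled as an added example (not Sling's code and not part of the JIRA message). The class and method names, the simplified validity rule, the fallback to the context root for an invalid target, and the `/sling` context path are all assumptions made for illustration.

```java
// Added illustration; class and method names are hypothetical, not Sling's API.
public class RedirectContractDemo {

    // Simplified validity check: the target must be a local path that already
    // carries the servlet context path (the contract described in the issue).
    static boolean isRedirectValid(String contextPath, String target) {
        if (target == null || target.isEmpty()) return false;
        if (target.contains("://") || target.startsWith("//")) return false; // not a local path
        if (contextPath.isEmpty()) return target.startsWith("/");            // root context
        return target.equals(contextPath) || target.startsWith(contextPath + "/");
    }

    // "Before": validation expects the prefix, but the redirect adds it again.
    // Assumption: an invalid target falls back to the context root.
    static String asymmetricLocation(String contextPath, String target) {
        if (!isRedirectValid(contextPath, target)) target = contextPath + "/";
        return contextPath + target;
    }

    // "After": both steps expect the prefixed target, so nothing is added.
    static String symmetricLocation(String contextPath, String target) {
        return isRedirectValid(contextPath, target) ? target : contextPath + "/";
    }

    // Legacy entry point: accepts an unprefixed target and prefixes it once
    // before delegating, as the comment describes for the old method.
    static String legacyLocation(String contextPath, String target) {
        return symmetricLocation(contextPath, contextPath + target);
    }

    public static void main(String[] args) {
        String ctx = "/sling"; // constructed non-root context path
        String[] targets = { "/content/home.html", "/sling/content/home.html" };
        for (String t : targets) {
            System.out.println(t);
            System.out.println("  asymmetric: " + asymmetricLocation(ctx, t));
            System.out.println("  symmetric:  " + symmetricLocation(ctx, t));
        }
        System.out.println("legacy: " + legacyLocation(ctx, "/content/home.html"));
    }
}
```

With a root context (empty context path) the asymmetric and symmetric variants return the same location, which is why the defect only shows up in non-root deployments.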