Posted to dev@sling.apache.org by "Justin Edelson (JIRA)" <ji...@apache.org> on 2011/01/20 04:19:43 UTC

[jira] Created: (SLING-1940) selector form submits to the wrong path when used in a non-root servlet context

selector form submits to the wrong path when used in a non-root servlet context
-------------------------------------------------------------------------------

                 Key: SLING-1940
                 URL: https://issues.apache.org/jira/browse/SLING-1940
             Project: Sling
          Issue Type: Bug
          Components: Authentication
            Reporter: Justin Edelson
            Assignee: Justin Edelson


If you run Sling on a non-root servlet context and go to the login page (e.g. http://localhost:8080/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/system/sling/login.html), the login servlet redirects to a login form with a query parameter called resource set to the servlet context path (e.g. http://localhost:8080/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/system/sling/selector/login?resource=%2Forg.apache.sling.launchpad.testing-war-6-SNAPSHOT).

When the form is created, the HTML form submission path (i.e. the form action) contains the servlet context path *twice*, e.g.

action="/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/org.apache.sling.launchpad.testing-war-6-SNAPSHOT/j_security_check"

The reason for this is that org.apache.sling.auth.core.spi.AbstractAuthenticationFormServlet.getContextPath() concatenates the servlet context path and the resource query param:

        StringBuilder b = new StringBuilder();
        b.append(request.getContextPath());
        String resource = getResource(request);
        int query = resource.indexOf('?');
        if (query > 0) {
            b.append(resource.substring(0, query));
        } else {
            b.append(resource);
        }

Obviously, we should only add the servlet context path once, either in the resource query param OR AbstractAuthenticationFormServlet.getContextPath().

My inclination is to do the former, i.e. the default value of the resource query param is "/", not the servlet context path.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (SLING-1940) selector form submits to the wrong path when used in a non-root servlet context

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12984209#action_12984209 ] 

Carsten Ziegeler commented on SLING-1940:
-----------------------------------------

I think the resource path should already contain the context path and then be used as is. This would allow redirecting to any path - not even within the same webapp.



[jira] Closed: (SLING-1940) selector form submits to the wrong path when used in a non-root servlet context

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler closed SLING-1940.
-----------------------------------




[jira] Resolved: (SLING-1940) selector form submits to the wrong path when used in a non-root servlet context

Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Edelson resolved SLING-1940.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: Auth Core 1.0.6

After some consideration, I changed my mind and now agree with Carsten that we should treat the resource query param as an absolute path. Thus, in r1062243, I changed AbstractAuthenticationFormServlet to not include the servlet context path in the requestContextPath substitution variable.

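The double prefix from the report and the two ways discussed in the thread of adding the servlet context path only once, as an added Java example (not Sling code and not written by any participant in the thread). The class name, method names and the slash handling in formAction are assumptions made for illustration; the context path is the one quoted in the report.

```java
// Added illustration, not Sling source. All names here are hypothetical.
public class FormActionDemo {

    // Drop a query string from the resource value, as the snippet in the report does.
    static String stripQuery(String resource) {
        int query = resource.indexOf('?');
        return query > 0 ? resource.substring(0, query) : resource;
    }

    // Reported behaviour: the context path is always prepended to the resource.
    static String prefixed(String contextPath, String resource) {
        return contextPath + stripQuery(resource);
    }

    // Resolution in the thread: the resource is an absolute path and is used as is.
    static String absolute(String resource) {
        return stripQuery(resource);
    }

    // Assumed joining rule: exactly one slash before j_security_check.
    static String formAction(String prefix) {
        String p = prefix.endsWith("/") ? prefix.substring(0, prefix.length() - 1) : prefix;
        return p + "/j_security_check";
    }

    static void expect(String actual, String expected) {
        if (!actual.equals(expected)) {
            throw new AssertionError(actual + " != " + expected);
        }
        System.out.println(actual);
    }

    public static void main(String[] args) {
        String ctx = "/org.apache.sling.launchpad.testing-war-6-SNAPSHOT";
        String good = ctx + "/j_security_check";

        // Bug: resource already holds the context path and it is prepended again.
        expect(formAction(prefixed(ctx, ctx)), ctx + good);
        // Option 1 from the report: resource defaults to "/", prefix is still added.
        expect(formAction(prefixed(ctx, "/")), good);
        // Option 2, the one adopted: resource carries the context path, no prefix.
        expect(formAction(absolute(ctx)), good);
        // Constructed value with a query string: only the path part is kept.
        expect(formAction(absolute(ctx + "?x=1")), good);
        // Root context: both options give the same action.
        expect(formAction(prefixed("", "/")), "/j_security_check");
        expect(formAction(absolute("/")), "/j_security_check");
    }
}
```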