You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2021/11/02 15:44:00 UTC

[jira] [Updated] (KNOX-2655) Disallow Userinfo in KnoxSSO originalURL Query Param

     [ https://issues.apache.org/jira/browse/KNOX-2655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay updated KNOX-2655:
------------------------------
    Fix Version/s:     (was: 2.0.0)
                   1.6.0

> Disallow Userinfo in KnoxSSO originalURL Query Param
> ----------------------------------------------------
>
>                 Key: KNOX-2655
>                 URL: https://issues.apache.org/jira/browse/KNOX-2655
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxSSO
>            Reporter: Larry McCay
>            Priority: Major
>             Fix For: 1.6.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> There is no valid reason that I can think of to allow userinfo in a URL for an application/UI that is participating in KnoxSSO. The userinfo is used to login to hosts/pages that are protected by HTTP Basic. This is contradictory to the use of KnoxSSO to begin with and complicates the regex pattern required to indicate those URLs that are allowed for redirect and/or dispatch.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)