Posted to dev@sling.apache.org by "Felix Meschberger (Reopened) (JIRA)" <ji...@apache.org> on 2011/11/08 09:14:51 UTC

[jira] [Reopened] (SLING-2126) Apply some validation to requested redirects after authentication

     [ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reopened SLING-2126:
--------------------------------------


This solution is problematic and violates common agreements of the Semantic Versioning Whitepaper.

So I will revert it and introduce a new utility class in the org.apache.sling.auth.core package. This package is exported to expose a service provided by the auth core bundle and thus other bundles will always only be clients to this package.

Details: An exported API package's version should be increased on the minor level if new API is added, regardless of the kind of API. Micro version increase is only intended for bug fixes (like fixing bugs in code of exported classes). Hence adding new API is extremely problematic.
                
> Apply some validation to requested redirects after authentication
> -----------------------------------------------------------------
>
>                 Key: SLING-2126
>                 URL: https://issues.apache.org/jira/browse/SLING-2126
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.6
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.8
>
>
> Currently the DefaultAuthenticationFeedbackHandler.handleRedirect and AbstractAuthenticationHandler.sendRedirect methods do not apply any validity checks on the requested redirect target.
> We should apply some checks to ensure a valid target is accessible within the Sling application. If the target is not valid, the methods would redirect to the servlet context root path -- obeying the contract for redirecting the client but not necessarily to the desired target. In any case an ERROR level message is written to the log indicating why the redirect target is not being honoured.
> This check should be made available to AuthenticationHandler implementations such that they may apply checks to their own redirects.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
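Worked example, added here and not part of the original thread or the Sling auth core code: a dependency-free Java check of the kind the issue describes, accepting only redirect targets that are absolute paths inside the servlet context and otherwise logging the reason and falling back to the context root. The class and method names, and the use of java.net.URI, are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.logging.Logger;
// Redirect target check in the spirit of SLING-2126. Example written for this page,
// not the Sling auth core utility; method names and java.net.URI use are assumptions.
// Sling logs via SLF4J at ERROR; java.util.logging SEVERE keeps this dependency-free.
public final class RedirectTargetCheck {
    private static final Logger LOG = Logger.getLogger(RedirectTargetCheck.class.getName());
    // Returns target if it is an absolute path inside the servlet context; otherwise
    // logs why it was rejected and returns the context root ("/" for the root context).
    public static String validateRedirectTarget(String target, String contextPath) {
        String root = contextPath.isEmpty() ? "/" : contextPath;
        String reason = (target == null || target.trim().isEmpty())
                ? "is empty" : rejectionReason(target, contextPath);
        if (reason == null) {
            return target;
        }
        LOG.severe("Redirect target '" + target + "' " + reason + "; redirecting to " + root);
        return root;
    }
    // Null when the target is acceptable, otherwise a short rejection reason.
    private static String rejectionReason(String target, String contextPath) {
        if (target.startsWith("//")) {
            // Browsers read //host/... as a network-path reference even where
            // java.net.URI would treat extra leading slashes as part of the path.
            return "is a network-path reference";
        }
        try {
            URI uri = new URI(target);
            if (uri.isAbsolute() || uri.getAuthority() != null) {
                return "has a scheme or host";            // http://..., javascript:...
            }
            String path = uri.normalize().getRawPath();
            if (path == null || !path.startsWith("/")) {
                return "is not an absolute path";         // relative to the current URL
            }
            if (path.contains("..")) {
                return "has unresolved parent segments";  // e.g. /ctx/../../etc
            }
            if (!contextPath.isEmpty() && !path.equals(contextPath)
                    && !path.startsWith(contextPath + "/")) {
                return "is outside the servlet context";
            }
            return null;
        } catch (URISyntaxException e) {
            return "is not a valid URI (" + e.getReason() + ")"; // spaces, CR/LF, backslash
        }
    }
}
```

With context path `/sling`, `validateRedirectTarget("/sling/content/start.html", "/sling")` returns the target unchanged, while `http://evil.example/`, `//evil.example/`, `/sling/../../etc`, `content/start.html` and `/other/app` each produce a SEVERE log entry and yield `/sling`.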