Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2011/07/05 11:43:22 UTC
[jira] [Created] (SLING-2126) Apply some validation to requested redirects after authentication
Apply some validation to requested redirects after authentication
-----------------------------------------------------------------
Key: SLING-2126
URL: https://issues.apache.org/jira/browse/SLING-2126
Project: Sling
Issue Type: Improvement
Components: Authentication
Affects Versions: Auth Core 1.0.6
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Auth Core 1.0.8
Currently the DefaultAuthenticationFeedbackHandler.handleRedirect and AbstractAuthenticationHandler.sendRedirect methods do not apply any validity checks on the requested redirect target.
We should apply some checks to ensure a valid target is accessible within the Sling application. If the target is not valid, the methods would redirect to the servlet context root path -- obeying the contract for redirecting the client but not necessarily to the desired target. In any case an ERROR level message is written to the log indicating why the redirect target is not being honoured.
This check should be made available to AuthenticationHandler implementations such that they may apply checks to their own redirects.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
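The kind of check the issue asks for, as an added illustration that is not Sling's own AbstractAuthenticationHandler or AuthUtil code: a target is honoured only when it is a well-formed, server-local, absolute path that stays inside the servlet context after normalization; anything else is logged at ERROR level (java.util.logging SEVERE stands in for Sling's slf4j error here) and replaced by the context root. The class name, method names and the sample targets are constructed for this example; it works on plain strings so an AuthenticationHandler would pass in request.getContextPath() and the requested target itself.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.logging.Logger;

/**
 * Illustrative redirect-target validation of the kind SLING-2126 asks for.
 * Added example, not Sling's AbstractAuthenticationHandler / AuthUtil code.
 * Works on plain strings, so it needs no servlet API; a handler would pass
 * request.getContextPath() and the requested redirect target in.
 */
public final class RedirectTargetCheck {

    private static final Logger LOG = Logger.getLogger(RedirectTargetCheck.class.getName());

    private RedirectTargetCheck() {
    }

    /**
     * Returns null when the target may be used as a redirect location,
     * otherwise a human readable reason for rejecting it.
     */
    public static String rejectionReason(String target, String contextPath) {
        if (target == null || target.trim().isEmpty()) {
            return "target is empty";
        }
        // CR/LF or other control characters must never reach a Location header
        for (char c : target.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                return "target contains control characters";
            }
        }
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            // also covers backslashes, which some browsers treat as slashes
            return "target is not a well-formed URI: " + e.getMessage();
        }
        // "http://other.host/..." carries a scheme, "//other.host/..." an
        // authority: both would send the client away from this server
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return "target is not a server-local path";
        }
        String path = uri.normalize().getPath();
        if (path == null || !path.startsWith("/")) {
            return "target is not an absolute path";
        }
        // normalize() folds literal "." and ".." segments; any that remain
        // came from percent-encoded dots (%2e) and are rejected explicitly
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return "target contains dot segments after normalization";
            }
        }
        // must stay inside the servlet context (contextPath is "" for root)
        if (!contextPath.isEmpty()
                && !path.equals(contextPath)
                && !path.startsWith(contextPath + "/")) {
            return "target is outside the servlet context " + contextPath;
        }
        return null;
    }

    /** Logs at ERROR (SEVERE) level and returns false when the target is rejected. */
    public static boolean isRedirectValid(String target, String contextPath) {
        String reason = rejectionReason(target, contextPath);
        if (reason != null) {
            LOG.severe("Not redirecting to '" + target + "': " + reason);
            return false;
        }
        return true;
    }

    /** Honours a valid target, otherwise falls back to the servlet context root. */
    public static String effectiveRedirectTarget(String target, String contextPath) {
        return isRedirectValid(target, contextPath) ? target : contextPath + "/";
    }

    public static void main(String[] args) {
        String contextPath = "/sling";        // constructed sample context path
        String[] samples = {                  // constructed sample targets
            "/sling/content/home.html",
            "/sling/content/../../etc/secret",
            "/sling/%2e%2e/etc",
            "//other.example/page",
            "http://other.example/",
            "/sling/x\r\nX-Injected: 1",
            "",
        };
        for (String s : samples) {
            System.out.println(s.replace("\r\n", "\\r\\n") + " -> "
                    + effectiveRedirectTarget(s, contextPath));
        }
    }
}
```

Only the first sample is honoured; each of the others produces one SEVERE log line naming the reason and a redirect to /sling/. The dot-segment pass after normalize() is the detail worth keeping: java.net.URI leaves percent-encoded dots untouched, so without it an encoded "/sling/%2e%2e/etc" would pass the context-path prefix check.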
[jira] [Resolved] (SLING-2126) Apply some validation to requested redirects after authentication
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-2126.
--------------------------------------
Resolution: Fixed
Fixed in Rev. 1142992: Added a new AbstractAuthenticationHandler.isRedirectValid method along with a unit test. Increased export of o.a.s.auth.core.spi package to 1.0.4 reflecting the addition of the method and the new handling in the redirect methods.
[jira] [Resolved] (SLING-2126) Apply some validation to requested redirects after authentication
Posted by "Felix Meschberger (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-2126.
--------------------------------------
Resolution: Fixed
This can be resolved again.
[jira] [Reopened] (SLING-2126) Apply some validation to requested redirects after authentication
Posted by "Felix Meschberger (Reopened) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger reopened SLING-2126:
--------------------------------------
This solution is problematic and violates common agreements of the Semantic Versioning Whitepaper.
So I will revert it and introduce a new utility class in the org.apache.sling.auth.core package. This package is exported to expose a service provided by the auth core bundle and thus other bundles will always only be clients to this package.
Details: An exported API package's version should be increased on the minor level if new API is added, regardless of the kind of API. Micro version increase is only intended for bug fixes (like fixing bugs in code of exported classes). Hence adding new API is extremely problematic.
[jira] [Commented] (SLING-2126) Apply some validation to requested redirects after authentication
Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13153151#comment-13153151 ]
Felix Meschberger commented on SLING-2126:
------------------------------------------
A new AuthUtil class has been added for SLING-2287 in Rev. 1202125
Moved the unit tests to test the new AuthUtil class and adapted users of the moved methods in Rev. 1203865.