Posted to commits@sling.apache.org by fm...@apache.org on 2011/11/15 12:02:00 UTC
svn commit: r1202125 -
/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
Author: fmeschbe
Date: Tue Nov 15 11:01:59 2011
New Revision: 1202125
URL: http://svn.apache.org/viewvc?rev=1202125&view=rev
Log:
SLING-2287 Check the redirect target for the redirect after logging out. Also ensure the target is prefixed with the context path
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1202125&r1=1202124&r2=1202125&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Tue Nov 15 11:01:59 2011
@@ -48,6 +48,7 @@ import org.apache.sling.api.auth.NoAuthe
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
+import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.AuthenticationSupport;
import org.apache.sling.auth.core.impl.engine.EngineAuthenticationHandlerHolder;
import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
@@ -1303,20 +1304,21 @@ public class SlingAuthenticator implemen
// nothing more to do if the response has already been committed
if (response.isCommitted()) {
+ log.debug("redirectAfterLogout: Response has already been committed, not redirecting");
return;
}
// find the redirect target from the resource attribute or parameter
- // falling back to the request context path (or /) if not set
- String target = AbstractAuthenticationHandler.getLoginResource(request,
- request.getContextPath());
- if (target.length() == 0) {
+ // falling back to the request context path (or /) if not set or invalid
+ String target = AbstractAuthenticationHandler.getLoginResource(request, request.getContextPath());
+ if (!AuthUtil.isRedirectValid(request, target)) {
+ log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", target);
target = "/";
}
// redirect to there
try {
- response.sendRedirect(target);
+ response.sendRedirect(request.getContextPath() + target);
} catch (IOException e) {
log.error("Failed to redirect to the page: " + target, e);
}
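Review bot: The default handed to getLoginResource on the new line `String target = AbstractAuthenticationHandler.getLoginResource(request, request.getContextPath());` is the context path itself, yet the resulting value is prefixed with the context path again in `response.sendRedirect(request.getContextPath() + target);`, so with a non-empty context path and no explicit target the redirect location would be the context path doubled unless AuthUtil.isRedirectValid rejects (or strips) targets that already start with it — worth confirming against AuthUtil before relying on it. Passing `"/"` as the default, `String target = AbstractAuthenticationHandler.getLoginResource(request, "/");`, would keep the default consistent with the `target = "/";` fallback that the validity check already uses. The unchanged `log.error("Failed to redirect to the page: " + target, e);` still reports the bare target although the location actually sent is now the prefixed one; logging `request.getContextPath() + target` there would match what was attempted. The comment above the lookup should then read `// falling back to / (relative to the context path) if not set or invalid`. The enclosing redirectAfterLogout method starts before the hunk.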