Posted to commits@sling.apache.org by fm...@apache.org on 2011/11/15 12:02:00 UTC

svn commit: r1202125 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Author: fmeschbe
Date: Tue Nov 15 11:01:59 2011
New Revision: 1202125

URL: http://svn.apache.org/viewvc?rev=1202125&view=rev
Log:
SLING-2287 Validate the redirect target used for the redirect after logging out, and ensure the target is prefixed with the context path.

Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1202125&r1=1202124&r2=1202125&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Tue Nov 15 11:01:59 2011
@@ -48,6 +48,7 @@ import org.apache.sling.api.auth.NoAuthe
 import org.apache.sling.api.resource.LoginException;
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.resource.ResourceResolverFactory;
+import org.apache.sling.auth.core.AuthUtil;
 import org.apache.sling.auth.core.AuthenticationSupport;
 import org.apache.sling.auth.core.impl.engine.EngineAuthenticationHandlerHolder;
 import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
@@ -1303,20 +1304,21 @@ public class SlingAuthenticator implemen
 
         // nothing more to do if the response has already been committed
         if (response.isCommitted()) {
+            log.debug("redirectAfterLogout: Response has already been committed, not redirecting");
             return;
         }
 
         // find the redirect target from the resource attribute or parameter
-        // falling back to the request context path (or /) if not set
-        String target = AbstractAuthenticationHandler.getLoginResource(request,
-            request.getContextPath());
-        if (target.length() == 0) {
+        // falling back to the request context path (or /) if not set or invalid
+        String target = AbstractAuthenticationHandler.getLoginResource(request, request.getContextPath());
+        if (!AuthUtil.isRedirectValid(request, target)) {
+            log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", target);
             target = "/";
         }
 
         // redirect to there
         try {
-            response.sendRedirect(target);
+            response.sendRedirect(request.getContextPath() + target);
         } catch (IOException e) {
             log.error("Failed to redirect to the page: " + target, e);
         }
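Review bot: The default handed to getLoginResource on line 44 is still `request.getContextPath()`, but the new sendRedirect call on line 53 prepends the context path a second time, so on a deployment under a non-root context with no resource attribute or parameter set the Location would be the context path twice (e.g. `/ctx/ctx`) — provided AuthUtil.isRedirectValid accepts a target equal to the context path, which this hunk does not show. The simplest fix is to make the default match the new prefixing: `String target = AbstractAuthenticationHandler.getLoginResource(request, "/");`. That also keeps the fallback on line 47 consistent, but if isRedirectValid requires targets to begin with the context path then `"/"` itself would be rejected on every non-root deployment and the warn on line 46 would fire spuriously, so the validator's contract should be confirmed before choosing the default. The warn on line 46 also logs the request-supplied target verbatim; if log lines must be tamper-resistant, consider sanitising or length-limiting it before logging. The enclosing method (named redirectAfterLogout in its log messages) begins before this hunk.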