Details
- Type: Bug
- Status: Closed
- Priority: Normal
- Resolution: Cannot Reproduce
- Version: 3.2.0
Description
In 7.9 it was possible to set a request attribute with a UserCredentials object in order to bypass the login screen:

    req.setAttribute(UserCredentials.class.getName(), userState.getCredentials());

This is typically done in an SSO setup, and setting this attribute in a filter before the HST filter would allow the user to access the CMS without showing the login page.
The following method of class org.hippoecm.frontend.session.PluginUserSession has a comment which suggests using it as I just described:

    /**
     * {@link #login()} method invokes this method if there's any <code>UserCredentials</code> object from the request.
     * For example, Web SSO Agent can set a UserCredentials for the user as request attribute.
     */
    protected UserCredentials getUserCredentialsFromRequestAttribute() {
        HttpServletRequest request = ((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest());
        return (UserCredentials) request.getAttribute(UserCredentials.class.getName());
    }
    ...
Now, in the Hippo 10 version, this mechanism doesn't work anymore. Reproduction path (I extracted this reproduction path from an SSO project I'm working on, so it might be that it does not reproduce the problem):
- create an archetype project
- add a filter before the HST filter which creates dummy credentials:

    import java.io.IOException;

    import javax.jcr.SimpleCredentials;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;

    import org.hippoecm.frontend.session.UserCredentials;

    public class SSOLoginFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Dummy credentials standing in for what a real SSO agent would establish.
            SimpleCredentials creds = new SimpleCredentials("editor", "DUMMY".toCharArray());
            // PluginUserSession.getUserCredentialsFromRequestAttribute() casts this attribute to
            // UserCredentials, so wrap the JCR credentials in one (constructor taking a
            // javax.jcr.Credentials is assumed here).
            request.setAttribute(UserCredentials.class.getName(), new UserCredentials(creds));
            // Continue the chain so the request actually reaches the CMS.
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
        }
    }

- when hitting /cms, the login screen appears instead of the CMS dashboard
Issue Links
- is a result of: CMS-8390 [7.10] Attempting to log in with the correct credentials but with insufficient permissions for the application causes a stracktrace (Closed)