Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- None
- None
- Platform sprint 125
Description
When the HstFilter in the web.xml is

    <filter-mapping>
      <filter-name>HstFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

instead of the usual

    <filter-mapping>
      <filter-name>HstFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

then, in case of a JAAS login behind a proxy, the login fails and ends with a URL /site/login/resource.

The reason is that the internal container security constraint on /login/resource forwards the request, but now the HstFilter listens to FORWARDs as well, and in the HstDelegateeFilterBean this triggers a response with a redirect. After this redirect, another redirect happens, triggering j_security_check, which triggers a redirect to a URL starting with /site (also behind a proxy) that is not followed any more by another redirect.

The solution is that the HstFilter should do chain.doFilter on requests that are a security request and that happen to be a forward.
Issue Links
- is cloned by HSTTWO-3580 [Backport 3.2] JAAS security fails behind a proxy injecting the context path when the HstFilter is configured with <dispatcher>FORWARD</dispatcher> as well (Closed)
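
The pass-through described in the solution above, written as a servlet filter. This is an added example, not the HstFilter source: the class name `ForwardAwareFilter`, the `process` hook and the exact-path match on `/login/resource` are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter, mapped with both REQUEST and FORWARD dispatchers.
public abstract class ForwardAwareFilter implements Filter {

    // Assumption: context-relative paths the container protects for login.
    // /login/resource is the one named in this issue.
    private static final Set<String> SECURITY_PATHS =
            Collections.singleton("/login/resource");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.getDispatcherType() == DispatcherType.FORWARD
                && isSecurityRequest(request)) {
            // Container-internal login forward: pass it on untouched, so this
            // filter's own routing cannot answer it with a redirect.
            chain.doFilter(req, res);
            return;
        }
        process(request, res, chain);
    }

    // Normal request handling (routing, redirects) lives in the subclass.
    protected abstract void process(HttpServletRequest request, ServletResponse res,
            FilterChain chain) throws IOException, ServletException;

    static boolean isSecurityRequest(HttpServletRequest request) {
        // During a forward the originally requested URI is kept in this attribute.
        Object origin = request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
        return matches(request, request.getRequestURI())
                || (origin instanceof String && matches(request, (String) origin));
    }

    private static boolean matches(HttpServletRequest request, String uri) {
        if (uri == null) return false;
        int semi = uri.indexOf(';');   // drop path parameters such as ;jsessionid
        String path = semi >= 0 ? uri.substring(0, semi) : uri;
        String ctx = request.getContextPath();
        if (!ctx.isEmpty() && path.startsWith(ctx + "/")) path = path.substring(ctx.length());
        return SECURITY_PATHS.contains(path);   // exact match, not a suffix test
    }
}
```

The pass-through applies only to the FORWARD dispatcher type, so a client requesting the same path directly still goes through `process`.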