  1. Hippo Site Toolkit 2
  2. HSTTWO-3580

[Backport 3.2] JAAS security fails behind a proxy injecting the context path when the HstFilter is configured with <dispatcher>FORWARD</dispatcher> as well

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.2
    • Component/s: None
    • Sprint:
      Platform sprint 131, Platform Sprint 132
    • Processed by team:
      Platform

      Description

      When the HstFilter mapping in web.xml is

        <filter-mapping>
          <filter-name>HstFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>REQUEST</dispatcher>
          <dispatcher>FORWARD</dispatcher>
        </filter-mapping>
      

      instead of the usual

        <filter-mapping>
          <filter-name>HstFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
      

      then a JAAS login behind a proxy fails and ends at the URL /site/login/resource.

      The reason is that the container's internal security constraint on /login/resource forwards the request, but the HstFilter now listens to FORWARD dispatches as well, and in the HstDelegateeFilterBean this triggers a response with a redirect. After this redirect, another redirect happens that triggers j_security_check, which in turn triggers a redirect to a URL starting with /site (also behind a proxy) that is no longer followed by another redirect.

      The solution is that the HstFilter should call chain.doFilter for requests that are security requests and happen to be forwards.
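
The pass-through described above, sketched as an added example that is not the HST code or the actual fix: the class name, the `handleSiteRequest` hook and the rule for recognising a security request (the pre-forward URI matching the login paths named in this issue) are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter mapped on REQUEST and FORWARD; not part of HST. */
public abstract class ForwardAwareSiteFilter implements Filter {

    // Assumed security paths, taken from the URLs named in the issue text.
    private static final String[] SECURITY_PATHS = { "/login/resource", "/j_security_check" };

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.getDispatcherType() == DispatcherType.FORWARD && isSecurityRequest(request)) {
            // Forward issued for container security: hand it on untouched, no site redirect.
            chain.doFilter(req, res);
            return;
        }
        handleSiteRequest(request, res, chain); // normal site processing (hypothetical hook)
    }

    /** Matches on the path before the forward, relative to the context path (for example /site). */
    static boolean isSecurityRequest(HttpServletRequest request) {
        String uri = (String) request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
        String ctx = (String) request.getAttribute(RequestDispatcher.FORWARD_CONTEXT_PATH);
        if (uri == null) {
            return false; // not a forward, or the container did not record the original URI
        }
        String path = (ctx != null && uri.startsWith(ctx)) ? uri.substring(ctx.length()) : uri;
        for (String securityPath : SECURITY_PATHS) {
            if (path.equals(securityPath) || path.startsWith(securityPath + "/")) {
                return true;
            }
        }
        return false;
    }

    protected abstract void handleSiteRequest(HttpServletRequest request, ServletResponse res,
            FilterChain chain) throws IOException, ServletException;
}
```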

              People

              • Assignee:
                Unassigned
                Reporter:
                aschrijvers Ard Schrijvers