[Read Only] - Hippo Site Toolkit 2 / HSTTWO-3581

[Backport 3.1] JAAS security fails behind a proxy injecting the context path when the HstFilter is configured with <dispatcher>FORWARD</dispatcher> as well

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • 3.1.3
    • None

    Description

      When the HstFilter mapping in the web.xml is configured as

        <filter-mapping>
          <filter-name>HstFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>REQUEST</dispatcher>
          <dispatcher>FORWARD</dispatcher>
        </filter-mapping>
      

      instead of the usual

        <filter-mapping>
          <filter-name>HstFilter</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
      

      then a JAAS login behind a proxy fails and ends at the URL /site/login/resource.

      The cause is that the container's internal security constraint on /login/resource forwards the request. Because the HstFilter now handles FORWARD dispatches as well, the HstDelegateeFilterBean answers that forward with a redirect. After this redirect, another redirect happens that triggers j_security_check, which in turn triggers a redirect to a URL starting with /site (also behind a proxy), and no further redirect follows that one.

      The solution is that the HstFilter should call chain.doFilter for requests that are security requests and that happen to be forwards.
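
The pass-through rule described above, sketched as an added example (not the HST code and not the actual fix). The class name, the `delegate` filter and the `SECURED_PATH` constant are assumptions made for illustration; the check compares the context-relative path, so it does not depend on whether a proxy injects the context path.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Hypothetical decorator around a site filter; not the HST implementation.
public class ForwardedSecurityPassThroughFilter implements Filter {

    // Assumption: the path guarded by the container's security constraint.
    private static final String SECURED_PATH = "/login/resource";

    private final Filter delegate; // the filter that does normal site processing

    public ForwardedSecurityPassThroughFilter(Filter delegate) {
        this.delegate = delegate;
    }

    @Override
    public void init(FilterConfig config) throws ServletException { delegate.init(config); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && isForwardedSecurityRequest((HttpServletRequest) req)) {
            // Container login forward: continue the chain untouched, so the
            // site filter cannot answer it with a redirect.
            chain.doFilter(req, res);
            return;
        }
        delegate.doFilter(req, res, chain);
    }

    static boolean isForwardedSecurityRequest(HttpServletRequest request) {
        if (request.getDispatcherType() != DispatcherType.FORWARD) {
            return false;
        }
        // On a forward, the originally requested path (without the context
        // path) is exposed through the standard forward attributes.
        Object servletPath = request.getAttribute(RequestDispatcher.FORWARD_SERVLET_PATH);
        Object pathInfo = request.getAttribute(RequestDispatcher.FORWARD_PATH_INFO);
        String original = (servletPath == null ? "" : servletPath.toString())
                + (pathInfo == null ? "" : pathInfo.toString());
        return SECURED_PATH.equals(original);
    }

    @Override
    public void destroy() { delegate.destroy(); }
}
```

Because the class takes its delegate through the constructor, it would be registered programmatically with `ServletContext.addFilter(String, Filter)` rather than by class name in the web.xml.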

            People

              Unassigned Unassigned
              aschrijvers Ard Schrijvers