- Bug
- Resolution: Fixed
- Critical
- 5.4.4
- None
- Basel 27
- 5
One of the nastiest consequences of this issue is that the AdminCentral app doesn't work at all with URL-based authentication.
To reproduce it, try https://demoauthor.magnolia-cms.com/.magnolia/admincentral?mgnlUserId=superuser&mgnlUserPSWD=superuser
This happens because of how and when the LoginFilter kicks in the chain:
- it tries to handle each and every request via several handlers, provided there is enough data for them to process
- when authentication happens via URL query parameters, info.magnolia.cms.security.auth.login.FormLogin is always triggered; after authenticating a user successfully, it notifies the LoginFilter that a 'self-redirect' is needed (as of MAGNOLIA-5991)
- such a redirect breaks Vaadin's XHR-based communication mechanism: every XHR (a POST request) whose URL happens to carry credentials in the query string is treated as a login attempt and redirected to itself, so the meaningful Vaadin payload (JSON) is lost.
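The chain described above can be modelled in a few lines of Python. This is an added illustration, not Magnolia's code: it shows that the XHR payload never reaches the application once the login handler asks for a self-redirect. The `Request`/`Response` classes, the function names, the 302 status, the host and the JSON payload are assumptions made for the model; only the parameter names and the path come from the reproduction URL.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Parameter names come from the reproduction URL on this page.
USER_PARAM, PSWD_PARAM = "mgnlUserId", "mgnlUserPSWD"

@dataclass
class Request:
    method: str
    url: str
    body: str = ""

@dataclass
class Response:
    status: int
    location: str = ""
    app_received: str = ""  # payload that actually reached the application

def form_login(req, users):
    """Model of the FormLogin handler: applies whenever both parameters are present."""
    qs = parse_qs(urlsplit(req.url).query)
    if USER_PARAM not in qs or PSWD_PARAM not in qs:
        return None  # not enough data: handler does not apply
    return users.get(qs[USER_PARAM][0]) == qs[PSWD_PARAM][0]

def vaadin_app(req):
    """Stand-in for the Vaadin endpoint: reports the payload it was given."""
    return Response(200, app_received=req.body)

def login_filter(req, users):
    """Successful login => self-redirect, so the rest of the chain never runs."""
    if form_login(req, users) is True:
        return Response(302, location=req.url)
    return vaadin_app(req)  # failed logins are not modelled here

def client_follow_up(resp):
    """What a browser sends after a 302: a GET to Location, without a body."""
    return Request("GET", resp.location)

# Constructed sample input: host and JSON payload are made up.
USERS = {"superuser": "superuser"}
BASE = "https://cms.example.invalid/.magnolia/admincentral"
PAYLOAD = '{"rpc": ["constructed Vaadin message"]}'

def demo():
    xhr = Request("POST", BASE + "?mgnlUserId=superuser&mgnlUserPSWD=superuser", PAYLOAD)
    first = login_filter(xhr, USERS)
    retry = client_follow_up(first)
    clean = login_filter(Request("POST", BASE, PAYLOAD), USERS)
    return first, retry, clean
```

In the model, the same POST without credentials in the query string reaches the application with its payload intact, which isolates the self-redirect as the point where the JSON is dropped.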
Acceptance criteria