MAGNOLIA-7502: RedirectClientCallback is not working as expected

Details

    • Bug
    • Resolution: Fixed
    • Neutral
    • 6.3.0, 6.2.34
    • 6.0
    • None

    Description

      When passing parameters to a restricted URL without being authenticated we are experiencing a couple of issues: first of all, the parameters in the formatted (result) string are duplicated. Also after a successful authentication, the parameters are lost (not included in the URL).

      Steps to reproduce it (e.g. on our demo):

      1. Go to the Configuration app --> server --> filters --> securityCallBack --> clientCallBacks --> travel-demo-pur --> location --> set the value: travel/members/login.html?redirectToThis={0}
      2. Go to http://localhost:8080/magnoliaPublic/travel/members/protected.html?param1=value1
      3. Magnolia redirects the user to the members login page
      4. Do a proper login and check the resulting URL

      There are some attached images that may help.

      Description added from the related ticket MAGNOLIA-8038:

      In Magnolia 6.2.4 the MAGNOLIA-7915 changes to LoginFilter were made, which only permit redirects to relative URLs.

      But when RedirectClientCallback is used to redirect the user from the restricted page to the login form, it injects the full URL into the redirect. That makes it incompatible with LoginFilter.

      For example, when a user requests a restricted "/account" page and the SecurityCallbackFilter is configured to use RedirectClientCallback, the latter will send a redirect response to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".

      That /account-login page will take the "from" parameter value, "http://example.org/account", and typically put it in the login form's "mgnlReturnTo" field.

      When the login credentials are then posted, the LoginFilter will take the full return URL from the "mgnlReturnTo" request parameter and reject it as unsafe.

      The correct behaviour for RedirectClientCallback would be to inject the "root" (root-relative) URL representation into the redirect URL, e.g. "/account-login?from=%2Faccount".
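      The two sides of the redirect described above, as an added illustration written for this page (it is not Magnolia's RedirectClientCallback or LoginFilter code): a callback that URL-encodes the return target once and substitutes it into the configured location pattern, and a return-URL check modelled on the LoginFilter policy the ticket describes, which accepts only root-relative URLs. The location pattern and the protected.html?param1=value1 request are taken from the ticket; the class and method names, the example.org host and the exact rejection rules are assumptions, and resolution of the pattern against the servlet context path is not modelled.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;

// Illustrative model of the login redirect round trip (added for this page; not Magnolia code).
// Requires Java 10+ for URLEncoder.encode(String, Charset).
public final class LoginRedirectExample {

    // Location pattern as configured on the clientCallback in the reproduction steps.
    static final String LOCATION_PATTERN = "travel/members/login.html?redirectToThis={0}";

    // Root-relative representation of the requested resource: path plus query string,
    // without scheme or host. This is the form the callback should inject.
    static String rootRelative(String requestUri, String queryString) {
        if (queryString == null || queryString.isEmpty()) {
            return requestUri;
        }
        return requestUri + "?" + queryString;
    }

    // Builds the redirect target. The return URL is URL-encoded exactly once and
    // substituted for {0}; MessageFormat does not re-parse the argument, so the
    // '%' sequences and the '?' / '=' of the original query survive intact.
    static String buildLoginRedirect(String returnTo) {
        String encoded = URLEncoder.encode(returnTo, StandardCharsets.UTF_8);
        return MessageFormat.format(LOCATION_PATTERN, encoded);
    }

    // Return-URL policy modelled on the LoginFilter behaviour described in the ticket
    // (assumption: the real filter's rules may differ). Only root-relative URLs pass;
    // absolute URLs, protocol-relative "//host" forms and backslash variants are rejected,
    // so the login page cannot be turned into an open redirector.
    static boolean isSafeReturnUrl(String returnTo) {
        if (returnTo == null || returnTo.isEmpty() || returnTo.charAt(0) != '/') {
            return false;
        }
        if (returnTo.startsWith("//") || returnTo.startsWith("/\\")) {
            return false;
        }
        try {
            URI uri = new URI(returnTo);
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // not parseable as a URI: treat as unsafe
        }
    }

    public static void main(String[] args) {
        String path = "/travel/members/protected.html";
        String query = "param1=value1";

        // Behaviour reported in the ticket: the full URL is injected into the redirect.
        String full = "http://example.org" + path + "?" + query; // example.org is a placeholder host
        System.out.println("redirect (full URL):      " + buildLoginRedirect(full));
        System.out.println("accepted after login:     " + isSafeReturnUrl(full));     // false: parameters are lost

        // Intended behaviour: the root-relative URL is injected and survives the check.
        String relative = rootRelative(path, query);
        System.out.println("redirect (root-relative): " + buildLoginRedirect(relative));
        System.out.println("accepted after login:     " + isSafeReturnUrl(relative)); // true

        // The same check blocks a protocol-relative return target.
        System.out.println("accepted //host form:     " + isSafeReturnUrl("//other.example/landing")); // false
    }
}
```

      With the root-relative form, the redirectToThis value decodes back to /travel/members/protected.html?param1=value1, so the query parameters reach the login page and can be carried through mgnlReturnTo without the filter rejecting them.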

        Attachments

          1. requested-url.png (200 kB)
          2. key-map from request.png (232 kB)
          3. encoded-url ok.png (51 kB)
          4. method message-format.png (137 kB)
          5. formatted-target ko.png (66 kB)


              People

                efochr Evzen Fochr
                ccantalapiedra Carlos Cantalapiedra
                AdminX



                    Time Tracking

                      Estimated: Not Specified
                      Remaining: Not Specified
                      Logged: 1d