- Bug
- Resolution: Fixed
- Neutral
- None
- None
- Yes
- Yes
- AdminX 27
- 3
Since MGNLSSO-98, we filter out most Vaadin requests so that they do not start an indirect login flow to the IdP. Instead, these requests are assumed to be already authenticated via session tracking (JSESSIONID and other protection measures such as CSRF protection).
See AuthenticationServicePathMatcher and its tests.
The current logic starts the flow if:
- the Sec-Fetch-Mode header is navigate (indicating a user-originated request, as opposed to one loaded from a script);
- otherwise, if the header above is unset, exclude typical Vaadin requests (UIDL, HEARTBEAT, PUSH, etc.) and start the flow for the rest.
There is one case where this falls short: upload. Its Sec-Fetch-Mode is indeed navigate, so Vaadin request matching is never attempted, and /APP/UPLOAD would not be excluded by that matching anyway.
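The following is an added illustration of the decision rules described above, written for this page; it is not Magnolia's AuthenticationServicePathMatcher or any other project code. The class name, the header lookup via a plain map, the Vaadin path markers and the "tightened" variant are all assumptions made for the example: the tightened variant shows one way to close the upload gap (exclude known Vaadin request paths, upload included, before consulting Sec-Fetch-Mode), not necessarily the change that was shipped.

```java
import java.util.List;
import java.util.Map;

/**
 * Illustrative stand-in for the path matcher described in the ticket.
 * NOT Magnolia's code: names, path patterns and header handling are assumptions.
 */
public final class LoginFlowDecider {

    // Assumed path markers for Vaadin-internal traffic (ticket lists UIDL, HEARTBEAT, PUSH, etc.).
    private static final List<String> VAADIN_INTERNAL_PATHS = List.of("/UIDL", "/HEARTBEAT", "/PUSH");

    // Upload path named in the ticket as the case the current rules miss.
    private static final String UPLOAD_PATH = "/APP/UPLOAD";

    private LoginFlowDecider() {}

    /** Rule set as the ticket describes the current behaviour. */
    public static boolean startsFlowCurrent(String path, Map<String, String> headers) {
        String mode = headers.get("Sec-Fetch-Mode");
        if (mode != null) {
            // Header present: only a user-originated navigation starts the flow.
            return "navigate".equalsIgnoreCase(mode);
        }
        // Header absent: fall back to excluding typical Vaadin requests.
        return !isVaadinInternal(path);
    }

    /**
     * One possible tightening (an assumption, not necessarily the shipped fix):
     * exclude known Vaadin request paths, upload included, before looking at
     * Sec-Fetch-Mode, so a navigate-mode upload no longer redirects to the IdP.
     */
    public static boolean startsFlowTightened(String path, Map<String, String> headers) {
        if (isVaadinInternal(path) || containsIgnoreCase(path, UPLOAD_PATH)) {
            return false;
        }
        String mode = headers.get("Sec-Fetch-Mode");
        return mode == null || "navigate".equalsIgnoreCase(mode);
    }

    private static boolean isVaadinInternal(String path) {
        return VAADIN_INTERNAL_PATHS.stream().anyMatch(marker -> containsIgnoreCase(path, marker));
    }

    private static boolean containsIgnoreCase(String haystack, String needle) {
        return haystack.toUpperCase().contains(needle.toUpperCase());
    }

    public static void main(String[] args) {
        // Constructed sample requests; the header maps stand in for values read from the servlet request.
        Map<String, String> navigate = Map.of("Sec-Fetch-Mode", "navigate");
        Map<String, String> noHeader = Map.of();
        String uploadPath = "/admin/APP/UPLOAD/12/34";   // constructed path, not a real deployment path

        System.out.println("page navigation, navigate      -> " + startsFlowCurrent("/admin/home", navigate));
        System.out.println("UIDL, no header                -> " + startsFlowCurrent("/admin/UIDL/", noHeader));
        System.out.println("upload, navigate (current)     -> " + startsFlowCurrent(uploadPath, navigate));
        System.out.println("upload, navigate (tightened)   -> " + startsFlowTightened(uploadPath, navigate));
    }
}
```

Running `main` walks through the three situations the ticket distinguishes: a plain page navigation starts the flow, a header-less UIDL request is excluded by the path fallback, and the navigate-mode upload is the case where the current ordering starts the flow although the request belongs to an already authenticated Vaadin session. The tightened variant only changes the order of the checks; the header rule for everything else stays the same.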
Acceptance criteria
| # | Step | Status | Assignee |
|---|------|--------|----------|
| 1 | Implementation | Completed | Evzen Fochr |
| 2 | Review | Completed | Nguyen Phung Chi |
| 3 | PiQA | Completed | Nguyen Phung Chi |
| 4 | Final QA | Completed | Enrique Espana |