[MAGNOLIA-6502] Authentication over URL triggers 'self-redirect' mechanism which leads to unfortunate consequences Created: 07/Dec/15  Updated: 25/Jan/16  Resolved: 18/Jan/16

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.4.4
Fix Version/s: 5.4.5

Type: Bug Priority: Critical
Reporter: Zdenek Skodik Assignee: Aleksandr Pchelintcev
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: 0d
Time Spent: 5h
Original Estimate: Not Specified

Issue Links:
Relates
causality
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Sprint: Basel 27
Story Points: 5

Description

One of the nastiest consequences of this issue is that the AdminCentral app does not work at all with URL-based authentication.
To reproduce it, open https://demoauthor.magnolia-cms.com/.magnolia/admincentral?mgnlUserId=superuser&mgnlUserPSWD=superuser

This happens because of how and when the LoginFilter kicks in within the filter chain:

  • it tries to handle each and every request via several login handlers, whenever the request carries enough data for one of them to process
  • when authentication happens via URL query parameters, info.magnolia.cms.security.auth.login.FormLogin is always triggered, and after authenticating the user successfully it notifies the LoginFilter that a 'self-redirect' is needed (introduced by MAGNOLIA-5991)
  • such a redirect breaks Vaadin's XHR-based communication: every XHR (a POST request) whose URL happens to carry the credentials in its query string is treated as a login attempt and redirected to itself, so the meaningful Vaadin payload (JSON) in the POST body is lost.
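The following is an added simulation of the interaction described above; it is not Magnolia code and not the fix that shipped in 5.4.5. The LoginFilter, the FormLogin-style handler, the Vaadin UIDL endpoint, the session object and the browser client are all stand-ins written for this example, the sample account is constructed, and two details are assumptions: that the self-redirect targets the same URL with the mgnlUserId/mgnlUserPSWD parameters stripped, and that a mitigation may consist of still authenticating an XHR but letting it continue down the chain instead of redirecting it (a hypothetical policy, shown only to contrast with the reported behaviour).

```python
"""Simulation of the LoginFilter / self-redirect interaction from MAGNOLIA-6502.
Added illustration only: none of these classes or functions exist in Magnolia."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample account; Magnolia's real user store is not involved.
USERS = {"superuser": "superuser"}
CRED_PARAMS = ("mgnlUserId", "mgnlUserPSWD")

ADMIN = "https://demoauthor.magnolia-cms.com/.magnolia/admincentral"
CREDS = ADMIN + "?mgnlUserId=superuser&mgnlUserPSWD=superuser"


@dataclass
class Request:
    method: str
    url: str
    body: Optional[str] = None   # JSON payload of a Vaadin XHR, None otherwise
    xhr: bool = False            # True for XMLHttpRequest traffic

    def query(self) -> dict:
        return dict(parse_qsl(urlsplit(self.url).query))


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: Optional[str] = None


@dataclass
class Session:
    user: Optional[str] = None


def strip_credentials(url: str) -> str:
    """Same URL without the credential parameters (assumed target of the self-redirect)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in CRED_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def form_login(req: Request) -> Optional[str]:
    """FormLogin stand-in: acts only when both parameters are present; returns the user on success."""
    q = req.query()
    if not all(p in q for p in CRED_PARAMS):
        return None
    user, pwd = q["mgnlUserId"], q["mgnlUserPSWD"]
    return user if USERS.get(user) == pwd else None


def vaadin_endpoint(req: Request, session: Session) -> Response:
    """Downstream stand-in: the UIDL handler needs an authenticated session and a POST carrying JSON."""
    if session.user is None:
        return Response(401, body="not authenticated")
    if req.xhr:
        if req.method != "POST" or req.body is None:
            return Response(400, body="UIDL payload missing")   # the symptom from the report
        return Response(200, body='{"changes": []}')            # constructed reply
    return Response(200, body="<html>AdminCentral</html>")


def login_filter(req: Request, session: Session, redirect_xhr: bool) -> Response:
    """redirect_xhr=True reproduces the reported behaviour: a self-redirect after every successful
    URL login.  redirect_xhr=False is the hypothetical mitigation (not the project's actual fix):
    the XHR is authenticated but continues down the chain with its body intact."""
    user = form_login(req)
    if user is not None:
        session.user = user
        if redirect_xhr or not req.xhr:
            return Response(302, location=strip_credentials(req.url))
    return vaadin_endpoint(req, session)


def browser(req: Request, session: Session, redirect_xhr: bool) -> Response:
    """Client stand-in: follows a 302 with a bodyless GET, which is how the POST payload gets lost."""
    resp = login_filter(req, session, redirect_xhr)
    hops = 0
    while resp.status == 302 and hops < 5:
        hops += 1
        req = Request("GET", resp.location, body=None, xhr=req.xhr)
        resp = login_filter(req, session, redirect_xhr)
    return resp


def simulate_xhr_login(redirect_xhr: bool):
    """A Vaadin XHR whose URL still carries the credentials; returns (final response, session user)."""
    session = Session()
    xhr = Request("POST", CREDS, body='{"rpc": []}', xhr=True)   # constructed UIDL payload
    return browser(xhr, session, redirect_xhr), session.user


def simulate_navigation(redirect_xhr: bool):
    """A plain top-level GET with credentials in the URL, the case the self-redirect was meant for."""
    session = Session()
    return browser(Request("GET", CREDS), session, redirect_xhr), session.user
```

With the reported policy the XHR is authenticated but the redirected GET reaches the Vaadin endpoint without its JSON body and is rejected, while the plain navigation ends on a clean URL as intended; with the hypothetical policy the XHR completes. Independently of this bug, credentials passed as query parameters end up in server access logs, proxy logs, browser history and Referer headers, which is a reason to keep such URL-based logins to test setups.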

Generated at Mon Feb 12 04:15:08 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.