[MAGNOLIA-7502] RedirectClientCallback is not working as expected Created: 09/Apr/19  Updated: 26/Apr/23  Resolved: 26/Apr/23

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.0
Fix Version/s: 6.3.0, 6.2.34

Type: Bug Priority: Neutral
Reporter: Carlos Cantalapiedra Assignee: Evzen Fochr
Resolution: Fixed Votes: 1
Labels: maintenance
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: 1d Time Spent: 1d
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: 1. requested-url.png (PNG), 2. key-map from request.png (PNG), 3. encoded-url ok.png (PNG), 4. method message-format.png (PNG), 5. formatted-target ko.png (PNG)
Issue Links:
duplicate: is duplicated by MAGNOLIA-8038 RedirectClientCallback puts full URLs... (Closed)
Sub-Tasks:
Key           | Summary        | Type           | Status    | Assignee
MAGNOLIA-8874 | Implementation | Technical task | Completed | Evzen Fochr
MAGNOLIA-8875 | Review         | Technical task | Completed | Enrique Espana
MAGNOLIA-8876 | PiQA           | Technical task | Completed | Enrique Espana
MAGNOLIA-8877 | Final QA       | Technical task | Completed | Thai Chi Minh
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Epic Link: AdminX maintenance
Sprint: AdminX 34
Story Points: 3
Team: AdminX
Work Started:
Approved: Yes

Description

When passing parameters to a restricted URL without being authenticated, we are experiencing a couple of issues: first of all, the parameters in the formatted (result) string are duplicated. Also, after a successful authentication, the parameters are lost (not included in the URL).

Steps to reproduce it (e.g., at our demo):

  1. Go to the Configuration app --> server --> filters --> securityCallBack --> clientCallBacks --> travel-demo-pur --> location --> set the value: travel/members/login.html?redirectToThis={0}
  2. Go to http://localhost:8080/magnoliaPublic/travel/members/protected.html?param1=value1
  3. Magnolia redirects the user to the login page for members.
  4. Do a proper login and check the resulting URL.

There are some attached images that may help.

Description added from the related ticket MAGNOLIA-8038:

In Magnolia 6.2.4, the MAGNOLIA-7915 changes to LoginFilter were made, which only permit redirects to relative URLs.

But when RedirectClientCallback is used to redirect the user from the restricted page to the login form, it injects the full URL into the redirect. That makes it incompatible with LoginFilter.

For example, when a user requests a restricted "/account" page and the SecurityCallbackFilter is configured to use RedirectClientCallback, the latter will send a redirect response to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".

That /account-login page will take the "from" parameter value of "http://example.org/account" and typically put it inside the login form in the "mgnlReturnTo" field.

When login credentials are then posted, the LoginFilter will take the full return URL from the "mgnlReturnTo" request parameter and reject it as unsafe.

The correct behaviour for RedirectClientCallback would be to inject the "root" URL representation into the redirect URL, e.g. "/account-login?from=%2Faccount".
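The following is an added example that is not part of this ticket or of Magnolia's code base; it covers both the reproduction steps above (a {0}-style location pattern filled with an encoded target that carries the original query string) and the MAGNOLIA-8038 description (a root-relative "from" value checked by a relative-only rule). The class and method names are assumptions, the sample request values are constructed, and the Charset overloads of URLEncoder/URLDecoder assume Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;

// Added example, not Magnolia code. Class and method names are assumptions.
public final class LoginRedirectExample {

    /**
     * Builds the Location of the redirect to the login page from the configured
     * callback location (with a MessageFormat-style {0} placeholder, as in the
     * ticket's "login.html?redirectToThis={0}") and the restricted request.
     * The target is root-relative (path plus query), never scheme and host.
     */
    public static String buildLoginRedirect(String locationPattern, String requestPath, String queryString) {
        String target = (queryString == null || queryString.isEmpty())
                ? requestPath
                : requestPath + "?" + queryString;
        // Encode the whole target once so its '?', '&' and '=' stay inside the
        // single "from"/"redirectToThis" value instead of becoming extra query
        // parameters of the login URL; the original query string then survives
        // the round trip through the login form.
        String encodedTarget = URLEncoder.encode(target, StandardCharsets.UTF_8);
        return MessageFormat.format(locationPattern, encodedTarget);
    }

    /**
     * Relative-only rule for the post-login redirect, as a LoginFilter-style
     * check would apply it to the posted "mgnlReturnTo" value (already
     * URL-decoded by the servlet container). Accepts only a root-relative path.
     */
    public static boolean isSafeReturnTo(String returnTo) {
        if (returnTo == null || returnTo.isEmpty()) {
            return false;
        }
        // "http://example.org/account" (what the old callback injected), other
        // schemes such as "javascript:", and document-relative "foo.html" all
        // fail here because none of them starts with a single "/".
        if (!returnTo.startsWith("/")) {
            return false;
        }
        // "//evil.example/" is scheme-relative and leaves the site; browsers
        // treat "/\evil.example" the same way.
        if (returnTo.startsWith("//") || returnTo.startsWith("/\\")) {
            return false;
        }
        // CR/LF in the value would let it split the Location header.
        if (returnTo.indexOf('\r') >= 0 || returnTo.indexOf('\n') >= 0) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: the ticket's "/account" case plus a query string.
        String location = buildLoginRedirect("/account-login?from={0}", "/account", "param1=value1");
        System.out.println("Location: " + location);

        // What the login page reads from ?from= and posts back as mgnlReturnTo.
        String fromValue = location.substring(location.indexOf("from=") + "from=".length());
        String returnTo = URLDecoder.decode(fromValue, StandardCharsets.UTF_8);
        System.out.println("mgnlReturnTo=" + returnTo + " safe=" + isSafeReturnTo(returnTo));

        // The value the pre-fix callback produced, and a scheme-relative one.
        System.out.println("http://example.org/account safe=" + isSafeReturnTo("http://example.org/account"));
        System.out.println("//evil.example/ safe=" + isSafeReturnTo("//evil.example/"));
    }
}
```

Compile with javac and run the class: the redirect carries the whole root-relative target, query string included, as one encoded parameter value, the decoded "mgnlReturnTo" value passes the relative-only check, and both the absolute URL from the pre-fix behaviour and the scheme-relative value are rejected. Note that URLEncoder encodes a space as "+", which URLDecoder reverses; if the login page reads the parameter itself instead of letting the container decode it, it must apply the same decoding before the check.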


Generated at Mon Feb 12 04:24:20 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.