[MAGNOLIA-7502] RedirectClientCallback is not working as expected Created: 09/Apr/19 Updated: 26/Apr/23 Resolved: 26/Apr/23 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | 6.0 |
| Fix Version/s: | 6.3.0, 6.2.34 |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Carlos Cantalapiedra | Assignee: | Evzen Fochr |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | maintenance | ||
| Σ Remaining Estimate: | Not Specified | Remaining Estimate: | Not Specified |
| Σ Time Spent: | 1d | Time Spent: | 1d |
| Σ Original Estimate: | Not Specified | Original Estimate: | Not Specified |
| Attachments: |
|
|||||||||||||||||||||||||
| Issue Links: |
|
|||||||||||||||||||||||||
| Sub-Tasks: |
|
|||||||||||||||||||||||||
| Template: |
|
|||||||||||||||||||||||||
| Acceptance criteria: |
Empty
|
|||||||||||||||||||||||||
| Task DoD: |
[X]*
Doc/release notes changes? Comment present?
[X]*
Downstream builds green?
[X]*
Solution information and context easily available?
[X]*
Tests
[X]*
FixVersion filled and not yet released
[ ] 
Architecture Decision Record (ADR)
|
|||||||||||||||||||||||||
| Bug DoR: |
[ ]*
Steps to reproduce, expected, and actual results filled
[ ]*
Affected version filled
|
|||||||||||||||||||||||||
| Epic Link: | AdminX maintenance | |||||||||||||||||||||||||
| Sprint: | AdminX 34 | |||||||||||||||||||||||||
| Story Points: | 3 | |||||||||||||||||||||||||
| Team: | ||||||||||||||||||||||||||
| Work Started: | ||||||||||||||||||||||||||
| Approved: |
Yes
|
|||||||||||||||||||||||||
| Description |
|
When passing parameters to a restricted URL without being authenticated we are experiencing a couple of issues: first of all, the parameters in the formatted (result) string are duplicated. Also after a successful authentication, the parameters are lost (not included in the URL). Steps for reproduce it (eg, at our demo):
There are some attached images that may help. Added description of the related ticket In Magnolia 6.2.4 the MAGNOLIA-7915 changes to LoginFilter were made that only permit redirects to relative URLs. But when RedirectClientCallback is used to redirect user form the restricted page to login form it injects Full URL into redirect. That makes it incompatible with LoginFilter. For example, when user request a restricted "/account" page, and the SecurityCallbackFilter is configured to use RedirectClientCallback the latter will send a redirect respone to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".{} That /account-login page will take the "from" parameter value of "http://example.org/account" and typically put it inside login form in "mgnlReturnTo" field. When login credentials are then posted, the LoginFilter will take the full return URL from "mgnlReturnTo" request parameter and reject it as unsafe. Correct behaviour for RedirectClientCallback wold be to inject "root" URL representation into redirect URL, e.g. "/account-login?from=%2Faccount". |