[MGNLCAS-20] Do not invalidate session if user visiting unauthorized URL
Created: 10/Mar/16  Updated: 18/Nov/16  Resolved: 16/Nov/16

Status: Closed
Project: Central Authentication Service
Component/s: None
Affects Version/s: 1.3, 1.3.1
Fix Version/s: 1.3.2

Type: Bug Priority: Major
Reporter: Roman Kovařík Assignee: Milan Divilek
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File magnolia-module-cas-second.patch    
Issue Links:
causality
caused by MGNLCAS-18 Laundry list of CAS fixes Texas State... Closed
Sprint: Kromeriz 70
Story Points: 2

 Description   

nwing:

I've just reviewed all these changes, and they look good, except that the issue resolved by my second patch file is still an issue in your version.
To fix it, remove the session invalidation in CASClientCallback.handleUnauthorizedUser(). If we invalidate the session at that point, and the unauthorized URL is an element on the page, like an image, it will disrupt our Vaadin communications and they get the dreaded "Communication Error".



 Comments   
Comment by Nickolaus Wing [ 03/Oct/16 ]

Upped the priority on this because editors are quite prone to adding broken images to their pages, after which they cannot fix the issue themselves because visiting the page logs them out.
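
A toy model of the failure described in this issue, added here as an illustration and not taken from the Magnolia CAS module or the attached patch: the class, the `handle` method, the session id and the paths are all hypothetical. It replays one page load that embeds an unauthorized image, once with session invalidation on denial and once with the request simply refused.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration: a toy model, not Magnolia or CAS module code.
public class UnauthorizedUrlDemo {
    // Constructed sample data: live session ids and the paths the user may read.
    static final Set<String> sessions = new HashSet<>();
    static final Set<String> allowed = Set.of("/editor/page", "/editor/ui-request");

    // Hypothetical stand-in for the unauthorized-user handling discussed in the issue.
    static int handle(String sessionId, String path, boolean invalidateOnDeny) {
        if (!sessions.contains(sessionId)) {
            return 401;                     // session is gone: the user must log in again
        }
        if (allowed.contains(path)) {
            return 200;
        }
        if (invalidateOnDeny) {
            sessions.remove(sessionId);     // the behaviour the issue asks to remove
        }
        return 403;                         // access to this one URL is still refused
    }

    // Replays what a browser sends for one page: the page itself, an embedded
    // image the user may not read, then the UI framework's follow-up request.
    static List<Integer> loadPage(boolean invalidateOnDeny) {
        sessions.clear();
        sessions.add("s1");
        List<Integer> statuses = new ArrayList<>();
        for (String path : List.of("/editor/page", "/restricted/broken.png", "/editor/ui-request")) {
            statuses.add(handle("s1", path, invalidateOnDeny));
        }
        return statuses;
    }

    public static void main(String[] args) {
        System.out.println("invalidate on deny: " + loadPage(true));
        System.out.println("deny request only:  " + loadPage(false));
    }
}
```

In both runs the image request is refused, so the authorization decision is unchanged; only the first run loses the session and fails the follow-up request.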
