[MGNLSSO-218] Upload requests attempt to start an indirect flow Created: 13/Dec/22  Updated: 16/Feb/23  Resolved: 19/Jan/23

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.1

Type: Bug Priority: Neutral
Reporter: Mikaël Geljić Assignee: Mikaël Geljić
Resolution: Fixed Votes: 0
Labels: cs-bk
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
Problem/Incident
Sub-Tasks:
Key
Summary
Type
Status
Assignee
MGNLSSO-225 Implementation Technical task Completed Evzen Fochr  
MGNLSSO-226 Review Technical task Completed Nguyen Phung Chi  
MGNLSSO-227 PiQA Technical task Completed Nguyen Phung Chi  
MGNLSSO-228 Final QA Technical task Completed Enrique Espana  
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes
Documentation update required:
Yes
Date of First Response:
Epic Link: SSO maintenance
Sprint: AdminX 27
Story Points: 3
Team: AdminX
Work Started:

Description

Since MGNLSSO-98, we filter out most Vaadin requests to prevent them from starting an indirect login flow that redirects to the IdP. Instead, these requests are assumed to be already authenticated and are covered by session tracking (JSESSIONID) and other protection measures such as CSRF tokens.

See AuthenticationServicePathMatcher and its tests.

The current logic starts the flow if:

  • the Sec-Fetch-Mode header is navigate (this indicates a user-originated request, as opposed to one issued from a script)
  • otherwise, if the header above is unset, unless the request matches a typical Vaadin request (UIDL, HEARTBEAT, PUSH, etc.), which is excluded

There is one case where this falls short: uploads. For an upload request, Sec-Fetch-Mode is indeed navigate, so Vaadin request matching is never attempted; and even if it were, /APP/UPLOAD is not among the excluded patterns anyway.
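The decision logic above and the upload gap, modelled as an added example that is not Magnolia's AuthenticationServicePathMatcher; the path markers, the constructed request paths and the post-fix variant are assumptions, since the issue does not describe the change shipped in 3.0.1:

```python
from typing import Mapping, Optional

# Vaadin-internal request markers assumed for this example: UIDL, HEARTBEAT and
# PUSH are the kinds the issue names as excluded; APP/UPLOAD is the one it
# reports as never excluded.
VAADIN_INTERNAL_MARKERS = ("/UIDL/", "/HEARTBEAT/", "/PUSH/")
UPLOAD_MARKER = "/APP/UPLOAD/"


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as a servlet container does it."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def is_vaadin_internal(path: str) -> bool:
    """True when the request path looks like a script-originated Vaadin call."""
    return any(marker in path.upper() for marker in VAADIN_INTERNAL_MARKERS)


def starts_flow_before_fix(path: str, headers: Mapping[str, str]) -> bool:
    """Decision logic as the issue describes it: navigate starts the flow,
    an unset header starts it unless the path is a typical Vaadin request,
    and any other explicit mode is assumed here to be scripted (no flow)."""
    mode = header(headers, "Sec-Fetch-Mode")
    if mode == "navigate":
        return True
    if mode is None:
        return not is_vaadin_internal(path)
    return False


def starts_flow_after_fix(path: str, headers: Mapping[str, str]) -> bool:
    """Hardened variant (an assumption, not the change shipped in 3.0.1):
    the browser submits the upload form with Sec-Fetch-Mode: navigate, so
    the upload path has to be excluded before the header is consulted."""
    if UPLOAD_MARKER in path.upper():
        return False
    return starts_flow_before_fix(path, headers)


if __name__ == "__main__":
    # Constructed paths, not Magnolia's real servlet mapping.
    upload, nav = "/admin/APP/UPLOAD/0/3/aa11", {"Sec-Fetch-Mode": "navigate"}
    print("before fix, upload starts flow:", starts_flow_before_fix(upload, nav))  # True
    print("after fix, upload starts flow:", starts_flow_after_fix(upload, nav))  # False
```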



Comments
Comment by Evzen Fochr [ 20/Jan/23 ]

Not yet released; it is in staging and I am working on the final test. Will inform you later on Slack.


Generated at Mon Feb 12 10:52:12 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.