  1. Nuxeo Platform
  2. NXP-24645

Proper detection of requested page for login


    Details

    • Release Notes Summary:
      The page requested after login is correctly detected by the NuxeoAuthenticationFilter.
    • Sprint:
      nxFG 10.1.2
    • Story Points:
      5

      Description

      NuxeoAuthenticationFilter.getRequestedPage does not correctly analyze the requested URL to deduce the requested page.

      The impact is that the authentication filter could fail to redirect to the login page or return a 401, and instead serve the requested URL directly. However, this is not in itself a security issue, as the user is still not authenticated in this case.

      URL parsing as defined by the servlet spec is detailed here:
      https://stackoverflow.com/questions/4931323/whats-the-difference-between-getrequesturi-and-getpathinfo-methods-in-httpservl#21046620
      https://codebox.net/pages/java-servlet-url-parts
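      The servlet URL parts the links above describe, as an added example; this is not Nuxeo's code, and the ticket does not say which part of the parsing was wrong. The `Parts` holder, the two helper methods, the `/nuxeo` context path and all sample values are constructed for illustration.

```java
import java.util.List;

public class RequestedPageDemo {

    /** Values a servlet container exposes for one request (constructed holder, not a servlet API type). */
    record Parts(String requestURI, String contextPath, String servletPath, String pathInfo) {}

    /** Raw view: strip the context path from getRequestURI(), which is not decoded and keeps path parameters. */
    static String fromRequestUri(Parts p) {
        String page = p.requestURI().substring(p.contextPath().length());
        return page.startsWith("/") ? page.substring(1) : page;
    }

    /** Container view: getServletPath() + getPathInfo(), both decoded by the container; pathInfo may be null. */
    static String fromServletPath(Parts p) {
        String page = p.servletPath() + (p.pathInfo() == null ? "" : p.pathInfo());
        return page.startsWith("/") ? page.substring(1) : page;
    }

    public static void main(String[] args) {
        // Constructed samples: values as a typical container reports them for context path "/nuxeo".
        List<Parts> samples = List.of(
            new Parts("/nuxeo/login.jsp", "/nuxeo", "/login.jsp", null),
            new Parts("/nuxeo/site/my%20doc", "/nuxeo", "/site", "/my doc"),
            new Parts("/nuxeo/app/index.html;jsessionid=EXAMPLE", "/nuxeo", "/app/index.html", null));

        for (Parts p : samples) {
            String raw = fromRequestUri(p);
            String decoded = fromServletPath(p);
            // A filter that compares page names must use one view consistently,
            // otherwise the same resource can yield two different "requested pages".
            System.out.printf("%-42s raw=%-36s container=%-16s %s%n",
                p.requestURI(), raw, decoded, raw.equals(decoded) ? "same" : "DIFFERENT");
        }
    }
}
```

      Only the first sample yields the same page name from both views; the percent-encoded and path-parameter samples differ, which is the kind of mismatch a filter has to account for when deciding whether a request needs the login page.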

                  Time Tracking

                  • Estimated:
                    Original Estimate - Not Specified
                  • Remaining:
                    Remaining Estimate - 0 minutes
                  • Logged:
                    Time Spent - 1 day