Nuxeo Platform: NXP-25500

Infinite redirect loop and inconsistent behavior when using Anonymous user


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 9.10
    • Fix Version/s: 10.10
    • Component/s: Web Common

      Description

      Description of the issue

      When the Anonymous user is activated, the login/logout behavior can give unexpected results:

      • infinite redirect loop
      • login/logout not working

      Mika built a Docker Compose setup to help reproduce:
      https://github.com/nuxeo-sandbox/docker-nuxeo-guest

      Steps:

      • open a guest/anonymous tab in chrome (so there is no previous cookies)
      • go to http://localhost:8080, you are on the home page as user Guest
      • open the webui drawer and click on sign out
      • you are redirected to the login page (don't log in)
      • hit the back button

      What happens

      Looking at this via Wireshark, the redirect loop is clear:

      GET /nuxeo/login.jsp?forceAnonymousLogin=true&requestedUrl=ui%2F%3FforceAnonymousLogin%3Dtrue HTTP/1.1
      Host: 127.0.0.1:8080
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      Referer: http://127.0.0.1:8080/nuxeo/ui/?forceAnonymousLogin=true
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.9
      Cookie: JSESSIONID=886E1E72E3EBCD38BCACDAA24793604E.nuxeo; org.jboss.seam.core.TimeZone=Europe/Berlin; nuxeo.start.url.fragment=
      
      HTTP/1.1 302 
      X-Frame-Options: SAMEORIGIN
      X-UA-Compatible: IE=10; IE=11
      Cache-Control: no-cache, no-store, must-revalidate
      X-Content-Type-Options: nosniff
      Content-Security-Policy: img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
      X-XSS-Protection: 1; mode=block
      Location: http://127.0.0.1:8080/nuxeo/ui/?forceAnonymousLogin=true
      Content-Length: 0
      Date: Fri, 27 Jul 2018 10:16:02 GMT
      
      GET /nuxeo/ui/?forceAnonymousLogin=true HTTP/1.1
      Host: 127.0.0.1:8080
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      Referer: http://127.0.0.1:8080/nuxeo/ui/?forceAnonymousLogin=true
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.9
      Cookie: JSESSIONID=886E1E72E3EBCD38BCACDAA24793604E.nuxeo; org.jboss.seam.core.TimeZone=Europe/Berlin; nuxeo.start.url.fragment=
      
      HTTP/1.1 401 
      X-Frame-Options: SAMEORIGIN
      X-UA-Compatible: IE=10; IE=11
      Cache-Control: no-cache, no-store, must-revalidate
      X-Content-Type-Options: nosniff
      Content-Security-Policy: img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
      X-XSS-Protection: 1; mode=block
      Content-Type: text/html;charset=UTF-8
      Content-Length: 295
      Date: Fri, 27 Jul 2018 10:16:02 GMT
      
      <script type="text/javascript">
      document.cookie = 'nuxeo.start.url.fragment=' + encodeURIComponent(window.location.hash.substring(1) || '') + '; path=/';
      window.location = 'http://127.0.0.1:8080/nuxeo/login.jsp?forceAnonymousLogin=true&requestedUrl=ui%2F%3FforceAnonymousLogin%3Dtrue';
      </script>
      
      GET /nuxeo/login.jsp?forceAnonymousLogin=true&requestedUrl=ui%2F%3FforceAnonymousLogin%3Dtrue HTTP/1.1
      Host: 127.0.0.1:8080
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      Referer: http://127.0.0.1:8080/nuxeo/ui/?forceAnonymousLogin=true
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.9
      Cookie: JSESSIONID=886E1E72E3EBCD38BCACDAA24793604E.nuxeo; org.jboss.seam.core.TimeZone=Europe/Berlin; nuxeo.start.url.fragment=
      
      HTTP/1.1 302 
      X-Frame-Options: SAMEORIGIN
      X-UA-Compatible: IE=10; IE=11
      Cache-Control: no-cache, no-store, must-revalidate
      X-Content-Type-Options: nosniff
      Content-Security-Policy: img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *
      X-XSS-Protection: 1; mode=block
      Location: http://127.0.0.1:8080/nuxeo/ui/?forceAnonymousLogin=true
      Content-Length: 0
      Date: Fri, 27 Jul 2018 10:16:02 GMT
      
      

      Issue

      The issue is inside the ExternalRequestFilter, which decides to redirect to the requested page if there is a valid UserIdent: the logic is OK but breaks in the case of the anonymous user.
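The loop in the trace above is not a plain chain of 3xx responses: one hop is an HTTP 302 and the other is a 401 page whose inline script assigns window.location. As an added example (not code from this issue or from the Nuxeo code base), the following Python script follows both kinds of hop and reports a cycle. The responses it walks are constructed in-memory copies of the captured exchange, not a live server; the function names (follow_redirects, next_hop, sample_fetch) and the 20-hop budget are assumptions of this example.

```python
import re
from urllib.parse import urljoin

UI_URL = "http://127.0.0.1:8080/nuxeo/ui/?forceAnonymousLogin=true"
LOGIN_URL = ("http://127.0.0.1:8080/nuxeo/login.jsp?forceAnonymousLogin=true"
             "&requestedUrl=ui%2F%3FforceAnonymousLogin%3Dtrue")

# Constructed responses modeled on the Wireshark trace: url -> (status, headers, body).
SAMPLE_RESPONSES = {
    # The UI answers 401 and navigates via script instead of a Location header.
    UI_URL: (
        401,
        {"Content-Type": "text/html;charset=UTF-8"},
        "<script type=\"text/javascript\">\n"
        "document.cookie = 'nuxeo.start.url.fragment=' + "
        "encodeURIComponent(window.location.hash.substring(1) || '') + '; path=/';\n"
        "window.location = '" + LOGIN_URL + "';\n"
        "</script>",
    ),
    # login.jsp sees a usable identity (the anonymous one) and bounces straight back.
    LOGIN_URL: (302, {"Location": UI_URL}, ""),
}

# Matches the script-driven navigation pattern used in the 401 page.
JS_REDIRECT = re.compile(r"""window\.location\s*=\s*['"]([^'"]+)['"]""")


def next_hop(url, status, headers, body):
    """Return the URL a browser would load next, or None if the response is terminal."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = JS_REDIRECT.search(body or "")
    if m:
        return urljoin(url, m.group(1))
    return None


def follow_redirects(fetch, start_url, max_hops=20):
    """Follow HTTP and script-driven redirects from start_url.

    fetch(url) must return (status, headers, body). Returns (chain, loop_detected):
    chain is the list of URLs visited in order; loop_detected is True when a URL
    repeats or the hop budget is exhausted.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, False
        chain.append(nxt)
        if nxt in seen:
            return chain, True
        seen.add(nxt)
        url = nxt
    return chain, True  # hop budget exhausted: treat as a loop


def sample_fetch(url):
    """Constructed fetch: looks the URL up in SAMPLE_RESPONSES; anything else is a 200 page."""
    return SAMPLE_RESPONSES.get(url, (200, {"Content-Type": "text/html"}, "<html>home</html>"))


if __name__ == "__main__":
    chain, looped = follow_redirects(sample_fetch, UI_URL)
    print("loop detected:", looped)
    for hop in chain:
        print("  ", hop)
```

Run against the captured exchange it reports a loop after three entries (ui, login.jsp, ui again). The script-driven hop is the part worth noting when checking a fix: browsers cap the number of consecutive HTTP redirects they will follow, but a 401 page that navigates with window.location starts a fresh request, so a cycle of this shape is not stopped by that cap and only tooling that treats script navigation as a hop, as above, will flag it.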
