isFullyAuthenticated() leads to redirect-loop #566
Comments
|
Anyone has a workaround (other than disabling remember-me)? |
|
Same happens with Grails 3.3.9 |
|
May I ask which browser(s) you are testing with? A video demonstrating it working as expected in Chrome may be viewed at https://drive.google.com/open?id=1WiYQjoKqL-ycvMNJ6Bbwm6c5kRpHuqc2 I tested this with:
|
|
I can reproduce the issue with Safari Version 12.0.3 (14606.4.5) |
|
Same here. Doesn't work with Safari. |
|
Thank-you everyone for your patience and your feedback... and the sample app demonstrating the problem! I've created a PR that will fix this issue. The PR is #571 |
ddelponte
added
type: bug
info: code review
closed: fixed
and removed
status: in progress
labels
|
I cherry picked the filter order change to |
|
Closing. The related PR has been merged to the 3.3.x branch and merged to master |
|
Changing the filter order is not the correct fix for this issue as "remember me" does not work at all currently. So, I'm reverting the commit and will continue to look for a solution to this issue that does not involve reordering the filters. |
|
This appears to be what is happening:
In a standard Spring Security setup RememberMeAuthenticationFilter just continues processing the FilterChain by making sure the successHandler is null. If you really want a successHandler to be set, it is your responsibility to avoid a redirect loop. Another point is that Grails LoginController will perform a redirect to success handler if the user is logged in which means the login page will not be displayed unless the user overrides the login page. |
|
@ddelponte please remove fixed label, as the problem is still unfixed. |
|
I am also encountering this issue, using the latest version of the plugin |
robertoschwald
changed the title
|
It seems like a very important problem. How can we use remember me while this issue is still unresolved? Why is this not a priority? At least some workaround would have been nice after 2+ years... |
|
Due to the fact that Grails has no traction and the momentum here has fallen off so far this year, I wouldn't expect too much. Feel free to open a pull request. |
|
Agree with you @aentwist about slow development/response sometimes by the Grails community but the link you shared (https://www.quora.com/Is-Grails-framework-dead) is quite old and there has been a big movement in terms of development in Grails framework which has made it far better and amazing. Requesting Grails community and maintainers of this plugin to pick this issue on high priority. (PS. I'm one of the commentators in that Quora question) |
|
Here is my workaround until the problem is resolved. The main symptom of this problem appears to be that when a resource secured with This has a side effect: if a remember-me authenticated user opens (or gets redirected to) the login page, they will actually see the login page, instead of being automatically redirected to |
In Grails 3.3.x, isFullyAuthenticated() / IS_FULLY_AUTHENTICATED rule does not work as expected.
When accessing a resource secured by isFullyAuthenticated() using remember-me, a redirect to LoginController.full() is expected, but a redirect loop between login and protected resource happens until the browser gives up.
Steps to Reproduce
Expected Behaviour
Re-login page is shown
Actual Behaviour
Redirect loop between login and protected resource happens until the browser gives up.
It seems no AuthenticationException is thrown on a remember-me access to a isFullyAuthenticated() resource, therefore LoginController.auth() is called, and not LoginController.full()
Environment Information
Example Application
Example simple project showing the problem see https://github.com/robertoschwald/spring-security-core-fully-auth-error
The text was updated successfully, but these errors were encountered: