Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't use absolute URI for the login page forward call #696

Merged
merged 2 commits into from Feb 28, 2017
Merged

Don't use absolute URI for the login page forward call #696

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6a9bf66
Don't use absolute URI for the login page forward call
stuartwdouglas Feb 27, 2017
a70c41a
Make form auth logout work correctly
stuartwdouglas Feb 27, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
29 changes: 15 additions & 14 deletions src/main/java/org/wildfly/security/http/impl/FormAuthenticationMechanism.java
View file
Open in desktop
Expand Up @@ -170,7 +170,8 @@ private void attemptAuthentication(HttpServerRequest request) throws HttpAuthent
char[] passwordChars = password.toCharArray();
try {
if (authenticate(null, username, passwordChars)) {
if (authorize(username, request)) {
IdentityCache identityCache = createIdentityCache(request, true);
if (authorize(username, request, identityCache)) {
log.debugf("User %s authenticated successfully using FormAuthenticationMechanism!", username);
succeed();
HttpScope session = getSessionScope(request, true);
Expand All @@ -197,7 +198,7 @@ private void attemptAuthentication(HttpServerRequest request) throws HttpAuthent
responder = (response) -> sendRedirect(response, postAuthenticationPath);
}

request.authenticationComplete(responder);
request.authenticationComplete(responder, identityCache::remove);
return;
} else {
failAndRedirectToErrorPage(request, username);
Expand All @@ -215,10 +216,9 @@ private void attemptAuthentication(HttpServerRequest request) throws HttpAuthent
}
}

private boolean authorize(String username, HttpServerRequest request) throws HttpAuthenticationException {
private boolean authorize(String username, HttpServerRequest request, IdentityCache identityCache) throws HttpAuthenticationException {
log.tracef("Authorizing username: [%s], Request URI: [%s], Context path: [%s]", username, request.getRequestURI(), this.contextPath);

IdentityCache identityCache = createIdentityCache(request, true);
if (identityCache != null) {
CachedIdentityAuthorizeCallback authorizeCallback = new CachedIdentityAuthorizeCallback(username, identityCache);
try {
Expand Down Expand Up @@ -257,7 +257,7 @@ private boolean attemptReAuthentication(HttpServerRequest request) throws HttpAu
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
request.authenticationComplete();
request.authenticationComplete(null, identityCache::remove);
return true;
}
}
Expand Down Expand Up @@ -298,20 +298,13 @@ void sendLogin(HttpServerRequest request, HttpServerResponse response) throws Ht
request.suspendRequest();
}

StringBuilder sb = new StringBuilder();
sb.append(requestURI.getScheme());
sb.append("://");
sb.append(requestURI.getHost());
sb.append(':').append(requestURI.getPort());
sb.append(loginPage);
sendPage(sb.toString(), request, response);
sendPage(loginPage, request, response);
}

void sendPage(String page, HttpServerRequest request, HttpServerResponse response) throws HttpAuthenticationException {
if (response.forward(page)) {
return;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see why you have needed to remove this as we need to cope with both a forward and direct resource access within sendPage but at the very end of sendPage we fall through so sendRedirect I think we need it to be back to a URI at that point.


// Work out how and send the login page.
HttpScope application = request.getScope(Scope.APPLICATION);
if (application != null && application.supportsResources()) {
Expand All @@ -333,7 +326,15 @@ void sendPage(String page, HttpServerRequest request, HttpServerResponse respons
}
}

sendRedirect(response, contextPath + page);
URI requestURI = request.getRequestURI();
StringBuilder sb = new StringBuilder();
sb.append(requestURI.getScheme());
sb.append("://");
sb.append(requestURI.getHost());
sb.append(':').append(requestURI.getPort());
sb.append(contextPath);
sb.append(page);
sendRedirect(response, sb.toString());
}

private void sendRedirect(HttpServerResponse response, String location) {
Expand Down
22 changes: 22 additions & 0 deletions src/main/java/org/wildfly/security/http/util/sso/SingleSignOnServerMechanismFactory.java
View file
Open in desktop
Expand Up @@ -159,6 +159,28 @@ public void authenticationComplete(HttpServerMechanismsResponder responder) {
});
}

@Override
public void authenticationComplete(HttpServerMechanismsResponder responder, Runnable logoutHandler) {
request.authenticationComplete(response -> {
try {
String id = singleSignOnSession.getId();
if (id != null) {
HttpServerCookie cookie = getCookie(request);

if (cookie == null) {
response.setResponseCookie(createCookie(id, -1));
}
}

if (responder != null) {
responder.sendResponse(response);
}
} finally {
singleSignOnSession.close();
}
}, logoutHandler);
}

@Override
public void authenticationFailed(String message, HttpServerMechanismsResponder responder) {
request.authenticationFailed(message, response -> {
Expand Down