OpenAM / OPENAM-1083

Using Federation redirects with the valid goto URL whitelist causes problems


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Express8, Snapshot9, Snapshot9.5, Snapshot9.5.1, Snapshot9.5.2_RC1, Snapshot9.5.2, 9.5.3_RC1, 9.5.3, 9.5.4_RC1, 9.5.4
    • Fix Version/s: 9.5.5, 10.0.2, 11.0.0
    • Component/s: authentication
    • Sprint 3

      Description

      If you have whitelist goto URL validation turned on and the AuthUI forwarding is being used by federation, then after a successful login you will get a 404, since the Auth UI will consider the goto URL to be invalid.

      amAuth:01/27/2012 11:47:19:017 AM GMT: Thread[httpSSLWorkerThread-80-4,10,Grizzly]
      LoginState.getSuccessLoginURL():Original goto URL is /SSORedirect/metaAlias/idp?ReqID=_6fc75ee09043784223f47245f11158c0 which is invalid

      If you add /SSORedirect/* to the valid goto URL list, it will still not work; you'll see this:

      patternMatching:01/27/2012 12:12:02:486 PM GMT: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
      URLPatternMatcher.match(/SSORedirect/metaAlias/idp?ReqID=_3dd8d3e62f689f6a971e7218aaa002fa): matching by pattern: /SSORedirect/*
      patternMatching:01/27/2012 12:12:02:486 PM GMT: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
      HttpURLResourceName.compare: request resource=/SSORedirect/metaAlias/idp?ReqID=_3dd8d3e62f689f6a971e7218aaa002fa; policy resource=/SSORedirect/*
      patternMatching:01/27/2012 12:12:02:486 PM GMT: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
      HttpURLResourceName.compare: request resource substring1=/SSORedirect/metaAlias/idp; request resource substring2=ReqID=_3dd8d3e62f689f6a971e7218aaa002fa; policy resource substring1=/SSORedirect/*; policy resource substring2=null
      patternMatching:01/27/2012 12:12:02:486 PM GMT: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
      HttpURLResourceName.compare: request resource=/SSORedirect/metaAlias/idp; policy resource=/SSORedirect/*
      patternMatching:01/27/2012 12:12:02:486 PM GMT: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
      HttpURLResourceName.compare: result=wildcard_match

      But the method then returns false. Further debugging shows that the wildcard_match is found as part of the recursive call, and the actual return value is super_resource_match. URLPatternMatcher should allow for this return value.
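A simplified model of the matching described above, added here as an example (it is not OpenAM's code): compare splits each resource at "?", the path compare yields wildcard_match, and the extra query string on the request turns the overall result into super_resource_match, which the original whitelist check does not accept; FIXED is the widened set the report asks for, and it still rejects URLs outside the whitelisted prefix. The constant names and the split-on-"?" behaviour are assumptions based on the log lines, not OpenAM's actual signatures.

```python
import re

EXACT, WILDCARD, SUPER, NO_MATCH = (
    "exact_match", "wildcard_match", "super_resource_match", "no_match")

# Accepted results: what the report describes the original check allowing,
# and the widened set the report asks for (super_resource_match included).
ORIGINAL = frozenset({EXACT, WILDCARD})
FIXED = frozenset({EXACT, WILDCARD, SUPER})


def _wildcard_match(path, pattern):
    # '*' matches any run of characters, '/' included, as with /SSORedirect/* in the log
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def compare(request, policy):
    """Simplified model of HttpURLResourceName.compare (assumption, not OpenAM code).

    Both resources are split at '?' into a path (substring1) and a query
    (substring2); the paths are compared first, and a request that carries a
    query the policy does not mention is reported as a super resource.
    """
    req_path, _, req_query = request.partition("?")
    pol_path, _, pol_query = policy.partition("?")
    if "*" in pol_path:
        path_result = WILDCARD if _wildcard_match(req_path, pol_path) else NO_MATCH
    else:
        path_result = EXACT if req_path == pol_path else NO_MATCH
    if path_result == NO_MATCH:
        return NO_MATCH
    if req_query and not pol_query:
        return SUPER  # the inner path compare said wildcard_match; overall result is super
    if req_query != pol_query:
        return NO_MATCH
    return path_result


def goto_allowed(goto, whitelist, accepted=ORIGINAL):
    """Whitelist check: the goto URL must match some entry with an accepted result."""
    return any(compare(goto, entry) in accepted for entry in whitelist)


if __name__ == "__main__":
    goto = "/SSORedirect/metaAlias/idp?ReqID=_3dd8d3e62f689f6a971e7218aaa002fa"
    print(compare(goto, "/SSORedirect/*"))               # super_resource_match
    print(goto_allowed(goto, ["/SSORedirect/*"]))         # False -> the 404 from the report
    print(goto_allowed(goto, ["/SSORedirect/*"], FIXED))  # True
    print(goto_allowed("/other/path?ReqID=x", ["/SSORedirect/*"], FIXED))  # False
```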

              People

              steve (Steve Ferris)