[OPENAM-3660] RedirectCallbackHander uses HttpServletRequest.getRequestURL to construct AM_REDIRECT_BACK_SERVER_URL - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 11.0.0
Fix Version/s: 10.0.3, 11.0.2, 12.0.0
Component/s: authentication
Labels:
- release-notes

Support Ticket IDs:

Description

RedirectCallbackHandler

public void handleRedirectCallback(HttpServletRequest request, HttpServletResponse response,
RedirectCallback redirectCallback, String loginURL) throws IOException {

if (debug.messageEnabled())

{ debug.message("Redirect to external web site..."); debug.message("RedirectUrl : " + redirectCallback.getRedirectUrl() + ", RedirectMethod : " + redirectCallback.getMethod() + ", RedirectData : " + redirectCallback.getRedirectData()); }

String qString = AuthUtils.getQueryStrFromParameters(redirectCallback.getRedirectData());

String requestURL = request.getRequestURL().toString();
String requestURI = request.getRequestURI();
int index = requestURL.indexOf(requestURI);

HttpServletRequest.getRequestURL returns protocol://hostname of the server hosting the servlet and not what's displayed on browser. So if OpenAM server is behind reverse proxy, it will return wrong URL.

Attachments

Issue Links

is related to

OPENAM-3659 OAuth2 auth module uses HttpServletRequest.getRequestURL() to construct ORIG_URL cookie

Resolved

relates to

OPENAM-5130 OAuth2 authorization will redirect using scheme://hostname:port of OpenAM server rather than reverse proxy

Resolved

OPENAM-5237 OAuth2 authorization consent page uses absolute URL in FORM tag

Resolved

Activity

People

Assignee:

Sachiko Wallace

Reporter:

Sachiko Wallace

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

18/Feb/14 8:28 PM

Updated:

20/Nov/16 12:18 PM

Resolved:

15/Apr/14 10:39 PM