  1. Identity Gateway
  2. OPENIG-646

Improve LocationHeaderFilter to allow for redirects to locations outside of the application

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0, 3.1.0, 4.0.0
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
    • Support Ticket IDs:

      Description

      At the moment, the LocationHeaderFilter will re-write any redirect that is not back to OpenIG. This issue is to consider providing more flexibility around when to re-write the Location Header.

      Consider that I am using ClientHandler or DispatchHandler. In either of those cases, I would be using baseURI to indicate where the target website location is. In the LocationHeaderFilter, the baseURI would indicate the address of OpenIG itself. E.g. OpenIG is deployed on proxy.example.com and the target website is deployed on www.example.com, so the baseURI in the handler would be www.example.com. The baseURI in the filter would be proxy.example.com.

      Look at the code from the LocationHeaderFilter.

      URI currentURI = new URI(header.toString());
      URI rebasedURI = Uris.rebase(currentURI, evaluateBaseUri(exchange));
      // Only rewrite header if it has changed
      if (!currentURI.equals(rebasedURI)) {
          // replace the header here
      }

      Now there are two cases that you should consider:

      Case 1) currentURI = www.example.com - Self redirect
      Case 2) currentURI = www.foo.com - Redirect to somewhere outside

      In both case 1 and case 2, the rebasedURI will be the same, i.e. proxy.example.com, which is incorrect. In case 2, it should remain as www.foo.com. If we don't do that, then we are telling the user to come back to proxy.example.com, or in other words, the user will never be able to go outside of the site that OpenIG controls.

      Now the question is how the location filter will know when to do the replacement. There are two options that I can think of:
      Option A) Get the baseURI from the handler. If the location header starts with the baseURI from the handler, then replace that prefix with the baseURI of the filter. Do not rebase here, as it will not work if OpenIG is not deployed as the root webapp.
      Option B) Introduce an additional property for the filter which tells it when to replace the header. In other words, if you can't read the handler baseURI, then pass the handler baseURI as a parameter to the filter.
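
      A sketch of the prefix replacement described in Option A, added here as an example; it is not code from OpenIG or from the reporter. The class and helper names, the "/openig" context path, and the sample Location values are assumptions. It compares parsed scheme, host and port rather than doing a plain string prefix match, so a host such as www.example.com.foo.com is treated as external and left alone.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class LocationRewriteExample {
    // Hypothetical helper (not OpenIG API): rewrite only Locations that point at the backend.
    static URI rewrite(URI location, URI backendBase, URI proxyBase) throws URISyntaxException {
        if (!location.isAbsolute() || !sameOrigin(location, backendBase)) {
            return location; // relative, or outside the backend (Case 2): leave untouched
        }
        String basePath = stripSlash(backendBase.getRawPath());
        String path = location.getRawPath() == null ? "" : location.getRawPath();
        // Match the backend path only on a segment boundary ("/app" must not match "/apple").
        if (!path.equals(basePath) && !path.startsWith(basePath + "/")) {
            return location;
        }
        // Swap the prefix instead of rebasing, so a non-root proxy path is preserved.
        StringBuilder out = new StringBuilder(proxyBase.getScheme()).append("://")
                .append(proxyBase.getRawAuthority())
                .append(stripSlash(proxyBase.getRawPath()))
                .append(path.substring(basePath.length()));
        if (location.getRawQuery() != null) out.append('?').append(location.getRawQuery());
        if (location.getRawFragment() != null) out.append('#').append(location.getRawFragment());
        return new URI(out.toString());
    }

    // Compare parsed components; a string startsWith() would also accept lookalike hosts.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
                && port(a) == port(b);
    }

    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static String stripSlash(String p) {
        return p == null ? "" : (p.endsWith("/") ? p.substring(0, p.length() - 1) : p);
    }

    public static void main(String[] args) throws URISyntaxException {
        URI backend = new URI("http://www.example.com");        // handler baseURI (from the issue)
        URI proxy = new URI("http://proxy.example.com/openig"); // filter baseURI; "/openig" is constructed
        String[] samples = { // constructed Location values
            "http://www.example.com/login?next=%2Fhome", "http://www.foo.com/",
            "http://www.example.com.foo.com/", "/relative/path" };
        for (String s : samples) System.out.println(s + " -> " + rewrite(new URI(s), backend, proxy));
    }
}
```

      Only the first sample is rewritten (to http://proxy.example.com/openig/login?next=%2Fhome); the other three are returned unchanged.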

            People

            • Assignee:
              Unassigned
              Reporter:
              markdr Mark de Reeper