[OPENAM-3660] RedirectCallbackHandler uses HttpServletRequest.getRequestURL to construct AM_REDIRECT_BACK_SERVER_URL Created: 18/Feb/14  Updated: 20/Nov/16  Resolved: 15/Apr/14

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 11.0.0
Fix Version/s: 10.0.3, 11.0.2, 12.0.0

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-5130 OAuth2 authorization will redirect us... Resolved
relates to OPENAM-5237 OAuth2 authorization consent page use... Resolved
is related to OPENAM-3659 OAuth2 auth module uses HttpServletRe... Resolved



public void handleRedirectCallback(HttpServletRequest request, HttpServletResponse response,
        RedirectCallback redirectCallback, String loginURL) throws IOException {

    if (debug.messageEnabled()) {
        debug.message("Redirect to external web site...");
        debug.message("RedirectUrl : " + redirectCallback.getRedirectUrl()
                + ", RedirectMethod : " + redirectCallback.getMethod()
                + ", RedirectData : " + redirectCallback.getRedirectData());
    }

    String qString = AuthUtils.getQueryStrFromParameters(redirectCallback.getRedirectData());

    String requestURL = request.getRequestURL().toString();
    String requestURI = request.getRequestURI();
    int index = requestURL.indexOf(requestURI);

HttpServletRequest.getRequestURL returns the protocol://hostname of the server hosting the servlet, not what is displayed in the browser. So if the OpenAM server is behind a reverse proxy, it will return the wrong URL.

Comment by Peter Major [X] (Inactive) [ 19/Feb/14 ]

I think we should only save the relative path of the URL and leave the rest to the container/reverse proxy to sort out.
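An added example (not OpenAM code and not part of the issue or its comments) contrasting a redirect-back value built from the URL the container saw with one kept as a server-relative path. The host names, the sample login path, both helper methods and the way the prefix found via `index` is joined with `loginURL` are assumptions made for illustration.

```java
import java.net.URI;

// Added illustration, not OpenAM code. All host names and paths are constructed samples.
public class RedirectBackDemo {

    // Assumed reading of the snippet in the issue: take protocol://host[:port]
    // from the URL the servlet container saw and prepend it to the login URL.
    static String absoluteRedirectBack(String requestURL, String requestURI, String loginURL) {
        int index = requestURL.indexOf(requestURI);
        if (index == -1) {
            throw new IllegalArgumentException("request URI not found in request URL");
        }
        return requestURL.substring(0, index) + loginURL;
    }

    // The approach proposed in the comment: store only a server-relative path.
    // Anything carrying a scheme or an authority ("//host/...") is rejected so the
    // stored value can never name a host of its own.
    static String relativeRedirectBack(String loginURL) {
        URI u = URI.create(loginURL);
        if (u.isAbsolute() || u.getRawAuthority() != null || !loginURL.startsWith("/")) {
            throw new IllegalArgumentException("expected a server-relative path: " + loginURL);
        }
        return loginURL;
    }

    public static void main(String[] args) {
        // What the container behind the reverse proxy reports (constructed values).
        String requestURL = "http://am-internal.example:8080/openam/UI/Login";
        String requestURI = "/openam/UI/Login";
        String loginURL = "/openam/UI/Login?service=sample";

        // The page the browser is actually on, served through the proxy (constructed value).
        URI browserPage = URI.create("https://login.example.com/openam/UI/Login");

        String absolute = absoluteRedirectBack(requestURL, requestURI, loginURL);
        String relative = relativeRedirectBack(loginURL);

        // The absolute value points at the internal host the browser cannot reach.
        System.out.println("absolute value : " + absolute);
        // The relative value is resolved by the browser against the public origin.
        System.out.println("relative value : " + relative);
        System.out.println("browser target : " + browserPage.resolve(relative));
    }
}
```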
