[OPENAM-3660] RedirectCallbackHandler uses HttpServletRequest.getRequestURL to construct AM_REDIRECT_BACK_SERVER_URL
Created: 18/Feb/14  Updated: 20/Nov/16  Resolved: 15/Apr/14

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 11.0.0
Fix Version/s: 10.0.3, 11.0.2, 12.0.0

Type: Bug
Priority: Major
Reporter: Sachiko Wallace
Assignee: Sachiko Wallace
Resolution: Fixed
Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-5130 OAuth2 authorization will redirect us... Resolved
relates to OPENAM-5237 OAuth2 authorization consent page use... Resolved
is related to OPENAM-3659 OAuth2 auth module uses HttpServletRe... Resolved
Support Ticket IDs:

 Description   

RedirectCallbackHandler

public void handleRedirectCallback(HttpServletRequest request, HttpServletResponse response,
        RedirectCallback redirectCallback, String loginURL) throws IOException {

    if (debug.messageEnabled()) {
        debug.message("Redirect to external web site...");
        debug.message("RedirectUrl : " + redirectCallback.getRedirectUrl()
                + ", RedirectMethod : " + redirectCallback.getMethod()
                + ", RedirectData : " + redirectCallback.getRedirectData());
    }

    String qString = AuthUtils.getQueryStrFromParameters(redirectCallback.getRedirectData());

    // The server part of the URL is taken from the container's view of the request
    String requestURL = request.getRequestURL().toString();
    String requestURI = request.getRequestURI();
    int index = requestURL.indexOf(requestURI);
    // ... (excerpt ends here)

HttpServletRequest.getRequestURL returns the protocol://hostname of the server hosting the servlet and not what's displayed in the browser. So if the OpenAM server is behind a reverse proxy, it will return the wrong URL.



 Comments   
Comment by Peter Major [X] (Inactive) [ 19/Feb/14 ]

I think we should only save the relative path of the URL and leave the rest to the container/reverse proxy to sort out.
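
The two approaches discussed in this issue, side by side, as an added example (not OpenAM code and not part of the report or the comment). The host names, the helper names and the `substring` step after `indexOf` are assumptions; the report shows the original code only up to `indexOf`.

```java
import java.net.URI;

// Added illustration, not OpenAM code. Host names and helper names are constructed.
public class RedirectBackUrlDemo {

    // Mirrors the excerpt: strip the request URI from getRequestURL() to get the server part.
    // The substring step is an assumption; the report shows the code only up to indexOf().
    static String serverUrlFromRequestUrl(String requestURL, String requestURI) {
        int index = requestURL.indexOf(requestURI);
        return index < 0 ? requestURL : requestURL.substring(0, index);
    }

    // The comment's suggestion: keep only a server-relative path (plus query string).
    // Rejects values that a browser would not treat as a path on the current host.
    static String relativeRedirectBack(String requestURI, String query) {
        if (!requestURI.startsWith("/") || requestURI.startsWith("//") || requestURI.contains("\\")) {
            throw new IllegalArgumentException("not a server-relative path: " + requestURI);
        }
        return query == null || query.isEmpty() ? requestURI : requestURI + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed values: what the browser shows vs. what the container sees behind the proxy.
        String browserUrl   = "https://sso.example.com/openam/UI/Login?realm=/";
        String containerUrl = "http://am-node1.internal:8080/openam/UI/Login"; // getRequestURL()
        String requestURI   = "/openam/UI/Login";                              // getRequestURI()

        // Absolute value built from the container's view: points at the internal host.
        String absolute = serverUrlFromRequestUrl(containerUrl, requestURI) + requestURI;

        // Relative value: carries no scheme, host or port at all.
        String relative = relativeRedirectBack(requestURI, "realm=/");

        // The browser resolves a relative redirect against the URL it is actually on.
        URI resolved = URI.create(browserUrl).resolve(relative);

        System.out.println("absolute (from getRequestURL): " + absolute);
        System.out.println("relative (saved value):        " + relative);
        System.out.println("relative as seen by browser:   " + resolved);
    }
}
```

The absolute value carries the internal scheme, host and port, which the browser cannot reach through the proxy; the relative value resolves against the public URL without the server needing to know it.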
