Robert Munteanu created SLING-10383:
---------------------------------------

             Summary: Do not check for redirect loops when a login fails due to an expired token
                 Key: SLING-10383
                 URL: https://issues.apache.org/jira/browse/SLING-10383
             Project: Sling
          Issue Type: Improvement
          Components: Authentication
            Reporter: Robert Munteanu
            Assignee: Robert Munteanu
             Fix For: Auth Core 1.5.4


Authentication tokens issued by Oak (https://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html) have an expiry time. The following scenario can happen:
- user is logged in to page at /content/foo.html
- authentication token expires
- user clicks a link that takes them to the same page - /content/foo.html

Due to the {{Referer}} header check in 
[SlingAuthenticator.isLoginLoop|https://github.com/apache/sling-org-apache-sling-auth-core/blob/a9280cc00465b6880f2993bcaf206e1c29e19de0/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java#L1106-L1118]
 the request is considered as part of a loop and does not trigger a redirect to 
the login page.

We should skip the loop check for expired credentials instead and allow the 
redirect login to be created.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
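To make the scenario above concrete, here is a small Python model of the Referer-based loop heuristic and of the change the issue proposes. It is an added illustration written for this page, not code from Sling's SlingAuthenticator; the function names, the URL normalisation and the plain-string failure reasons (REASON_EXPIRED_TOKEN, REASON_INVALID_CREDENTIALS) are assumptions made for the example and do not reproduce Sling's own reason codes or API.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Failure reasons as plain strings for this model (assumed names, not Sling's).
REASON_EXPIRED_TOKEN = "expired_token"
REASON_INVALID_CREDENTIALS = "invalid_credentials"


def _normalize(url: str) -> str:
    """Compare on scheme, host, path and query only. The fragment is dropped
    because browsers never include it in a Referer header anyway."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, ""))


def is_login_loop(request_url: str, referer: Optional[str]) -> bool:
    """Referer heuristic: if the page that sent the user here is the very page
    we are about to protect again, a redirect to the login form looks like a
    loop (login -> page -> login -> ...)."""
    if not referer:
        return False
    return _normalize(request_url) == _normalize(referer)


def redirect_to_login_before(request_url: str, referer: Optional[str],
                             reason: str) -> bool:
    """Behaviour described in the issue: every failed login, whatever the
    reason, is subject to the loop check, so a matching Referer suppresses
    the redirect."""
    return not is_login_loop(request_url, referer)


def redirect_to_login_after(request_url: str, referer: Optional[str],
                            reason: str) -> bool:
    """Proposed behaviour: an expired token is a legitimate reason to send the
    user back to the login form even when the Referer matches, so the loop
    check is skipped for that reason only."""
    if reason == REASON_EXPIRED_TOKEN:
        return True
    return not is_login_loop(request_url, referer)


# Constructed request for the scenario in the issue: the user is on
# /content/foo.html, the token expires, and they click a link to the same
# page, so the Referer equals the request URL.
PAGE = "https://cms.example/content/foo.html"


def expired_token_scenario() -> Tuple[bool, bool]:
    """Return (redirect before the change, redirect after the change)."""
    before = redirect_to_login_before(PAGE, PAGE, REASON_EXPIRED_TOKEN)
    after = redirect_to_login_after(PAGE, PAGE, REASON_EXPIRED_TOKEN)
    return before, after


if __name__ == "__main__":
    before, after = expired_token_scenario()
    print(f"expired token, same Referer: before={before} after={after}")
    # A genuine loop (bad credentials bouncing between page and login) is
    # still caught by the heuristic after the change.
    print("bad credentials, same Referer:",
          redirect_to_login_after(PAGE, PAGE, REASON_INVALID_CREDENTIALS))
```

Run as a script it shows the user stuck on the page before the change (no redirect) and sent to the login form after it, while a request that fails for a reason other than an expired token is still treated as a loop when its Referer matches.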