[ https://issues.apache.org/jira/browse/SLING-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reopened SLING-2126:
--------------------------------------


This solution is problematic and violates common agreements of the Semantic 
Versioning Whitepaper.

So I will revert it and introduce a new utility class in the 
org.apache.sling.auth.core package. This package is exported to expose a 
service provided by the auth core bundle and thus other bundles will always 
only be clients to this package.

Details: An exported API package's version should be increased on the minor 
level if new API is added, regardless of the kind of API. Micro version 
increase is only intended for bug fixes (like fixing bugs in code of exported 
classes). Hence adding new API is extremely problematic.
                
> Apply some validation to requested redirects after authentication
> -----------------------------------------------------------------
>
>                 Key: SLING-2126
>                 URL: https://issues.apache.org/jira/browse/SLING-2126
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.6
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.8
>
>
> Currently the DefaultAuthenticationFeedbackHandler.handleRedirect and 
> AbstractAuthenticationHandler.sendRedirect methods do not apply any validity 
> checks on the requested redirect target.
> We should apply some checks to ensure a valid target is accessible within the 
> Sling application. If the target is not valid, the methods would redirect to 
> the servlet context root path -- obeying the contract for redirecting the 
> client but not necessairily to the desired target. In any case an ERROR level 
> message is written to the log indicating why the redirect target is not being 
> honoured.
> This check should be made available to AuthenticationHandler implementations 
> such that they may apply checks to their own redirects.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
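The check the issue asks for, as an added example written for this page: it is not Sling's code and does not reproduce what shipped in Auth Core 1.0.8. The class name RedirectTargetValidator, the method names, the sample context path "/sling" and the use of java.util.logging (standing in for the bundle's own logger; SEVERE plays the role of the ERROR level the issue mentions) are all assumptions. A target is honoured only when it is an absolute path that stays inside the servlet context after percent-decoding and ".." resolution; everything else (another scheme, another host, a protocol-relative "//host", a backslash variant, a header-injection attempt) falls back to the context root with an error log line, which is the fallback behaviour the issue describes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.logging.Logger;

/**
 * Added example, not Sling's own code: decide whether a post-login redirect
 * target may be honoured. Only an absolute path inside this application's
 * servlet context is accepted; anything else falls back to the context root
 * and the reason is logged at error level (SEVERE in java.util.logging).
 */
public final class RedirectTargetValidator {

    private static final Logger LOG = Logger.getLogger(RedirectTargetValidator.class.getName());

    private RedirectTargetValidator() {}

    /** Collapses "." and ".." segments of an already-decoded path; null if ".." climbs above "/". */
    static String normalizePath(String decodedPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decodedPath.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;       // would escape the root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** True if target is a context-local absolute path: no scheme, no authority, no escape via "..". */
    public static boolean isValidTarget(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Browsers read "//host" and "/\host" as protocol-relative URLs pointing at another host.
        if (target.startsWith("//") || target.indexOf('\\') >= 0) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);     // rejects CR/LF, spaces and other illegal characters
        } catch (URISyntaxException e) {
            return false;
        }
        // Any scheme ("http:", "javascript:", "data:") or authority leaves the application.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getPath();   // percent-decoded, so "%2e%2e" becomes ".." here
        if (path == null || !path.startsWith("/")) {
            return false;              // relative or opaque targets are ambiguous; refuse them
        }
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return false;          // control characters or backslashes smuggled in via %xx
            }
        }
        String normalized = normalizePath(path);
        if (normalized == null) {
            return false;
        }
        String ctx = (contextPath == null) ? "" : contextPath;
        return ctx.isEmpty() || normalized.equals(ctx) || normalized.startsWith(ctx + "/");
    }

    /** The Location value to send: the target when valid, otherwise the context root, with an error logged. */
    public static String resolveRedirect(String contextPath, String target) {
        if (isValidTarget(contextPath, target)) {
            return target;
        }
        String root = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
        LOG.severe("Refusing redirect to '" + target + "': not within servlet context '"
                + root + "', redirecting to the context root instead");
        return root;
    }

    // Constructed sample targets for a context path of "/sling" (assumed, not from the issue).
    public static void main(String[] args) {
        String ctx = "/sling";
        String[] samples = {
            "/sling/content/home.html",          // honoured
            "/sling/a/../content/home.html",     // honoured, stays in the context after normalization
            "/sling/%2e%2e/other",               // decodes to "..", escapes the context: refused
            "//evil.example/phish",              // protocol-relative: refused
            "http://evil.example/",              // absolute URL: refused
            "/\\evil.example",                   // backslash variant of the above: refused
            "/other/app",                        // outside the context: refused
            "javascript:alert(1)",               // scheme: refused
            "/sling/home\r\nX-Injected: 1",      // header injection attempt: refused
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolveRedirect(ctx, s));
        }
    }
}
```

The decision is made on the decoded, segment-normalized path rather than on the raw string because browsers apply the same ".", "..", "%2e" and backslash rules when they follow the Location header; a prefix check on the raw target would accept "/sling/%2e%2e/other" even though the browser ends up at "/other". Refusing relative targets (no leading "/") is a deliberate choice for this example, since their meaning depends on the URL of the page that triggered the login and is easy to get wrong.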