shiro-dev mailing list archives

From "Alex Edwards (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-406) Redirected to the wrong url after successful login
Date Sun, 05 May 2013 19:16:16 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13649392#comment-13649392 ]

Alex Edwards commented on SHIRO-406:
------------------------------------

So this was a configuration issue.

So, for example, if I secured /** = authc using Shiro, added a more specific rule for /login.html
= anon and set this as the login page, then if the login page contains any CSS or JS files, once
logged in I will be redirected to the last script it loaded.

Now that I understand what is happening it seems like desired behaviour, but it was confusing
until I realised this.
                
> Redirected to the wrong url after successful login
> --------------------------------------------------
>
>                 Key: SHIRO-406
>                 URL: https://issues.apache.org/jira/browse/SHIRO-406
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.1
>         Environment: jboss 7, hibernate 4, jsf2, primefaces
>            Reporter: Alex Edwards
>            Priority: Minor
>
> Navigate to a secure page that requires the user to be logged in; the user is redirected
> to the login page. After successful login the user is redirected to a PrimeFaces JS page.
> Cause
> This occurs when the login page is contained within a secured URL. If the login page
> contains any external links, e.g. JS or CSS, one of these will end up being the saved request.
> I think this is the wrong behaviour. If the login page is treated as a special case (as
> it seems to be) then the request that caused it to be invoked should remain as the saved request;
> subsequent requests for secure content by the login page should not be saved or provided.
> As this is essentially user mis-configuration, it could be prevented by not having the
> login page as a special case; if it is located at a secure URL nothing will happen.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
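
The configuration described in this comment, and one way to correct it, as an added example that is not part of the original message or of the Shiro project. The resource paths (/css/**, /js/**, /javax.faces.resource/**) are assumptions about where the login page's stylesheets and scripts are served from.

```ini
# Constructed shiro.ini fragment; the resource paths are assumptions.
[main]
# "set this as the login page"
authc.loginUrl = /login.html

[urls]
# Before (the setup described in the comment): only the login page is
# exempt. Each stylesheet or script it loads matches /** = authc, is
# denied, and replaces the saved request, so the last one loaded becomes
# the redirect target after a successful login.
#   /login.html = anon
#   /**         = authc

# After: rules are evaluated top-down and the first match wins, so the
# resources the login page loads are exempted before the catch-all and
# the originally requested secure page stays as the saved request.
/login.html              = anon
/css/**                  = anon
/js/**                   = anon
/javax.faces.resource/** = anon
/**                      = authc
```

Exempt only paths that serve static, non-sensitive files, since anything matching an anon rule is reachable without logging in.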
