Shiro / SHIRO-406

Redirected to the wrong url after successful login

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not a Problem
    • Affects Version/s: 1.2.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      jboss 7, hibernate 4, jsf2, primefaces

      Description

      Navigate to a secure page that requires the user to be logged in. The user is redirected to the login page; after successful login the user is redirected to a primefaces js page.

      Cause
      This occurs when the login page is contained within a secured URL. If the login page contains any external links, e.g. js, css, one of these will end up being the saved request.

      I think this is the wrong behaviour. If the login page is treated as a special case (as it seems to be), then the request that caused it to be invoked should remain as the saved request; subsequent requests for secure content by the login page should not be saved or provided.

      As this is essentially user misconfiguration, it could be prevented by not having the login page as a special case; if it is located at a secure URL, nothing will happen.

        Activity

        Les Hazlewood added a comment -

        Hi Alex,

        Do you have a very simple test that we can use to replicate this? I do not use JSF, so in order for me to fix this (which I'm happy to do), I'll need something that can demonstrate the problem that I can use to verify a fix.

        Les Hazlewood added a comment -

        Alex - any update on this? I'm happy to include a fix in 1.2.2 if you can help us recreate the issue.

        Alex Edwards added a comment -

        So this was a configuration issue.

        So for example, if I secured /** = authc using Shiro and added a more specific rule for /login.html = anon and set this as the login page, then if the login page contains any css or js files, once logged in I will be redirected to the last script it loaded.

        Now that I understand what is happening it seems like desired behaviour, but it was confusing until I realised this.

        Les Hazlewood added a comment -

        Resolving due to configuration issue. Alex - if there was something we could have done to make this more clear (e.g. update the docs somehow), please let us know.
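
A model of the behaviour this thread describes, as an added example that is not part of the original issue and not Shiro's own code: each request denied by `authc` overwrites the saved request, so the last asset the login page loads becomes the post-login redirect. The request paths, the `/javax.faces.resource/**` rule (it depends on the application's servlet mapping) and the function names are assumptions for illustration.

```python
AS_REPORTED = """
/login.html = anon
/** = authc
"""

# Assumed fix: exempt the login page's static assets ahead of the catch-all rule.
ASSETS_EXEMPT = """
/login.html = anon
/javax.faces.resource/** = anon
/** = authc
"""

# Constructed request sequence from one unauthenticated browser: the page the user
# wanted, the login page it is redirected to, then the assets that page pulls in.
REQUESTS = ["/account/orders.xhtml", "/login.html",
            "/javax.faces.resource/theme.css", "/javax.faces.resource/primefaces.js"]

def parse_urls(section):
    """Parse Shiro-style [urls] lines ('pattern = filter'), preserving order."""
    rules = []
    for line in section.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, filt = (part.strip() for part in line.split("=", 1))
            rules.append((pattern, filt))
    return rules

def matches(pattern, path):
    """Small subset of Ant-style matching: exact paths and a trailing '/**'."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def filter_for(rules, path):
    """First matching rule wins, as in Shiro's [urls] section."""
    for pattern, filt in rules:
        if matches(pattern, path):
            return filt
    return None  # no rule matched: the model lets the request through

def redirect_after_login(rules, requests):
    """Replay the requests and return where the user lands after logging in."""
    saved = None
    for path in requests:
        if filter_for(rules, path) == "authc":
            saved = path  # every denied request overwrites the one saved before it
    return saved
```

With the rules as reported, `redirect_after_login` returns the last script path; with the asset rule added it returns the originally requested page. Paths marked `anon` are served without authentication, so limit that rule to static assets.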


          People

          • Assignee: Unassigned
          • Reporter: Alex Edwards
          • Votes: 0
          • Watchers: 2
