Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Version: Auth Core 1.0.6
Description
The AuthUtil.isRedirectValid method validates the target path on the assumption that the request's servlet context path is part of it. The AuthUtil.sendRedirect method, on the other hand, is built not to expect the servlet context path in the target.
This causes redirect failures when the Sling application is deployed in a non-root servlet context. If a path is supplied without the servlet context path, the validation check fails and the redirect goes to the duplicated context path. If a path is supplied with the servlet context path, validation succeeds, but the redirect again goes to a path prefixed with a duplicate context path.
In essence, isRedirectValid and sendRedirect should be symmetric: both should require the target path to be prefixed with the servlet context path.
The old AbstractAuthenticationHandler.sendRedirect method cannot be changed in this way, so it keeps accepting a target path without the servlet context path. Before it calls the new AuthUtil.sendRedirect method, however, it prefixes the target path with the servlet context path to comply with the new contract of AuthUtil.sendRedirect.
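The symmetric contract described above, written out as an added example. This is not Sling's AuthUtil or AbstractAuthenticationHandler code: the class and method names are hypothetical, the context path is passed as a plain string instead of being read from an HttpServletRequest, and the rejection of absolute and protocol-relative targets is an assumed extra check (the usual reason a redirect validator exists is to stop the login handler from acting as an open redirector), not something the issue text states.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;

/**
 * Illustrative model (hypothetical, not Apache Sling's code) of the symmetric
 * contract from the issue: isRedirectValid and sendRedirect both take a target
 * that already carries the servlet context path, so no caller can end up with
 * the context path duplicated. legacySendRedirect shows the adapter the issue
 * describes for the old entry point that still takes a context-less target.
 */
public final class ContextPathRedirects {

    private ContextPathRedirects() {}

    /**
     * True if target is a server-relative path inside the given context path.
     * Rejecting absolute and protocol-relative URLs is an assumed extra check
     * that keeps this helper from redirecting off-site; it is not from the issue.
     */
    public static boolean isRedirectValid(String contextPath, String target) {
        Objects.requireNonNull(contextPath, "contextPath");
        if (target == null || target.isEmpty() || target.charAt(0) != '/') {
            return false;                 // must be server-relative
        }
        if (target.startsWith("//")) {
            return false;                 // protocol-relative URL would leave the host
        }
        try {
            URI uri = new URI(target);    // also rejects illegal characters such as backslash
            if (uri.getScheme() != null || uri.getAuthority() != null) {
                return false;
            }
        } catch (URISyntaxException e) {
            return false;
        }
        // Per the servlet spec the root context path is "", so every
        // server-relative path is inside it.
        if (contextPath.isEmpty()) {
            return true;
        }
        return target.equals(contextPath) || target.startsWith(contextPath + "/");
    }

    /**
     * Models the new-style sendRedirect: the context path is expected to be
     * present already, so the target is sent unchanged. Returns the Location
     * that would be sent, or null when validation fails (a real handler would
     * fall back to a safe default location instead of null).
     */
    public static String sendRedirect(String contextPath, String target) {
        if (!isRedirectValid(contextPath, target)) {
            return null;
        }
        return target;                    // no prefixing here: that is the caller's job
    }

    /**
     * Models the legacy sendRedirect, which keeps accepting a target without
     * the context path and therefore prefixes it before delegating, as the
     * issue describes for AbstractAuthenticationHandler.sendRedirect.
     */
    public static String legacySendRedirect(String contextPath, String targetWithoutContext) {
        String prefixed = contextPath + targetWithoutContext;
        return sendRedirect(contextPath, prefixed);
    }

    public static void main(String[] args) {
        String ctx = "/app";              // constructed non-root servlet context for the demo
        System.out.println(isRedirectValid(ctx, "/foo"));            // target lacks the context path
        System.out.println(sendRedirect(ctx, "/app/foo"));           // context path present once
        System.out.println(legacySendRedirect(ctx, "/foo"));         // adapter adds the prefix
        System.out.println(isRedirectValid(ctx, "//evil.example/"));  // protocol-relative target
        System.out.println(isRedirectValid("", "/foo"));             // root context
    }
}
```

The point of keeping the prefixing in one place (the legacy adapter) is that the new-style path can never produce `/app/app/foo`: either the target already carries the context path and passes through unchanged, or it does not and validation rejects it. When porting a caller from the old entry point to the new one, the only change needed is to add the context path exactly once before the call.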