Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.4.23.CR1, 7.4.23.GA
Affects Version/s: None
Component/s: Security
Labels:
- regression_test_only

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
-
Target Release:

7.4.z.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/2269
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The FormAuthenticationMechanism constructs the redirect URL including the following line:

sb.append(requestURI.getPath());

If the original request URL included any escaped characters these will have been lost by the call to getPath() meaning the Location sent back to the caller after authentication will be invalid.

Instead we need to call getRawPath() if we want to include it in the string concatenation.

clones

JBEAP-29571 [GSS](8.0.z) WFLY-20433 - Unescaped characters throw a NPE although allowed in settings

Verified

ELY-2894 FormAuthenticationMechanism needs to use getRawPath for redirect URL

Resolved

is incorporated by

JBEAP-29862 (7.4.z) Upgrade WildFly Elytron from 1.15.25.Final-redhat-00001 to 1.15.26.Final-redhat-00001

Closed

Assignee:: Ilia Vassilev

Reporter:: Darran Lofthouse

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/04/05 1:13 PM

Updated:: 2025/07/11 3:14 PM

Resolved:: 2025/04/05 1:15 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates