author | Shawn Pearce <sop@google.com> | 2013-04-23 15:02:14 -0700 |
---|---|---|
committer | Shawn Pearce <sop@google.com> | 2013-04-23 15:02:14 -0700 |
commit | fbde62739022a4336fff84fa8b3ac5d359f7e6a1 (patch) | |
tree | 5fb10f5daf0814b83c61e9a2cd93cb73ce9cba57 /gerrit-httpd | |
parent | 98c89249c574d7a37c52825b9bb368cda35eca33 (diff) |
Fix login redirect loop when auth.type = HTTP
In commit eb81d926 I modified the HttpAuthFilter to verify not
only that the Gerrit session cookie was valid, but also that the
session matches the username supplied by the container or reverse
proxy web server.
This check fails on Apache servers that use the recommended setting
of required user only on <Location /login/>. Browsers will not send
the Authorization header to /, so the remote user is null and Gerrit
thinks the session was not valid.
Commit eb81d926 added this check to handle SSO cases where every
request is authenticated and the user has performed some SSO action
to switch user identities as described in issue 1822.
Handle both cases more gracefully by only checking the username if
the container is supplying one.
Bug: issue 1862
Change-Id: Iad020049d7ba8a19d6f9c627ecf0d9df62aafafc
Diffstat (limited to 'gerrit-httpd')
-rw-r--r-- | gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java
index f6cd8c1805..adca95e66e 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpAuthFilter.java
@@ -119,14 +119,17 @@ class HttpAuthFilter implements Filter {
 WebSession session = sessionProvider.get();
 if (session.isSignedIn()) {
 String user = getRemoteUser(req);
- AccountExternalId.Key id = session.getLastLoginExternalId();
- return user != null
- && id != null
- && id.equals(new AccountExternalId.Key(SCHEME_GERRIT, user));
+ return user == null || correctUser(user, session);
 }
 return false;
 }
 
+ private static boolean correctUser(String user, WebSession session) {
+ AccountExternalId.Key id = session.getLastLoginExternalId();
+ return id != null
+ && id.equals(new AccountExternalId.Key(SCHEME_GERRIT, user));
+ }
+
 String getRemoteUser(HttpServletRequest req) {
 if (AUTHORIZATION.equals(loginHeader)) {
 String user = emptyToNull(req.getRemoteUser());
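Review bot: The new line `return user == null || correctUser(user, session);` makes the session cookie alone sufficient whenever the container supplies no identity, and that security-relevant trade-off is not recorded in the code: the identity-switch check from eb81d926 now only runs on requests that carry a container-authenticated user, which is the intended fix for the /login/-only Apache configuration but is easy to undo or misread later. I would add a comment above that line, e.g. `// No container identity on this request (e.g. only /login/ is protected): trust the session cookie alone; an identity mismatch can only be detected on requests the container authenticates.`, and a Javadoc on correctUser stating that it returns true only when the session's last-login external id equals the gerrit-scheme id built from the supplied user (false when the session has no such id). Since getRemoteUser applies emptyToNull, at least in the AUTHORIZATION branch visible here, an empty REMOTE_USER also takes the trust-the-cookie branch, which is worth stating in the same comment. The method containing the changed return starts before the hunk, and getRemoteUser continues past it.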