Issue #4227 - do not use encodeRedirectURL for openid redirects (#4233)

* Issue #4227 - do not use encodeRedirectURL for openid redirects Signed-off-by: Lachlan Roberts <[email protected]> * changes from review Signed-off-by: Lachlan Roberts <[email protected]>
jetty · Oct 22, 2019 · a9e543c · a9e543c
1 parent add8ffc
commit a9e543c
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
@@ -246,6 +246,16 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
 
         try
         {
+            if (request.isRequestedSessionIdFromURL())
+            {
+                if (LOG.isDebugEnabled())
+                    LOG.debug("Session ID should be cookie for OpenID authentication to work");
+
+                int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
+                baseResponse.sendRedirect(redirectCode, URIUtil.addPaths(request.getContextPath(), _errorPage));
+                return Authentication.SEND_FAILURE;
+            }
+
             // Handle a request for authentication.
             if (isJSecurityCheck(uri))
             {
@@ -288,7 +298,7 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
 
                         response.setContentLength(0);
                         int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
-                        baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(nuri));
+                        baseResponse.sendRedirect(redirectCode, nuri);
                         return openIdAuth;
                     }
                 }
@@ -308,7 +318,7 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
                     if (LOG.isDebugEnabled())
                         LOG.debug("auth failed {}", _errorPage);
                     int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
-                    baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _errorPage)));
+                    baseResponse.sendRedirect(redirectCode, URIUtil.addPaths(request.getContextPath(), _errorPage));
                 }
 
                 return Authentication.SEND_FAILURE;
@@ -399,7 +409,7 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
             if (LOG.isDebugEnabled())
                 LOG.debug("challenge {}->{}", session.getId(), challengeUri);
             int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
-            baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(challengeUri));
+            baseResponse.sendRedirect(redirectCode, challengeUri);
 
             return Authentication.SEND_CONTINUE;
         }