CAS login request exposes internal server URL

Description

The CAS plugin, when logging in, constructs a URL like

http://external-server/cas-server/login?service=http://internal-server:8080/geoserver

instead of

http://external-server/cas-server/login?service=http://external-server/geoserver

The plugin doesn't take into account the PROXY_BASE_URL context parameter or the Proxy Base URL value in the global settings. The callback URL comes from the Java HTTP request object.

Environment

None

Activity

codehaus
April 10, 2015, 4:31 PM

CodeHaus Comment From: aaime - Time: Sat, 22 Mar 2014 09:31:35 -0500
---------------------
The pull request https://github.com/geoserver/geoserver/pull/395 contains a commit to fix this one, but lacks a test

codehaus
April 10, 2015, 4:31 PM

CodeHaus Comment From: christian.mueller@nvoe.at - Time: Sun, 6 Apr 2014 05:54:11 -0500
---------------------
The patch contains a line

String proxyBaseUrl = request.getSession(true).getServletContext().getInitParameter("PROXY_BASE_URL");

This may create an HTTP session, even if an HTTP session is not needed.

AFAIK, since Servlet 3.0 you can use request.getServletContext() avoiding session creation.

I am not sure how to continue.

Opinions?
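The following is an added illustration of the approach discussed in the report and in the comment above; it is not GeoServer's code or the code in the pull request. It reads PROXY_BASE_URL through request.getServletContext() (Servlet 3.0+, so no session is created) and falls back to the host and port the container saw; it does not cover GeoServer's "Proxy Base URL" global setting, and it assumes the CAS service callback is the application's context root.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;

/** Builds the CAS "service" callback URL, honouring PROXY_BASE_URL when it is set. */
public final class CasServiceUrlBuilder {

    private CasServiceUrlBuilder() {}

    /**
     * Externally reachable base URL of the application. PROXY_BASE_URL is looked up
     * via request.getServletContext(), which, unlike getSession(true), does not create
     * an HTTP session. Without it, the URL is rebuilt from the incoming request, which
     * behind a reverse proxy yields the internal host and port (the bug reported above).
     */
    public static String proxyAwareBaseUrl(HttpServletRequest request) {
        ServletContext ctx = request.getServletContext();
        String proxyBaseUrl = ctx.getInitParameter("PROXY_BASE_URL");
        if (proxyBaseUrl != null && !proxyBaseUrl.trim().isEmpty()) {
            return stripTrailingSlash(proxyBaseUrl.trim());
        }
        String scheme = request.getScheme();
        int port = request.getServerPort();
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        StringBuilder sb = new StringBuilder();
        sb.append(scheme).append("://").append(request.getServerName());
        if (port > 0 && !defaultPort) {
            sb.append(':').append(port);
        }
        sb.append(request.getContextPath());
        return stripTrailingSlash(sb.toString());
    }

    /** Full CAS login redirect, with the service parameter URL-encoded. */
    public static String casLoginUrl(String casServerUrlPrefix, HttpServletRequest request) {
        String service = proxyAwareBaseUrl(request);
        try {
            return stripTrailingSlash(casServerUrlPrefix) + "/login?service="
                    + URLEncoder.encode(service, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    private static String stripTrailingSlash(String s) {
        return s.endsWith("/") ? s.substring(0, s.length() - 1) : s;
    }
}
```

With PROXY_BASE_URL set to http://external-server/geoserver, casLoginUrl("http://external-server/cas-server", request) yields the corrected redirect from the description rather than one carrying internal-server:8080.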

Andrea Aime
February 15, 2017, 11:51 AM

Mass closing all resolved issues not modified in the last 4 weeks

Assignee

Unassigned

Reporter

codehaus

Triage

None

Fix versions

Affects versions

Components

Priority

Low