  1. DSpace
  2. DS-3505

Bad redirection from logout action

    Details

    • Documentation Status:
      Not Required

      Description

      UnAuthenticateAction.act() can cause a redirect loop if XMLUI is at the root (i.e. https://dspace.example.com/ not https://dspace.example.com/xmlui). After logging the user out, it redirects to the value of HttpServletRequest.getContextPath(), which for a root application is "", which is the relative path for "this page (again)". It should simply redirect to the value of dspace.url.

      Noted in passing: we don't document where you should expect to land after logging out.

      Noted in passing: act() tests an undocumented configuration value 'xmlui.public.logout' which appears nowhere else in the source kit, and if true, pastes up a complete URL using the context path and a constant 'http' scheme. This can be wrong if dspace.url uses the 'https' scheme, and it's likely never used anywhere anyway since you'd only know of it by reading the code. The intent here seems to be to force the session out of SSL – why, I can't imagine.
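
Added example (not part of the original issue and not DSpace code): a small model of the three redirect targets the description mentions, resolved the way a browser resolves a `Location` value. It flags a target that lands on the logout URL again or that leaves the scheme of dspace.url. The function names, the `/logout` path and the use of the request host in the 'xmlui.public.logout' branch are assumptions made for illustration.

```javascript
// Model of the logout redirect targets described in DS-3505.
// Hypothetical helper names; sample URLs are constructed.

// Behaviour described in the issue: Location is the servlet context path.
// A browser resolves it against the URL it just requested.
function contextPathTarget(requestUrl, contextPath) {
  return new URL(contextPath, requestUrl).href;
}

// 'xmlui.public.logout' branch as described: constant 'http' scheme plus
// the context path. Assumption: the host comes from the current request.
function publicLogoutTarget(requestUrl, contextPath) {
  const host = new URL(requestUrl).host;
  return new URL(`http://${host}${contextPath}`).href;
}

// Behaviour proposed in the issue: redirect to the configured dspace.url.
function dspaceUrlTarget(dspaceUrl) {
  return new URL(dspaceUrl).href;
}

// Check one candidate target against the request and the configured site URL.
function audit(requestUrl, target, dspaceUrl) {
  const t = new URL(target);
  return {
    target: t.href,
    loops: t.href === new URL(requestUrl).href, // lands on logout again
    schemeMismatch: t.protocol !== new URL(dspaceUrl).protocol,
  };
}

// Constructed deployments: XMLUI at the root and under /xmlui.
const deployments = [
  { dspaceUrl: "https://dspace.example.com", contextPath: "" },
  { dspaceUrl: "https://dspace.example.com/xmlui", contextPath: "/xmlui" },
];

for (const { dspaceUrl, contextPath } of deployments) {
  const requestUrl = dspaceUrl + "/logout"; // assumed logout path
  console.log(JSON.stringify(contextPath), {
    contextPath: audit(requestUrl, contextPathTarget(requestUrl, contextPath), dspaceUrl),
    publicLogout: audit(requestUrl, publicLogoutTarget(requestUrl, contextPath), dspaceUrl),
    dspaceUrl: audit(requestUrl, dspaceUrlTarget(dspaceUrl), dspaceUrl),
  });
}
```
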

            People

            • Assignee:
              mwood Mark H. Wood
              Reporter:
              mwood Mark H. Wood