SPAs - redirect to login page if unauthorized. (#4554) #4585

Merged
varshavaradarajan merged 1 commit into gocd:master from varshavaradarajan:spas-redirect-to-login-page
Apr 6, 2018

@varshavaradarajan
Contributor

No description provided.

@varshavaradarajan
Contributor Author

Closing this as upon logging in, the url it goes to is /go/api/dashboard. Not sure how to block some urls from being remembered in the session. @ketan said he'll take care of it with the new security implementation as part of the spring security upgrade. Can be reopened if needed.

@ketan
Member

ketan commented Apr 3, 2018

This PR is still relevant. What needs fixing is the server side "remember url" logic.

@ketan ketan reopened this Apr 3, 2018
});
};

const redirectToLoginPageIfUnauthorized = function(jqXHR) {
Member


Since we're using $.ajax, we can probably add a global handler, if you like: http://api.jquery.com/category/ajax/global-ajax-event-handlers/

@ketan
Member

ketan commented Apr 3, 2018

Also — this might be relevant —

<property name="urlPatternsThatShouldNotBeRedirectedToAfterLogin" value="(\.json)|(\?.*format=json)|(/images/)|(\.css)|(\.ico)|(\.js)|(/auth/login)|(/auth/logout)"/>

@varshavaradarajan varshavaradarajan force-pushed the spas-redirect-to-login-page branch 2 times, most recently from 6384d6f to a5a909b Compare April 5, 2018 08:10
}

private boolean isAnApiRequest(HttpServletRequest httpRequest) {
return httpRequest.getRequestURI().contains("/api/");
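Review bot: contains("/api/") in isAnApiRequest matches that segment anywhere in the request URI, so a non-API path that merely contains /api/ is classified as an API request and, per the commit message, would get a 401 instead of the login redirect. Anchor the check to the start of the path. getRequestURI() includes the context path (the thread mentions /go/api/dashboard), so compare against the context path plus /api/, for example httpRequest.getRequestURI().startsWith(httpRequest.getContextPath() + "/api/").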
Member


I'd probably err on the side of doing a startsWith to avoid situations where you're accessing files/:pipeline_name/:pipeline_counter/:stage_name/:stage_counter/:job_name/foo/api/index.html
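The two URL checks discussed in this thread, as an added example that is not GoCD's code: it runs the exclusion pattern from the quoted property and both forms of the API check over constructed request URIs. It assumes the pattern is applied with search (find) semantics and that the context path is /go; the function names are hypothetical.

```javascript
// Added illustration, not GoCD code. The pattern is copied from the
// urlPatternsThatShouldNotBeRedirectedToAfterLogin property quoted in the thread.
const NOT_REMEMBERED = new RegExp(
  "(\\.json)|(\\?.*format=json)|(/images/)|(\\.css)|(\\.ico)|(\\.js)|(/auth/login)|(/auth/logout)"
);

// Assumption: the server searches for the pattern anywhere in path + query.
// A URL that does not match is eligible to be the post-login redirect target.
function isRememberedAfterLogin(url) {
  return !NOT_REMEMBERED.test(url);
}

// Substring check, equivalent to the contains("/api/") in the isAnApiRequest hunk.
function isApiByContains(requestUri) {
  return requestUri.includes("/api/");
}

// Prefix check anchored to the context path (assumed "/go", as in /go/api/dashboard).
function isApiByPrefix(requestUri, contextPath = "/go") {
  return requestUri.startsWith(contextPath + "/api/");
}

// Constructed sample request URIs (pipeline and job names are made up).
const SAMPLES = [
  "/go/api/dashboard",
  "/go/pipelines",
  "/go/files/up42/1/build/1/job/foo/api/index.html",
  "/go/assets/app.css",
  "/go/auth/login",
];

function classify(samples = SAMPLES) {
  return samples.map((uri) => ({
    uri,
    remembered: isRememberedAfterLogin(uri),
    apiByContains: isApiByContains(uri),
    apiByPrefix: isApiByPrefix(uri),
  }));
}

for (const row of classify()) console.log(JSON.stringify(row));
```

Under these assumptions /go/api/dashboard is not excluded by the pattern, which is consistent with the post-login landing URL described earlier in the thread, and the artifact path is an API request only under the substring check.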


/cctray.xml=modeAwareFilter,i18nlocaleResolver,httpSessionContextIntegrationFilter,apiSessionFilter,goLogoutFilter,removeAdminPermissionFilter,oauthProcessingFilter,basicProcessingFilter,authenticationProcessingFilter,reAuthenticationFilter,userEnabledCheckFilter,anonymousProcessingFilter,basicAuthenticationAccessDenied,denyGoCDAccessForArtifactsFilter,sessionFixationProtectionFilter,filterInvocationInterceptor,flashLoader,urlRewriter
/api/**=modeAwareFilter,i18nlocaleResolver,httpSessionContextIntegrationFilter,apiSessionFilter,goLogoutFilter,removeAdminPermissionFilter,oauthProcessingFilter,basicProcessingFilter,authenticationProcessingFilter,reAuthenticationFilter,userEnabledCheckFilter,anonymousProcessingFilter,basicAuthenticationAccessDenied,denyGoCDAccessForArtifactsFilter,sessionFixationProtectionFilter,filterInvocationInterceptor,flashLoader,urlRewriter
/api/**=modeAwareFilter,i18nlocaleResolver,httpSessionContextIntegrationFilter,apiSessionFilter,goLogoutFilter,removeAdminPermissionFilter,oauthProcessingFilter,basicProcessingFilter,authenticationProcessingFilter,reAuthenticationFilter,userEnabledCheckFilter,anonymousProcessingFilter,basicAuthenticationAccessDenied,cruiseLoginOrBasicAuthentication,denyGoCDAccessForArtifactsFilter,sessionFixationProtectionFilter,filterInvocationInterceptor,flashLoader,urlRewriter
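Review bot: nothing documents why cruiseLoginOrBasicAuthentication is placed directly after basicAuthenticationAccessDenied in the /api/** chain, and the filters run in the order listed. Say in the commit message, or in a comment beside the chain, which of the two is expected to answer an unauthenticated API request. The one-name difference between the two /api/** lines is also hard to spot at this length, so naming the added filter in the commit message would help reviewers.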
Member


Was removing this intentional?

Contributor Author


What do you mean? I added cruiseLoginOrBasicAuthentication to api/**, didn't remove anything.

@varshavaradarajan varshavaradarajan force-pushed the spas-redirect-to-login-page branch 2 times, most recently from f41df56 to 055bff4 Compare April 6, 2018 05:04
@varshavaradarajan varshavaradarajan changed the title [WIP] SPAs - redirect to login page if unauthorized. (#4554) SPAs - redirect to login page if unauthorized. (#4554) Apr 6, 2018
@yankurk
Contributor

yankurk commented Apr 6, 2018

I tested the functionality locally. It works fine.

* Set the status as 401 for an api request.