authorJan Bartel2012-05-22 11:13:10 +0000
committerJan Bartel2012-05-22 11:13:10 +0000
commit37bce89b8ffbd426fefdfa4add2a665c98bfac7f (patch)
treee1387cbb16ed4ff5fcfe7c53816f9413f09cf11a
parent5420009f0f2bbdb4dcc1cdfe31c29b0a54a6c007 (diff)
379909 FormAuthenticator Remembers only the URL of first Request before authentication
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java27
-rw-r--r--test-jetty-webapp/src/main/config/contexts/test.xml5
-rw-r--r--test-jetty-webapp/src/main/webapp/WEB-INF/web.xml10
-rw-r--r--test-jetty-webapp/src/main/webapp/auth.html1
-rw-r--r--test-jetty-webapp/src/main/webapp/auth2/index.html6
5 files changed, 46 insertions, 3 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index c21768fde1..dcd91498f3 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -77,6 +77,7 @@ public class FormAuthenticator extends LoginAuthenticator
private String _formLoginPage;
private String _formLoginPath;
private boolean _dispatch;
+ private boolean _alwaysSaveUri;
public FormAuthenticator()
{
@@ -95,6 +96,26 @@ public class FormAuthenticator extends LoginAuthenticator
/* ------------------------------------------------------------ */
/**
+ * If true, uris that cause a redirect to a login page will always
+ * be remembered. If false, only the first uri that leads to a login
+ * page redirect is remembered.
+ * See https://bugs.eclipse.org/bugs/show_bug.cgi?id=379909
+ * @param alwaysSave
+ */
+ public void setAlwaysSaveUri (boolean alwaysSave)
+ {
+ _alwaysSaveUri = alwaysSave;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ public boolean getAlwaysSaveUri ()
+ {
+ return _alwaysSaveUri;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
* @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.AuthConfiguration)
*/
@Override
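Review bot: The Javadoc on `setAlwaysSaveUri` leaves `@param alwaysSave` without a description and `getAlwaysSaveUri` has no Javadoc at all, so the security-relevant consequence of the flag is undocumented. With the flag on, the condition changed in the last hunk of this file lets every unauthenticated request that is redirected to the login form replace the saved uri, so the post-login destination is whichever such request arrived last in the session, which may be a sub-resource or background request rather than the page the user asked for. I would fill in the tag as `@param alwaysSave true to overwrite the saved uri on every login redirect (last request wins), false to keep only the first` and add `/** @return true if every uri that causes a login redirect replaces the saved one */` on the getter. The field added in the first hunk is a plain `boolean` that the request-handling code reads, so the Javadoc should also say it is meant to be set before the authenticator starts serving requests.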
@@ -279,9 +300,9 @@ public class FormAuthenticator extends LoginAuthenticator
// remember the current URI
synchronized (session)
{
- // But only if it is not set already
- if (session.getAttribute(__J_URI)==null)
- {
+ // But only if it is not set already, or we save every uri that leads to a login form redirect
+ if (session.getAttribute(__J_URI)==null || _alwaysSaveUri)
+ {
StringBuffer buf = request.getRequestURL();
if (request.getQueryString() != null)
buf.append("?").append(request.getQueryString());
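Review bot: With `|| _alwaysSaveUri` the guarded block now runs for a session that already holds a saved target, but the visible lines only rebuild the uri; anything else the block stores for the first request is not reset. The block continues past the end of this hunk, so I cannot see it, but if it also saves request state next to `__J_URI` (the form parameters of a POST, for instance), a later GET would overwrite the uri and leave the older state in the session, where it could presumably be applied to a different URL after login. When overwriting, the block should clear or replace every companion attribute together with `__J_URI`, inside the same `synchronized (session)` section. A test that sends a form POST and then a GET to a second protected URL before logging in would pin this down.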
diff --git a/test-jetty-webapp/src/main/config/contexts/test.xml b/test-jetty-webapp/src/main/config/contexts/test.xml
index 3c36173b13..32e5b40584 100644
--- a/test-jetty-webapp/src/main/config/contexts/test.xml
+++ b/test-jetty-webapp/src/main/config/contexts/test.xml
@@ -61,6 +61,11 @@ detected.
-->
</New>
</Set>
+ <Set name="authenticator">
+ <New class="org.eclipse.jetty.security.authentication.FormAuthenticator">
+ <Set name="alwaysSaveUri">true</Set>
+ </New>
+ </Set>
<Set name="checkWelcomeFiles">true</Set>
</Get>
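Review bot: This turns `alwaysSaveUri` on for the whole test webapp, so the default behaviour (keep only the first uri) is no longer exercised by any page in it, and the diffstat shows no automated test added for either setting. A comment above the new `<Set name="authenticator">` element would help the next reader, for example `<!-- non-default: remember the last uri that triggered the login form, see bug 379909 -->`. The explicit `<New>` presumably also replaces whatever authenticator the context would otherwise build from the web.xml login configuration; that looks intended here but is worth stating in the same comment.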
diff --git a/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml b/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
index 0c633bd765..f995d0162d 100644
--- a/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
+++ b/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
@@ -268,6 +268,16 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Auth2</web-resource-name>
+ <url-pattern>/auth2/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Any User</web-resource-name>
<url-pattern>/dump/auth/*</url-pattern>
<url-pattern>*.htm</url-pattern>
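Review bot: The new constraint uses `<role-name>*</role-name>`, while the link added in auth.html labels the page "Authenticated"; in the servlet specification versions of this era `*` stands for every role declared in the deployment descriptor, not for any authenticated user. A user who logs in successfully but holds none of the declared roles would be refused, which can look like a failure of the saved-uri feature under test. I would add `<!-- "*" = any role declared in this web.xml, not any authenticated user -->` above the new `<auth-constraint>`. The second `<security-constraint>` opened at the end of the hunk continues outside it.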
diff --git a/test-jetty-webapp/src/main/webapp/auth.html b/test-jetty-webapp/src/main/webapp/auth.html
index 1f64b2bc67..1b1de1157c 100644
--- a/test-jetty-webapp/src/main/webapp/auth.html
+++ b/test-jetty-webapp/src/main/webapp/auth.html
@@ -12,6 +12,7 @@ This page contains several links to test the authentication constraints:
<ul>
<li><a href="auth/file.txt">auth/file.txt</a> - Forbidden</li>
<li><a href="auth/relax.txt">auth/relax.txt</a> - Allowed</li>
+<li><a href="auth2">auth2/index.html</a> - Authenticated (tests FormAuthenticator.setAlwaysSaveUri()) </li>
<li><a href="dump/auth/noaccess/info">dump/auth/noaccess/*</a> - Forbidden</li>
<li><a href="dump/auth/relax/info">dump/auth/relax/*</a> - Allowed</li>
<li><a href="dump/auth/info">dump/auth/*</a> - Authenticated any user</li>
diff --git a/test-jetty-webapp/src/main/webapp/auth2/index.html b/test-jetty-webapp/src/main/webapp/auth2/index.html
new file mode 100644
index 0000000000..f46164c410
--- /dev/null
+++ b/test-jetty-webapp/src/main/webapp/auth2/index.html
@@ -0,0 +1,6 @@
+<html>
+ <body>
+ <h1>YAY!</h1>
+ <p>You have successfully authenticated. You can use this url in conjunction with any of the other urls that lead to a login form to test which urls are saved on entry to the login form.</p>
+ </body>
+</html>
