authorClaudio Guglielmo2021-04-26 11:15:33 +0000
committerClaudio Guglielmo2021-05-04 14:23:18 +0000
commit43387f31b7cb7aafd40290b377cfbc26a22aac5f (patch)
treea00b522f18841fd2f82e6a7c10659701f2d80407
parent022468b5fc9943ec998f98ae91aea8ad4f20a500 (diff)
Login: don't store path for unload requests
When a site is requested but the user is not logged in yet, the requested url is stored and the user will be redirected to that site after a successful login. When the user leaves or reloads the page, an unload request is sent. When he reloads the page while the http session is disposed, the unload request will be stored and the user redirected to the unload path after the login, which obviously does not work. -> Don't store paths for requests that cannot be redirected. We could explicitly check for unload requests, but a more general logic to detect such requests already exists. Since the unload request is a POST request that logic will work fine. https://www.eclipse.org/forums/index.php/t/1107743/ 293660 Change-Id: I8f57a52a691edefa17107182cfe3150018af43ef Reviewed-on: https://git.eclipse.org/r/c/scout/org.eclipse.scout.rt/+/179828 Tested-by: Scout Bot <scout-bot@eclipse.org> Reviewed-by: Beat Schwarzentrub <bsh@bsiag.com>
-rw-r--r--org.eclipse.scout.rt.server.commons/src/main/java/org/eclipse/scout/rt/server/commons/authentication/ServletFilterHelper.java46
1 files changed, 28 insertions, 18 deletions
diff --git a/org.eclipse.scout.rt.server.commons/src/main/java/org/eclipse/scout/rt/server/commons/authentication/ServletFilterHelper.java b/org.eclipse.scout.rt.server.commons/src/main/java/org/eclipse/scout/rt/server/commons/authentication/ServletFilterHelper.java
index ee42de2bb1..a5b67b8698 100644
--- a/org.eclipse.scout.rt.server.commons/src/main/java/org/eclipse/scout/rt/server/commons/authentication/ServletFilterHelper.java
+++ b/org.eclipse.scout.rt.server.commons/src/main/java/org/eclipse/scout/rt/server/commons/authentication/ServletFilterHelper.java
@@ -235,11 +235,12 @@ public class ServletFilterHelper {
}
/**
- * forward the request to the login.html
- * <p>
- * Detects if the request is a POST. For json send a timeout message, otherwise log a warning
+ * Forwards the request to the login.html. In case forwarding would not work, the request will be redirected, see {@link #redirectToLoginFormIfNecessary(HttpServletRequest, HttpServletResponse)}.
*/
public void forwardToLoginForm(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+ if (!acceptForwardOrRedirect(req, resp, req.getPathInfo(), true)) {
+ return;
+ }
if (redirectToLoginFormIfNecessary(req, resp)) {
return;
}
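Review bot: The new `acceptForwardOrRedirect` call passes `req.getPathInfo()` as `targetLocation` and `true` as `redirect`, so a rejected POST is logged as "Redirecting to '<request path>'" — the request path appears twice and the verb is wrong whenever the call would have fallen through to the forward instead of to `redirectToLoginFormIfNecessary`. As far as these hunks show, both arguments feed only the debug message, but that message is the operator's only explanation of the 403, so I would pass the login form location the method actually targets (login.html per the Javadoc) and derive `redirect` from the same condition `redirectToLoginFormIfNecessary` uses, or at least state the guard's purpose in a comment such as `// reject POST/json requests before the requested path is stored for the post-login redirect`. The rest of forwardToLoginForm lies outside the hunk.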
@@ -288,9 +289,7 @@ public class ServletFilterHelper {
}
/**
- * Forwards the request to the logout.html
- * <p>
- * Detects if the request is a POST. For json send a timeout message, otherwise log a warning
+ * Forwards the request to the logout.html.
*/
public void forwardToLogoutForm(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
forwardTo(req, resp, "/logout.html");
@@ -319,18 +318,7 @@ public class ServletFilterHelper {
* (forbidden) returned.
*/
protected void forwardOrRedirectTo(HttpServletRequest req, HttpServletResponse resp, String targetLocation, boolean redirect) throws IOException, ServletException {
- String acceptedMimeTypes = req.getHeader("Accept");
- if (StringUtility.containsString(acceptedMimeTypes, "application/json")) {
- // Since the client expects JSON as response don't forward to the login page, instead send a json based timeout error
- LOG.debug("Returning session timeout error as json for path {}, based on Accept header {}.", req.getPathInfo(), acceptedMimeTypes);
- sendJsonSessionTimeout(resp);
- return;
- }
- if ("POST".equals(req.getMethod())) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("The request for '{}' is a POST request. " + (redirect ? "Redirecting" : "Forwarding") + " to '{}' will most likely fail. Sending HTTP status '403 Forbidden' instead.", req.getPathInfo(), targetLocation);
- }
- resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ if (!acceptForwardOrRedirect(req, resp, targetLocation, redirect)) {
return;
}
@@ -345,6 +333,28 @@ public class ServletFilterHelper {
}
}
+ /**
+ * Doesn't accept POST requests or requests with an Accept header containing application/json. For such json requests
+ * a timeout message is returned.
+ */
+ protected boolean acceptForwardOrRedirect(HttpServletRequest req, HttpServletResponse resp, String targetLocation, boolean redirect) throws IOException {
+ String acceptedMimeTypes = req.getHeader("Accept");
+ if (StringUtility.containsString(acceptedMimeTypes, "application/json")) {
+ // Since the client expects JSON as response don't forward to the login page, instead send a json based timeout error
+ LOG.debug("Returning session timeout error as json for path {}, based on Accept header {}.", req.getPathInfo(), acceptedMimeTypes);
+ sendJsonSessionTimeout(resp);
+ return false;
+ }
+ if ("POST".equals(req.getMethod())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("The request for '{}' is a POST request. " + (redirect ? "Redirecting" : "Forwarding") + " to '{}' will most likely fail. Sending HTTP status '403 Forbidden' instead.", req.getPathInfo(), targetLocation);
+ }
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return false;
+ }
+ return true;
+ }
+
protected void sendJsonSessionTimeout(HttpServletResponse resp) throws IOException {
resp.setContentType("application/json");
resp.setCharacterEncoding(StandardCharsets.UTF_8.name());

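Review bot: The new `acceptForwardOrRedirect` returns a boolean, but its Javadoc does not say what the two outcomes mean for the caller, and the important part is the side effect: on `false` the method has already committed a response (JSON timeout body or `sendError(403)`), so the caller must return without writing to `resp` again — both call sites in this commit do that, but nothing documents it. I would add `@param targetLocation` and `@param redirect` noting they are used only for the debug message, and `@return {@code true} if the caller may forward or redirect, {@code false} if a response has already been sent and the caller must not write to {@code resp} any further`. Also worth a mention: the debug line at the `Accept` check writes the raw client-supplied header value into the log; unless the logging backend strips control characters, that is a log-forging vector, so logging only whether the json type matched would be safer (this predates the move, so a follow-up would do).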