Details
-
Bug
-
Resolution: Fixed
-
Not Evaluated
-
Qt Creator 13.0.0
-
None
-
c10b34c1e (13.0)
Description
Configured URL: http://localhost:26390/
Dashboard runs with http://localhost:26390/axivion/ but has redirects.
>: Client --> Server <: Server --> Client
Current communication flow:
> GET / HTTP/1.1 < HTTP/1.1 307 < Location: /axivion > GET /axivion HTTP/1.1 < HTTP/1.1 302 < Location: /axivion/ > GET /axivion/ HTTP/1.1 < HTTP/1.1 200 This response causes the client to switch to authenticated login. This can be a DashboardInfoDto (200) with a wrong user name or ErrorDto, UnauthenticatedException (401) > GET / HTTP/1.1 > Authorization: Basic *** < HTTP/1.1 307 > GET /axivion HTTP/1.1 > Authorization: Basic *** < HTTP/1.1 302 > GET /axivion/ HTTP/1.1 > Authorization: Basic *** < HTTP/1.1 200 Finally the stuff we want to get
The desired flow uses the URL of the last redirect of the unauthenticated DashboardInfoDto request directly for the authenticated login attempt:
> GET / HTTP/1.1 < HTTP/1.1 307 < Location: /axivion > GET /axivion HTTP/1.1 < HTTP/1.1 302 < Location: /axivion/ > GET /axivion/ HTTP/1.1 < HTTP/1.1 200 This response causes the client to switch to authenticated login. > GET /axivion/ HTTP/1.1 > Authorization: Basic *** < HTTP/1.1 200 Finally the stuff we want to get
This can become interesting if the redirection is to another server:
User configured https://old-server.example/axivion/
get's redirected to https://new-server.example/axivion/
With the current behavior, the old-server.example gets the password. With the proposed behavior, old-server.example doesn't get any request with Authorization.
Attachments
| For Gerrit Dashboard: QTCREATORBUG-30536 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 549241,1 | Axivion: Limit redirects | 13.0 | qt-creator/qt-creator | Status: ABANDONED | 0 | 0 |
| 549274,6 | Axivion: Reuse the redirected url for further usage | 13.0 | qt-creator/qt-creator | Status: MERGED | +2 | 0 |