com.atlassian.seraph.config
Interface RedirectPolicy

All Superinterfaces:
Initable
All Known Implementing Classes:
DefaultRedirectPolicy

public interface RedirectPolicy
extends Initable

This interface gives applications fine-grained control over which URLs Seraph will redirect to.

Upon successful login, Seraph redirects the user to a URL taken from the HTTP session or from a request parameter. Because that value is attacker-influenceable, an unchecked redirect would let a phishing link log the victim in and then send them to an attacker-controlled site (an open redirect). To hinder this, by default Seraph only allows redirects to a URL within the same context as the incoming request. Applications can change this behaviour by configuring the default RedirectPolicy, or by providing a custom one.

Note that applications can also apply Seraph's redirect checking to their own internal redirects. To do so, obtain the configured RedirectPolicy by calling SecurityConfig.getRedirectPolicy() and consult allowedRedirectDestination() before issuing the redirect.

Since:
v0.38.3

Method Summary
 boolean allowedRedirectDestination(String redirectUrl, javax.servlet.http.HttpServletRequest request)
          Returns true if we are allowed to redirect to the given URL from the given HTTP request.
 
Methods inherited from interface com.atlassian.seraph.Initable
init
 

Method Detail

allowedRedirectDestination

boolean allowedRedirectDestination(String redirectUrl,
                                   javax.servlet.http.HttpServletRequest request)
Returns true if we are allowed to redirect to the given URL from the given HTTP request. This is intended to stop malicious users from constructing URLs that would log you in to JIRA and then redirect you somewhere else. See http://jira.atlassian.com/browse/SER-128

Parameters:
redirectUrl - The URL we are proposing to redirect to.
request - The incoming HttpServletRequest.
Returns:
true if we are allowed to redirect to the given URL from the given HTTP request.
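The following is an added example of how an application might implement this interface and then reuse the configured policy for its own redirects, as the class description suggests. It is not Seraph's code and is not the logic of DefaultRedirectPolicy; the class name SameContextRedirectPolicy, the helper safeRedirect, and the reading of "same context" as same scheme, host, port and servlet context path are this example's own assumptions. It also assumes the Initable.init signature init(Map<String,String>, SecurityConfig); check the Initable Javadoc for the Seraph version in use.

```java
package com.example.seraph; // assumed package for this example

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.atlassian.seraph.config.RedirectPolicy;
import com.atlassian.seraph.config.SecurityConfig;

/**
 * Example RedirectPolicy: a redirect target is allowed only when it resolves to a
 * path inside the servlet context of the incoming request, on the same scheme,
 * host and port. Anything else, including protocol-relative "//evil.example"
 * forms, opaque schemes such as "javascript:", and unparseable input, is rejected.
 */
public class SameContextRedirectPolicy implements RedirectPolicy {

    public void init(Map<String, String> params, SecurityConfig config) {
        // This policy needs no configuration parameters.
    }

    public boolean allowedRedirectDestination(String redirectUrl, HttpServletRequest request) {
        if (redirectUrl == null || redirectUrl.trim().isEmpty()) {
            return false;
        }
        URI target;
        try {
            // java.net.URI rejects backslashes, whitespace and control characters,
            // which browsers otherwise reinterpret; treat such input as hostile
            // instead of trying to repair it. normalize() collapses "/ctx/../x".
            target = new URI(redirectUrl).normalize();
        } catch (URISyntaxException e) {
            return false;
        }

        String contextPath = request.getContextPath(); // "" for the root context
        String path = target.getPath();
        if (path == null || !path.startsWith("/")) {
            return false; // opaque URI ("mailto:", "javascript:") or page-relative path
        }
        boolean insideContext = contextPath.isEmpty()
                || path.equals(contextPath)
                || path.startsWith(contextPath + "/");

        if (target.getScheme() == null && target.getAuthority() == null) {
            // Context-relative path such as "/jira/secure/Dashboard.jspa".
            // "//evil.example/x" has a null scheme but a non-null authority,
            // so it does NOT take this branch.
            return insideContext;
        }
        if (target.getScheme() == null || target.getHost() == null) {
            return false; // protocol-relative URL, or authority without a host
        }

        // Absolute URL: it must point back at this very server. A userinfo
        // trick like "http://jira.example@evil.example/" fails here because
        // getHost() returns evil.example.
        boolean sameScheme = target.getScheme().equalsIgnoreCase(request.getScheme());
        boolean sameHost = target.getHost().equalsIgnoreCase(request.getServerName());
        boolean samePort = effectivePort(target) == request.getServerPort();
        return sameScheme && sameHost && samePort && insideContext;
    }

    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    /**
     * Reusing the configured policy for an application's own redirect, as the
     * class description recommends. Anything the policy rejects falls back to a
     * fixed, known-safe location instead of being "fixed up".
     */
    public static void safeRedirect(HttpServletRequest request, HttpServletResponse response,
                                    SecurityConfig config, String requestedUrl) throws IOException {
        RedirectPolicy policy = config.getRedirectPolicy();
        String safeDefault = request.getContextPath() + "/";
        String destination = policy.allowedRedirectDestination(requestedUrl, request)
                ? requestedUrl
                : safeDefault;
        response.sendRedirect(destination);
    }
}
```

Two caveats when adapting this: behind a reverse proxy, request.getScheme(), getServerName() and getServerPort() reflect whatever the container sees, so absolute same-host URLs may be rejected unless the proxy headers are honoured by the container; and the policy never rewrites a rejected URL into an "acceptable" one, since partial sanitisation of redirect targets is a common source of bypasses.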


Copyright © 2013 Atlassian. All Rights Reserved.