public interface RedirectPolicy extends Initable
Upon successful login, Seraph will redirect the user to a URL configured in the HTTP Session or as a request parameter. In order to hinder potential phishing attacks, by default Seraph will only allow you to redirect to a URL in the same context as the incoming request. Applications can change this behaviour by configuring the default RedirectPolicy, or providing a custom one.
Note that applications can also take advantage of Seraph's redirect checking for their own internal redirects. To do so, they obtain the RedirectPolicy by calling SecurityConfig.getRedirectPolicy() and pass the candidate URL and the current request to allowedRedirectDestination before issuing the redirect.
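As an added illustration (not Seraph's own code), the following custom RedirectPolicy keeps the default same-context rule for relative URLs and additionally permits absolute HTTPS URLs to a fixed allow-list of hosts. The package names com.atlassian.seraph.config.RedirectPolicy and SecurityConfig, the Initable.init(Map, SecurityConfig) signature, and the host sso.example.com are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

import com.atlassian.seraph.config.RedirectPolicy;
import com.atlassian.seraph.config.SecurityConfig;

/** Hypothetical policy: same-context relative URLs, or HTTPS to allow-listed hosts. */
public class AllowListRedirectPolicy implements RedirectPolicy {

    // Constructed sample allow-list; a real deployment would load this from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("sso.example.com");

    @Override
    public void init(Map<String, String> params, SecurityConfig config) {
        // Nothing to configure in this example (init signature assumed from Initable).
    }

    @Override
    public boolean allowedRedirectDestination(String redirectUrl, HttpServletRequest request) {
        if (redirectUrl == null || redirectUrl.isEmpty()) {
            return false;
        }
        // Some browsers treat backslashes as slashes, so "/\host" becomes "//host":
        // normalise first so such input is classified as an authority, not a path.
        URI uri;
        try {
            uri = new URI(redirectUrl.replace('\\', '/')).normalize(); // normalize() folds ".." segments
        } catch (URISyntaxException e) {
            return false; // unparseable input is refused rather than guessed at
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative URL: must stay under this application's context path.
            // Protocol-relative "//host/path" carries an authority and falls through to the absolute branch.
            String path = uri.getRawPath();
            return path != null && path.startsWith(request.getContextPath() + "/");
        }
        // Absolute URL: only HTTPS to an allow-listed host; "javascript:" and other schemes are rejected.
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }
}
```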
| Modifier and Type | Method and Description |
|---|---|
| boolean | allowedRedirectDestination(String redirectUrl, javax.servlet.http.HttpServletRequest request) Returns true if we are allowed to redirect to the given URL from the given HTTP request. |
boolean allowedRedirectDestination(String redirectUrl, javax.servlet.http.HttpServletRequest request)

Returns true if we are allowed to redirect to the given URL from the given HTTP request.
This is intended to stop malicious users from constructing URLs that would log you in to JIRA, then redirect you somewhere else.
See http://jira.atlassian.com/browse/SER-128

Parameters:
- redirectUrl - The URL we are proposing to redirect to.
- request - The incoming HttpServletRequest.

Returns:
true if we are allowed to redirect to the given URL from the given HTTP request.

Copyright © 2018 Atlassian. All rights reserved.