1. Proposed title of this feature request
PicketLink should be able to ignore ajax requests

2. Who is the customer behind the request?
Account name: SMABTP
Customer segment:
TAM/SRM customer: no / yes
Strategic Customer yes/no: yes

3. What is the nature and description of the request?
Many applications use ajax calls from the browser. When the session has timed out, PicketLink will cause a redirect to the login server. There are two issues here:
- the redirect is potentially cross-domain
- the ajax client receives the login page as a response for which it is not coded

4. Why does the customer need this? (List the business requirements here)
Programming ajax calls that need to go cross-platform is not trivial.

5. How would the customer like to achieve this? (List the functional requirements here)
The request is to have a configuration switch that detects ajax calls. When such a call arrives while there is no valid session, the server should not redirect but should send a standard 403.

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

7. Is there already an existing RFE upstream or in Red Hat bugzilla?
no

8. Does the customer have any specific timeline dependencies?
no

9. Is the sales team involved in this request and do they have any additional input?
no

10. List any affected packages or components.

11. Would the customer be able to assist in testing this functionality if implemented?
yes
Pedro Igor <pigor.craveiro> updated the status of jira EAP6-226 to Resolved
Fixed in upstream. See https://issues.jboss.org/browse/EAP6-226 and https://issues.jboss.org/browse/PLINK-273.
Pedro Igor <pigor.craveiro> updated the status of jira EAP6-226 to Reopened
Backported from upstream. Commit: https://code.engineering.redhat.com/gerrit/#/c/35784/
Can we get ACK on this issue, please?
In order to properly handle AJAX requests, the IdP is now checking the existence of the X-Requested-With header. Usually this header is sent from AJAX libraries such as jQuery. If the request contains this header with value XMLHttpRequest, the IdP will respond with a 403 instead of the login page.
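The decision described in that comment, modelled as a stand-alone added example (not PicketLink's own code): it checks X-Requested-With case-insensitively, answers 403 instead of a redirect for AJAX calls on an expired session, and adds the on/off switch the RFE asked for. The login URL, the request model and the flag name ajax_403_enabled are assumptions.

```python
"""Added example (not PicketLink code): model of the IdP decision for
unauthenticated requests. LOGIN_URL, Request and the flag name are
assumptions made for this example."""
from dataclasses import dataclass, field

LOGIN_URL = "https://idp.example.test/login"  # constructed placeholder


@dataclass
class Request:
    path: str
    session_valid: bool
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive, so compare in lower case.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_ajax(req):
    # jQuery adds this header on same-origin XHR; fetch() and a bare
    # XMLHttpRequest do not, so a missing header does not prove a page load.
    return (req.header("X-Requested-With") or "") == "XMLHttpRequest"


def handle_unauthenticated(req, ajax_403_enabled=True):
    """Return the (status, headers) the IdP answers with.

    With ajax_403_enabled (assumed switch name) on, an AJAX call that
    finds no valid session gets a bare 403 the client can act on rather
    than a possibly cross-domain redirect; off restores the old behaviour.
    """
    if req.session_valid:
        return 200, {}
    if ajax_403_enabled and is_ajax(req):
        return 403, {}
    return 302, {"Location": LOGIN_URL}


# Constructed sample traffic after a session timeout.
SAMPLES = [
    ("jquery", Request("/api/data", False, {"x-requested-with": "XMLHttpRequest"})),
    ("browser", Request("/home", False, {"Accept": "text/html"})),
    ("fetch", Request("/api/data", False, {"Accept": "application/json"})),
]

if __name__ == "__main__":
    for label, req in SAMPLES:
        print(label, handle_unauthenticated(req))
    print("switch-off", handle_unauthenticated(SAMPLES[0][1], ajax_403_enabled=False))
```

The third sample shows the caveat for clients that do not send the header: they still receive the redirect, so a client that wants the 403 must set X-Requested-With itself.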
Verified for JBoss EAP 6.4.0.DR11
John Doyle <jdoyle> updated the status of jira EAP6-226 to Closed
I think the original intention was to make this configurable. Is that the case? Can I disable this new behaviour? We use an AJAX request to detect if the unauthenticated user is inside our network or not. Based on that we handle authentication differently. That doesn't work anymore with this change.