  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-141963

Random redirections to /workflow.js.map when signing in with OIDC

    Details

    • Fix Priority: 4
    • Sprint: S05E01 - Dark Souls

      Description

      When a user opens the Chrome Dev Tools with F12 for example, those tools are going to make some background requests to *.js.map files.

      Hints to their locations are given in the minified js files typically served by /combo/* resources.

      One important thing to know is that those requests will not appear in the network tab of the Chrome dev tools. However, if you use a proxy like Burp Suite, you will see them happening.

      What I've discovered is that there are some minified js files for which the browser is going to make a request to the root path of the portal. For example, a request to https://some.portal.url/workflow.js.map

      This background call responds with a 404 but has a side effect changing the behaviour of https://some.portal.url/c

      If you hit https://some.portal.url/c after a request to https://some.portal.url/workflow.js.map has been issued, then https://some.portal.url/c will redirect to https://some.portal.url/workflow.js.map

      What I suspect is that we go through some main servlet or filter logic that overrides the LAST_PATH attribute of the session.

      And the problem we have with OIDC SSO is that the whole redirection dance with the OpenID Provider relies on saving to that LAST_PATH attribute the place we'd like to go back to once we're signed in, and that failing https://some.portal.url/workflow.js.map is breaking it.

      For the moment, I asked a customer who's come across this issue to have a WAF or frontend web server drop those requests so that they do not reach Tomcat.

       

       Steps to reproduce:

      1. Access http://localhost:8080 in Chrome
      2. Open the DevTools
      3. Sign In

       Expected Results:
      It should redirect to the Home page.

       Actual Results:
      The Not Found page is shown. The following browser error is thrown

      RELATED CONVERSATION (with possible cause): https://liferay.slack.com/archives/CNBG06JS3/p1635851694076000
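
      One way to confirm from server-side logs that a deployment is hitting the behaviour reported above, as an added example that is not part of the original ticket or of Liferay's code: it flags sessions in which a `*.js.map` request returned 404 and a later request to `/c` redirected to that same path. The log format (session id, request line, status, Location header) and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not taken from the ticket. Assumed line format:
#   <session-id> "<METHOD> <target> HTTP/1.1" <status> <Location header or ->
SAMPLE_LOG = """\
A1 "GET /combo/ HTTP/1.1" 200 -
A1 "GET /workflow.js.map HTTP/1.1" 404 -
A1 "GET /c HTTP/1.1" 302 /workflow.js.map
B2 "GET /c HTTP/1.1" 302 /web/guest/home
B2 "GET /workflow.js.map HTTP/1.1" 404 -
C3 "GET /workflow.js.map HTTP/1.1" 404 -
D4 "GET /workflow.js.map HTTP/1.1" 404 -
D4 "GET /c HTTP/1.1" 302 https://some.portal.url/workflow.js.map
E5 "GET /c HTTP/1.1" 302 /workflow.js.map
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')


def find_poisoned_redirects(log_text):
    """Return (session, path) for every /c redirect that lands on a
    source-map path which already returned 404 in the same session."""
    missed_maps = {}  # session id -> set of .js.map paths that returned 404
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # ignore lines that do not follow the assumed format
        session, _method, target, status, location = match.groups()
        path = urlsplit(target).path
        if path.endswith(".js.map") and status == "404":
            missed_maps.setdefault(session, set()).add(path)
        elif path == "/c" and status.startswith("3") and location != "-":
            # Location may be relative or absolute; compare on path only.
            dest = urlsplit(location).path
            if dest in missed_maps.get(session, ()):
                findings.append((session, dest))
    return findings


if __name__ == "__main__":
    for session, dest in find_poisoned_redirects(SAMPLE_LOG):
        print(f"session {session}: /c redirected to previously missing {dest}")
```

      Session E5 is not flagged because no source-map 404 precedes its redirect in that session, so the correlation stays tied to the sequence the description reports.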

              People

              Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              fabian.bouche Fabian Bouché
              Participants of an Issue:
              Recent user:
              Bruno Fernández