PAS always redirecting to favicon.ico after login

Posted by MTBOO on 04-Oct-2016 06:57

Hi,

I am using PAS on OE 11.6 (SP2) for testing a REST application (installed as ROOT webapp) and have setup security using oeableSecurity-form-oerealm. Whenever I login successfully the application is always redirecting me to favicon.ico (in root folder) and not index.html.

Auth model config is as follows:

<!-- authentication model -->
        <form-login login-page="/static/auth/login.jsp"
                    login-processing-url="/static/auth/j_spring_security_check"
                    always-use-default-target="true"
                    default-target-url="/index.html"
                    authentication-failure-url="/static/auth/loginfail.html"
                    authentication-success-handler-ref="OEAuthnSuccessHandler"
                    authentication-failure-handler-ref="OEAuthnFailureHandler"  />

        <logout logout-url="/static/auth/j_spring_security_logout"
                success-handler-ref="OELogoutSuccessHandler"
                invalidate-session="true"
                delete-cookies="JSESSIONID" />

I can then change the URL to access the index.html which allows me to continue.

Regards

Posted by Matt Baker on 04-Oct-2016 07:40

Possible explanation which I've run into.  Not specifically with PAS, but this is probably the same issue.

This is due to a combination of things.

1. when the browser first your website it sends the first HTTP request to get favicon.ico, not the actual page you requested

2. an HTTP session is created and the first requested object is stored with the session.

3. you get a redirect to login

4. the login completes and you get redirected back to the first requested object.  In this case it is the favicon.ico.

The fix for this is to ensure that your favicon.ico is not protected by security and is ignored for session management

There's lots of stuff there on google about this.

stack overflow suggests a fix to add an exception

<http pattern="/favicon.ico" security="none" />

https://stackoverflow.com/questions/11242609/default-spring-security-redirect-to-favicon

All Replies

Posted by Matt Baker on 04-Oct-2016 07:40

Possible explanation which I've run into.  Not specifically with PAS, but this is probably the same issue.

This is due to a combination of things.

1. when the browser first your website it sends the first HTTP request to get favicon.ico, not the actual page you requested

2. an HTTP session is created and the first requested object is stored with the session.

3. you get a redirect to login

4. the login completes and you get redirected back to the first requested object.  In this case it is the favicon.ico.

The fix for this is to ensure that your favicon.ico is not protected by security and is ignored for session management

There's lots of stuff there on google about this.

stack overflow suggests a fix to add an exception

<http pattern="/favicon.ico" security="none" />

https://stackoverflow.com/questions/11242609/default-spring-security-redirect-to-favicon
Posted by MTBOO on 04-Oct-2016 09:14

Thanks that sorted it (ensuring favicon.ico is not a secured resource). On another point, on authentication failure the url in authentication-failure-url is not being used. I get a PASS 401 error page:

An error occurred while executing your request!

401 - Unauthorized: authentication failed due to bad credentials - POST /static/auth/j_spring_security_check

Regards

Posted by Peter Judge on 12-Oct-2016 12:48
Related to this -  https://robinlinus.github.io/socialmedia-leak/ . Details how the favicon can be used to detect whether you’re logged in or not (on social media to be sure).
This thread is closed