This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

Make multiple slashes equivalent to a single one in urls #200

Closed
bogbert opened this issue Mar 17, 2017 · 2 comments

bogbert commented Mar 17, 2017

Hi,
I'm running keycloak-proxy 2.0.3 behind an nginx reverse proxy.
nginx is configured to redirect the location /app/soap to keycloak-proxy.
The keycloak-proxy yml configuration file declares a single resource:

resources:
- uri: /app/soap
  roles:
  - app:access_webservices

I noticed that if a user tries to access the url //app/soap or /app//soap, then nginx redirects it to keycloak-proxy, but keycloak-proxy considers that it doesn't match /app/soap, and authentication is completely skipped!
Just like nginx, I would like keycloak-proxy to consider multiple slashes in urls to be equivalent to a single one.

For now, as a workaround, I declared a resource that denies access to all non-matching urls:

- uri: /
  roles:
  - deny_role

where deny_role is a fake role that is not assigned to anyone.
Would there be a more elegant way to deny access by default to non-matching urls?

gambol99 added the bug label Mar 17, 2017

gambol99 (Contributor) commented:

That's not good at all!! ... There doesn't appear to be an easy way to get rid of this either, as the HTTP router doesn't provide any options to massage the urls in gin or pure http router. Perhaps introducing middleware to filter urls is the easier option.

// filterMiddleware is custom filtering for incoming requests
func (r *oauthProxy) filterMiddleware() gin.HandlerFunc {
	return func(cx *gin.Context) {
		var p rune
		var b bytes.Buffer
		for _, c := range cx.Request.URL.Path {
			if c == '/' && p == '/' {
				continue
			}
			p = c
			b.WriteRune(c)
		}
		cx.Request.URL.Path = b.String()
	}
}

https://play.golang.org/p/qWpT4HZ_FD

gambol99 self-assigned this Mar 17, 2017
gambol99 added a commit that referenced this issue Mar 17, 2017
FIXES:
 * Fixes a bug in authentication, which permitted double slashed url entry [#PR200](#200)

FEATURES:
 * Grabbing the revocation-url from the idp config if user override is not specified [#PR193](#193)
gambol99 mentioned this issue Mar 17, 2017

gambol99 (Contributor) commented:

fixed in #201
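
The mismatch reported in this issue and the normalize-before-match fix, as an added example that is not code from keycloak-proxy or from the participants in this thread. It uses net/http rather than gin; `guard`, `status`, `raw`, the `protected` constant and the bare Authorization-header check are hypothetical stand-ins for the proxy's resource matching and token validation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const protected = "/app/soap" // constructed, mirrors the resource in the issue

// collapseSlashes folds every run of '/' into a single '/'.
func collapseSlashes(p string) string {
	for strings.Contains(p, "//") {
		p = strings.ReplaceAll(p, "//", "/")
	}
	return p
}

func raw(p string) string { return p } // no normalization, as reported in the issue

// guard is hypothetical middleware; the header check stands in for token validation.
func guard(norm func(string) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := norm(r.URL.Path) // normalize before the access decision
		r.URL.Path = p        // and forward the same form that was checked
		covered := p == protected || strings.HasPrefix(p, protected+"/")
		if covered && r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status returns the code an unauthenticated GET for path receives.
func status(norm func(string) string, path string) int {
	rec := httptest.NewRecorder()
	req := &http.Request{Method: "GET", URL: &url.URL{Path: path}, Header: http.Header{}}
	up := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // upstream stub: 200
	guard(norm, up).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range []string{"/app/soap", "//app/soap", "/app//soap"} {
		fmt.Printf("%-11s raw=%d collapsed=%d\n", p, status(raw, p), status(collapseSlashes, p))
	}
}
```

A table-driven test over paths like these makes a useful regression check whenever the front proxy and the authenticating proxy might disagree on path equivalence.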
