Merge pull request #415 from georchestra/bug/gateway-login-redirect

Use a GatewayFilter to redirect to the login page when given a login query parameter
georchestra · Jul 26, 2024 · e035a22 · e035a22
2 parents 368abe8 + 5ba6510
commit e035a22
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/gateway/application.yaml b/gateway/application.yaml
@@ -22,6 +22,7 @@ spring:
         # AddSecHeaders appends sec-* headers to proxied requests based on the currently authenticated user
         - AddSecHeaders
         - PreserveHostHeader
+        - LoginParamRedirect #redirects all request with a ?login query param to /login
       filter:
         secure-headers:
-          referrer-policy: strict-origin
+          referrer-policy: strict-origin
diff --git a/gateway/security.yaml b/gateway/security.yaml
@@ -1,6 +1,14 @@
 georchestra:
   gateway:
     security:
+      header-authentication:
+        # If enabled, pre-authentication is enabled and can be performed by passing
+        # true to the sec-georchestra-preauthenticated request header, and user details
+        # through the following request headers: preauth-username, preauth-firstname,
+        # preauth-lastname, preauth-org, preauth-email, preauth-roles.
+        # In such case, it is crucial for the reverse proxy in front of the gateway to
+        # sanitize the mentioned request headers to prevent external impersonation.
+        enabled: false
       createNonExistingUsersInLDAP: true
       enableRabbitmqEvents: true
       oauth2: