[Security] - Logged out user is logged back in when accessing application pages

Description

An unauthenticated user is logged back in when navigating to certain pages.

In the same browser session:
1. Login
2. Logout
User is redirected to login page: http://<hostname>/activiti-app/#/login
3. Go to http://<hostname>/activiti-app/workflow/#/tasks
Expected result: User remains on Login page, since user is logged out and no credentials have been provided.
Actual result: User is redirected to /workflow/#/tasks page.

Additional notes:
1. The redirect URL is incorrectly computed:
Expected: http://<hostname>/activiti-app/#/login?redirectUrl=%2Factiviti-app%2Fworkflow%2F%23%2Ftasks
Actual: http://<hostname>/activiti-app/#/login?redirectUrl=http:%2F%2F<hostname>%2Factiviti-app%2Fworkflow%2F%23%2Ftasks
The protocol and the hostname (with the port, if available) should be removed from the redirectUrl param value.

2. When the redirectUrl param has an arbitrary address, the URL should be modified after login.
2.1. Go to <hostname>/activiti-app/#/login?redirectUrl=www.google.com
2.2. Login
Expected: User is redirected to: http://<hostname>/activiti-app/#
Actual: User is redirected to: http://<localhost>/activiti-app/#/?redirectUrl=www.google.com
The redirectUrl param and its value should be removed from the URL.
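An added example, not Activiti's own code, of the two corrections the notes above describe: the redirect target is computed as an origin-relative path (note 1), and after login the parameter is only honoured when it resolves to a same-origin path under the application base, otherwise it is dropped and the user lands on the app root (note 2). APP_BASE, the function names and the sample origin are assumptions for illustration.

```javascript
// Assumed application base path (hypothetical constant for this example).
const APP_BASE = '/activiti-app/';

// Note 1: the redirect target must be a path relative to the origin,
// with no protocol, hostname or port, e.g. "/activiti-app/workflow/#/tasks".
function toRelativeRedirect(fullUrl) {
  const u = new URL(fullUrl);
  return u.pathname + u.search + u.hash;
}

// Builds the login URL with the encoded, origin-relative redirect target.
function buildLoginUrl(origin, fullUrl) {
  const rel = toRelativeRedirect(fullUrl);
  return origin + APP_BASE + '#/login?redirectUrl=' + encodeURIComponent(rel);
}

// Note 2: after login, accept a redirectUrl only if it resolves to a
// same-origin path under APP_BASE. Anything else (an arbitrary address,
// a protocol-relative "//host" form, a path outside the app, or an
// unparsable value) falls back to the app root, and the parameter is
// not carried over into the resulting URL.
function resolvePostLoginTarget(origin, redirectParam) {
  const fallback = APP_BASE + '#';
  if (!redirectParam) return fallback;
  let target;
  try {
    // Resolving against the origin turns a bare "www.google.com" into a
    // path under our own origin (then rejected by the prefix check) and
    // exposes any absolute URL by its differing origin.
    target = new URL(redirectParam, origin);
  } catch (e) {
    return fallback;
  }
  if (target.origin !== new URL(origin).origin) return fallback;
  if (!target.pathname.startsWith(APP_BASE)) return fallback;
  return target.pathname + target.search + target.hash;
}
```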

Environment

None

Status

Assignee

Bassam Al-Sarori

Reporter

Roxana Diacenco

Labels

Components

Affects versions

6.0

Priority

Major