
Martin Peřina has submitted this change and it was merged.

Change subject: aaa: Request state does not match session state after successful login
......................................................................

aaa: Request state does not match session state after successful login

Fix the usability issues with mismatched session state when the login
screen session has expired. The client id and client secret with the
redirect uri check should be a sufficient security check, session "state"
which is a random string and was passed between sso and engine as an
additional level of security can be dropped without any security
threats.

Change-Id: I9874c007e2d3382bbcdc8a280302306e2e6dc601
Bug-Url: https://bugzilla.redhat.com/1367921
Signed-off-by: Ravi Nori <rnori@redhat.com>
---
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoLoginServlet.java
M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthAuthorizeServlet.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoConstants.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoSession.java
M backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/utils/SsoUtils.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/LoginServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/OAuthCallbackServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/WelcomeServlet.java
M backend/manager/modules/welcome/src/main/java/org/ovirt/engine/core/WelcomeUtils.java
11 files changed, 8 insertions(+), 59 deletions(-)

Approvals:
  Martin Peřina: Looks good to me, approved
  Ravi Nori: Verified
  Jenkins CI: Passed CI tests

--
To view, visit https://gerrit.ovirt.org/62470

Gerrit-MessageType: merged
Gerrit-Change-Id: I9874c007e2d3382bbcdc8a280302306e2e6dc601
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rnori@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Martin Peřina <mperina@redhat.com>
Gerrit-Reviewer: Ravi Nori <rnori@redhat.com>
Gerrit-Reviewer: gerrit-hooks <automation@ovirt.org>