Cleanup of relative redirect handling #11014

+ Handle request relative redirects + Moved to Response + Changed default to allow relative
jetty · Dec 4, 2023 · 9dea2e0 · 9dea2e0
1 parent 087191d
commit 9dea2e0
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 16 deletions.
diff --git a/...y-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/...y-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -277,7 +277,9 @@ public AuthenticationState validateRequest(Request request, Response response, C
                 // Redirect to original request
                 Session session = request.getSession(false);
                 HttpURI savedURI = (HttpURI)session.getAttribute(__J_URI);
-                String originalURI = savedURI != null ? savedURI.asString() : Request.getContextPath(request);
+                String originalURI = savedURI != null
+                    ? savedURI.getPathQuery()
+                    : Request.getContextPath(request);
                 if (originalURI == null)
                     originalURI = "/";
                 UserAuthenticationSent formAuth = new UserAuthenticationSent(getAuthenticationType(), user);

diff --git a/...y-core/jetty-security/src/test/java/org/eclipse/jetty/security/FormAuthenticatorTest.java b/...y-core/jetty-security/src/test/java/org/eclipse/jetty/security/FormAuthenticatorTest.java
@@ -129,17 +129,17 @@ public void testLoginRedirect() throws Exception
 
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
 
         response = _connector.getResponse("GET /ctx/known/user HTTP/1.0\r\nHost:host:8888\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
 
         response = _connector.getResponse("GET /ctx/admin/user HTTP/1.0\r\nHost:host:8888\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
     }
 
@@ -167,7 +167,7 @@ public void testUseExistingSession() throws Exception
 
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, not(containsString("Set-Cookie: JSESSIONID=")));
     }
 
@@ -182,13 +182,13 @@ public void testError() throws Exception
         String sessionId = "unknown";
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         sessionId = sessionId(response);
 
         response = _connector.getResponse("GET /ctx/j_security_check?j_username=user&j_password=wrong HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/error"));
+        assertThat(response, containsString("Location: /ctx/error"));
         assertThat(response, not(containsString("Set-Cookie: JSESSIONID=")));
 
         response = _connector.getResponse("""
@@ -201,7 +201,7 @@ public void testError() throws Exception
             j_username=user&j_password=wrong
             """);
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/error"));
+        assertThat(response, containsString("Location: /ctx/error"));
         assertThat(response, not(containsString("Set-Cookie: JSESSIONID=")));
     }
 
@@ -216,13 +216,13 @@ public void testLoginQuery() throws Exception
         String sessionId = "unknown";
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         sessionId = sessionId(response);
 
         response = _connector.getResponse("GET /ctx/j_security_check?j_username=user&j_password=password HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/any/user"));
+        assertThat(response, containsString("Location: /ctx/any/user"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         String unsafeSessionId = sessionId;
         sessionId = sessionId(response);
@@ -240,7 +240,7 @@ public void testLoginQuery() throws Exception
 
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + unsafeSessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
     }
 
@@ -255,7 +255,7 @@ public void testLoginForm() throws Exception
         String sessionId = "unknown";
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         sessionId = sessionId(response);
 
@@ -269,7 +269,7 @@ public void testLoginForm() throws Exception
             j_username=user&j_password=password
             """.formatted(sessionId));
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/any/user"));
+        assertThat(response, containsString("Location: /ctx/any/user"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         String unsafeSessionId = sessionId;
         sessionId = sessionId(response);
@@ -287,7 +287,7 @@ public void testLoginForm() throws Exception
 
         response = _connector.getResponse("GET /ctx/any/user HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + unsafeSessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
     }
 
@@ -311,13 +311,13 @@ public void testRedirectToPost() throws Exception
             name1=value1&name2=value2\r
             """.formatted(sessionId));
         assertThat(response, containsString("HTTP/1.1 303 See Other"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/login"));
+        assertThat(response, containsString("Location: /ctx/login"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         sessionId = sessionId(response);
 
         response = _connector.getResponse("GET /ctx/j_security_check?j_username=user&j_password=password HTTP/1.0\r\nHost:host:8888\r\nCookie: JSESSIONID=" + sessionId + "\r\n\r\n");
         assertThat(response, containsString("HTTP/1.1 302 Found"));
-        assertThat(response, containsString("Location: http://host:8888/ctx/any/user?action=form"));
+        assertThat(response, containsString("Location: /ctx/any/user?action=form"));
         assertThat(response, containsString("Set-Cookie: JSESSIONID="));
         String unsafeSessionId = sessionId;
         sessionId = sessionId(response);