-
Notifications
You must be signed in to change notification settings - Fork 37.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RedirectView should allow for bypassing HttpServletResponse#encodeRedirectURL [SPR-13693] #18268
Comments
Rossen Stoyanchev commented I don't think it would be so simple. Redirecting to an absolute URL does not necessarily mean a foreign system. We'd have to compare the actual host and that may vary based on forwarded requests, x-forwarded headers from proxies, etc. Furthermore frameworks may also wrap the response and apply their own encoding logic. Can you be more specific, which platform/container and under what circumstances it adds undesired "jsessionid"? From the Javadoc of encodRedirectURL:
|
Marvin S. Addison commented My use case is Spring WebFlow where I'm using externalRedirect:#{absoluteURL}, and I think my assertion that the intent to redirect to a foreign system in that case is sound. In that case it's I'm running my servlet on Jetty, which actually has logic in the Response object to try to detect whether the redirect is to a remote host:
Interestingly, the There absolutely is a case for sending a redirect to a remote system that does not understand jsessionid path parameters; programmers ought to be able to suppress that behavior on a case-by-case basis. That's to say that I agree with you that trying to infer meaning is problematic; it would be better to expose additional configuration to let the author decide. |
Rossen Stoyanchev commented Okay thanks for the extra detail. What exactly do you think we should do? We cannot assume by default that redirecting to a full URL means we can skip encodeRedirectURL. An application may be providing full URLs even when redirecting within the same application. It would also not be easy to determine if the complete URL is to the same application or not. Last but not least, it is not only the Servlet container that may want to encode the URL. Frameworks and applications too may wrap the response and implement encodeRedirectURL. I'm just having a hard time seeing what specifically we can do. |
Scott Cantor commented Notwithstanding that it's a hard problem, I'd like to note that it's essentially a security bug to attach a session ID to the URL of a foreign system. So fundamentally the whole scheme being imposed on us by the containers is flawed, but it is what it is. There are definitely application scenarios in which it's very simply to enumerate the "local" vhost prefixes. If that could be configured via a property to control the Spring layer's determination about whether to call that method, would that fly? |
Rossen Stoyanchev commented BTW does the use case involve cookies being turned off? Just trying to understand the scope of the issue. There are many instances where this is used by 3rd party libraries which decorate the response in order to hook in. They may be doing things for which the assumptions about what should and shouldn't be encoded may vary. In that same line of thought you have a similar option to wrap the response and intercept all calls to encodeRedirectURL. Generally speaking I hesitate to generally turn off the call to encodeRedirectURL at the framework level. |
Marvin S. Addison commented +1 for Scott Cantor's proposal. I believe the following Spring components should respect the proposed flag:
|
Marvin S. Addison commented The original use case where I first saw the problem was one where cookies were disabled, yes. We just identified a new case today where a rewrite rule is causing the cookie to not be returned to the server due to path mismatches. That's arguably a configuration problem, but a different root cause. We not suggesting to disable encodeRedirectURL globally, but selectively according to some configuration parameter that specifies the "local" host names. If the parameter is defined, encoding is performed only for those URLs whose host matches a value in that list; otherwise not. If the configuration parameter is not defined, behavior is as it is today. |
Scott Cantor commented No, it's happening in the case Marvin and I are seeing because of some rewrites the deployer is doing that are fooling the container into thinking it needs to re-encode the ID on the URL. Your point is well-taken though, if encodeRedirectURL is a filterable method on HttpServletResponse, that would be another way. I wasn't, obviously, suggesting you would default this off in Spring or SWF, just that putting the logic the filter/wrapper would have to perform into a property-driven feature would obviously make that available to more people with less duplication. Absent a property value to whitelist anything, Spring would keep doing what it does now I think. |
Juergen Hoeller commented Elaborating on Rossen's point: As Rossen hinted at, this can also be used for workarounds for the time being: A custom Juergen |
Rossen Stoyanchev commented Let me know if this fix works for you. |
Scott Cantor commented Yes, I see where we'd wire that in easily. Thank you. |
Marvin S. Addison commented Looks straightforward for the MVC case. How would one leverage that via "externalRedirect" SpEL? |
Rossen Stoyanchev commented I think we'd have to add that separately in Web Flow. If you could please open one jira.springsource.org/browse/SWF. |
Scott Cantor commented SWF relies on the MVC view resolvers, so I thought it would end up in the same code. Maybe they don't process the redirects SWF is doing? |
Rossen Stoyanchev commented These are all Web Flow constructs. Spring MVC has no idea what "externalRedirect:" is. |
Marvin S. Addison opened SPR-13693 and commented
RedirectView presently calls
HttpServletResponse#.encodeRedirectURL(targetUrl)
unconditionally, which has the effect of appending ";jsessionid" path fragments to the redirect URL unexpectedly in some cases. While that is fine for (context) relative URLs, for absolute URLs the programmer typically intends to redirect to a foreign system that is not likely to understand the decorated URL. I believe it's most correct to add some conditional logic to detect an absolute URL and avoid the call toencodeRedirectURL
in that case.One could argue that the servlet container ought to provide this kind of conditional logic; however, it's been my observation that not all platforms do the right thing.
Affects: 4.2.2
Referenced from: commits c45ad30
1 votes, 6 watchers
The text was updated successfully, but these errors were encountered: