DefaultRedirectStrategy.sendRedirect with relative URL and ForwardedHeaderFilter add contextpath to URL twice [SPR-15088] #19654

Closed
spring-projects-issues opened this issue Jan 3, 2017 · 4 comments
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket); type: bug (A general bug)

spring-projects-issues commented Jan 3, 2017

Stefan Pfeiffer opened SPR-15088 and commented

Following up on the #19587 discussion, the example given in the Reference URL (after accepting my PR) demonstrates a problem with DefaultRedirectStrategy in conjunction with ForwardedHeaderFilter when DefaultRedirectStrategy.sendRedirect(request, response, url) gets a relative URL in the url parameter. Both add the context path to the URL. LoginUrlAuthenticationEntryPoint feeds an absolute path to DefaultRedirectStrategy.sendRedirect, so the example has to be faked to return a relative URL. I found the problem when using a SavedRequestAwareAuthenticationSuccessHandler, when the savedRequest is null, which then returns a default redirect target of / which ends up in DefaultRedirectStrategy.sendRedirect(…), triggering the double-context-path problem.

Nonetheless, DefaultRedirectStrategy.sendRedirect(…) should be able to handle relative URLs.

Setting DefaultRedirectStrategy.setContextRelative(true) should fix the problem, but I do not think that would be the right spot to prevent an interaction with the ForwardedHeaderFilter somewhere in the filter chain?


Affects: 4.3.5

Reference URL: https://github.com/rwinch/spring-security-sample/tree/SPR-15020

Referenced from: commits df98d30, 523370b

1 votes, 4 watchers


spring-projects-issues commented Jan 3, 2017

Thibaud Lepretre commented

I just figured out the exact same problem.

After submitting wrong credentials on form:

Request URL:http://my.host.dev/uaa/login
Request Method:POST

Response Headers
Location:http://my.host.dev/uaa/uaa/login#error

with logs

2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.w.s.HttpSessionRequestCache        : DefaultSavedRequest added to Session: DefaultSavedRequest[http://my.host.dev/uaa/uaa/login]
2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://my.host.dev/uaa/login'


spring-projects-issues commented Jan 3, 2017

Rossen Stoyanchev commented

Rob Winch assigning to you since it also relates to Spring Security's DefaultRedirectStrategy.


spring-projects-issues commented Jan 3, 2017

Rob Winch commented

The problem is that I interpreted the Javadoc incorrectly. Any request that starts with / should not add the context root to the redirect. In this example, the code

response.sendRedirect("/context/foo");

should not add the context root to the redirect URL.


spring-projects-issues commented Jan 3, 2017

Rob Winch commented

Thanks for reporting this issue. This is now fixed in 4.3.6 and 5.0 RC1.
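
The interaction discussed in this thread, as an added example that is not part of the original issue and is not Spring's code: a simplified Java model in which a redirect strategy and a proxy-aware response both process the same relative URL, plus a check that flags a doubled context path in a Location value. The class and method names are hypothetical; the host and context path are the ones quoted in the thread, and the redirect targets are constructed inputs.

```java
import java.net.URI;

// Simplified model of the two layers in this issue; names are illustrative, not Spring's API.
public class DoubleContextPathDemo {

    // Redirect-strategy layer: prepend the context path to a non-absolute URL
    // unless contextRelative is set.
    static String strategyUrl(String contextPath, String url, boolean contextRelative) {
        boolean absolute = URI.create(url).isAbsolute();
        return (absolute || contextRelative) ? url : contextPath + url;
    }

    // Response layer that turns the location into an absolute URL for the client.
    // prefixLeadingSlash=true models the reported behaviour (context path added to
    // "/..." locations); false treats a leading "/" as relative to the host root.
    static String responseLocation(URI requestUrl, String contextPath,
                                   String location, boolean prefixLeadingSlash) {
        if (prefixLeadingSlash && location.startsWith("/")) {
            location = contextPath + location;
        }
        return requestUrl.resolve(location).toString();
    }

    // Regression check for tests or proxy logs: does the Location path repeat the context path?
    static boolean hasDoubledContextPath(String location, String contextPath) {
        String path = URI.create(location).getPath();
        String doubled = contextPath + contextPath;
        return path.equals(doubled) || path.startsWith(doubled + "/");
    }

    public static void main(String[] args) {
        URI requestUrl = URI.create("http://my.host.dev/uaa/login"); // URL from the thread
        String ctx = "/uaa";                                          // context path from the thread
        String[] targets = {"/", "/login", "http://my.host.dev/uaa/login"}; // constructed inputs
        for (String target : targets) {
            for (boolean prefix : new boolean[] {true, false}) {
                String fromStrategy = strategyUrl(ctx, target, false);
                String location = responseLocation(requestUrl, ctx, fromStrategy, prefix);
                System.out.printf("target=%-30s prefixLeadingSlash=%-5b -> %s doubled=%b%n",
                        target, prefix, location, hasDoubledContextPath(location, ctx));
            }
        }
    }
}
```

Running it with `contextRelative` switched to `true` in `strategyUrl` shows how that setting changes the result under each response-layer rule, which is the trade-off raised in the opening report.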
