DefaultRedirectStrategy.sendRedirect with relative URL and ForwardedHeaderFilter add contextpath to URL twice [SPR-15088] #19654

Closed
spring-issuemaster opened this issue Jan 3, 2017 · 4 comments

Comments

@spring-issuemaster

commented Jan 3, 2017

Stefan Pfeiffer opened SPR-15088 and commented

Following up to #19587 discussion, the example given in the Reference URL (after accepting my PR) demonstrates a problem with DefaultRedirectStrategy in conjunction with ForwardedHeaderFilter when DefaultRedirectStrategy.sendRedirect(request, response, url) gets a relative URL in the url parameter. Both add the context path to the URL. LoginUrlAuthenticationEntryPoint feeds an absolute path to DefaultRedirectStrategy.sendRedirect, so the example has to be faked to return a relative URL. I found the problem when using a SavedRequestAwareAuthenticationSuccessHandler, when the savedRequest is null, which then returns a default redirect target of / which ends up in DefaultRedirectStrategy.sendRedirect(…), triggering the double-context-path problem.

Nonetheless, DefaultRedirectStrategy.sendRedirect(…) should be able to handle relative URLs.

Setting DefaultRedirectStrategy.setContextRelative(true) should fix the problem, but I do not think that would be the right spot to prevent an interaction with the ForwardedHeaderFilter somewhere in the filter chain?


Affects: 4.3.5

Reference URL: https://github.com/rwinch/spring-security-sample/tree/SPR-15020

Referenced from: commits df98d30, 523370b

1 votes, 4 watchers

@spring-issuemaster

commented Jan 3, 2017

Thibaud Lepretre commented

I just figured out the exact same problem

After submitting wrong credentials on form:

Request URL:http://my.host.dev/uaa/login
Request Method:POST

Response Headers
Location:http://my.host.dev/uaa/uaa/login#error

with logs

2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.w.s.HttpSessionRequestCache        : DefaultSavedRequest added to Session: DefaultSavedRequest[http://my.host.dev/uaa/uaa/login]
2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://my.host.dev/uaa/login'

@spring-issuemaster

commented Jan 3, 2017

Rossen Stoyanchev commented

Rob Winch assigning to you since it also relates to Spring Security's DefaultRedirectStrategy.

@spring-issuemaster

commented Jan 3, 2017

Rob Winch commented

The problem is that I interpreted the Javadoc incorrectly. Any request that starts with / should not add the context root to the redirect. In this example, the code

response.sendRedirect("/context/foo");

should not add the context root to the redirect URL.
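
A simplified model of the interaction described in this thread, added here as an illustration and not taken from Spring Framework or Spring Security. The method names, the `legacy` flag and the sample request URL are assumptions made for the example.

```java
import java.net.URI;

// Simplified model of the two steps discussed in this issue. This is NOT
// Spring's source; method names and the "legacy" flag are hypothetical.
public class DoubleContextPathDemo {

    // Step 1: DefaultRedirectStrategy. With contextRelative=false, a URL that
    // has no scheme gets the context path prepended. (The stripping that
    // contextRelative=true applies to absolute URLs is left out.)
    static String strategyUrl(String contextPath, String url, boolean contextRelative) {
        boolean absolute = url.matches("^[a-zA-Z][a-zA-Z0-9+.-]*://.*");
        return (absolute || contextRelative) ? url : contextPath + url;
    }

    // Step 2: the forwarded-header response wrapper makes the location absolute
    // against the proxy-facing request URL (scheme and host from X-Forwarded-*).
    // legacy=true models the reported behaviour: the context path is prepended
    // to a location that starts with "/". legacy=false follows the reading
    // given in the thread: a leading "/" is already relative to the server
    // root, so nothing is prepended.
    static String wrapperLocation(URI requestUrl, String contextPath,
                                  String location, boolean legacy) {
        if (URI.create(location).isAbsolute()) {
            return location; // already has a scheme, pass through
        }
        if (legacy && location.startsWith("/")) {
            location = contextPath + location;
        }
        return requestUrl.resolve(location).toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; host and context path follow the thread.
        URI requestUrl = URI.create("http://my.host.dev/uaa/login");
        String ctx = "/uaa";
        String target = "/"; // default target when there is no saved request

        String fromStrategy = strategyUrl(ctx, target, false);
        System.out.println("legacy wrapper:  "
                + wrapperLocation(requestUrl, ctx, fromStrategy, true));
        System.out.println("fixed wrapper:   "
                + wrapperLocation(requestUrl, ctx, fromStrategy, false));
        // Workaround from the report: contextRelative=true, legacy wrapper.
        System.out.println("contextRelative: "
                + wrapperLocation(requestUrl, ctx, strategyUrl(ctx, target, true), true));
    }
}
```

Only the first printed URL contains the context path twice; the other two resolve to the application root under `/uaa`.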

@spring-issuemaster

commented Jan 3, 2017

Rob Winch commented

Thanks for reporting this issue. This is now fixed in 4.3.6 and 5.0 RC1
