DefaultRedirectStrategy.sendRedirect with relative URL and ForwardedHeaderFilter add contextpath to URL twice [SPR-15088]

[spring-projects-issues]

Stefan Pfeiffer opened SPR-15088 and commented

Following up to #19587 discussion, the example given in the Reference URL (after accepting my PR) demonstrates a problem with DefaultRedirectStrategy in conjunction with ForwardedHeaderFilter when DefaultRedirectStrategy.sendRedirect(request, response, url) gets a relative URL in the url parameter. Both add the context path to the URL. LoginUrlAuthenticationEntryPoint feeds an absolute path to DefaultRedirectStrategy.sendRedirect, so the example has to be faked to return a relative URL. I found the problem when using a SavedRequestAwareAuthenticationSuccessHandler, when the savedRequest is null, which then returns a default redirect target of / which ends up in DefaultRedirectStrategy.sendRedirect(…), triggering the double-context-path problem.

Nonetheless, DefaultRedirectStrategy.sendRedirect(…) should be able to handle relative URLs.

Setting DefaultRedirectStrategy.setContextRelative(true) should fix the problem, but i do not think that would be the right spot to prevent an interaction with the ForwardedHeaderFilter somewhere in the filter chain?

---

Affects: 4.3.5

Reference URL: https://github.com/rwinch/spring-security-sample/tree/SPR-15020

Referenced from: commits df98d30, 523370b

1 votes, 4 watchers

[spring-projects-issues]

Thibaud Lepretre commented

I just figure out the exact same problem

After submitting wrong credentials on form:

Request URL:http://my.host.dev/uaa/login
Request Method:POST

Response Headers
Location:http://my.host.dev/uaa/uaa/login#error

with logs

2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.w.s.HttpSessionRequestCache        : DefaultSavedRequest added to Session: DefaultSavedRequest[http://my.host.dev/uaa/uaa/login]
2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2017-01-03 16:02:35.928 DEBUG 67865 --- [nio-8769-exec-4] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'http://my.host.dev/uaa/login'

[spring-projects-issues]

Rossen Stoyanchev commented

Rob Winch assigning to you since it also relates to Spring Security's DefaultRedirectStrategy.

[spring-projects-issues]

Rob Winch commented

The problem is that I interpreted the Javadoc incorrectly. Any request that starts with / should not add the context root to the redirect. In this example, the code

response.sendRedirect("/context/foo");

should not add the context root to the redirect URL.

[spring-projects-issues]

Rob Winch commented

Thanks for reporting this issue. This is now fixed in 4.3.6 and 5.0 RC1