SEC-973: OpenIDAuthenticationProcessingFilter assumes https uses port 80 #1225

spring-issuemaster opened this Issue Sep 8, 2008 · 1 comment



Jeremy Espino (Migrated from SEC-973) said:

OpenIDAuthenticationProcessingFilter, when parsing the returnToUrl, assumes port 80 even when https is used. There should be some logic to utilize port 443, the default port for https, if url.getPort() equals -1.

```java
if (mapping == null) {
    try {
        URL url = new URL(returnToUrl);
        // Flaw: a missing port (-1) is replaced by 80 regardless of the scheme, so https gets port 80
        int port = (url.getPort() == -1) ? 80 : url.getPort();
    } catch (MalformedURLException e) {
    }
}
```

The workaround is to utilize the realmMapping property to make a hard map between the returnToUrl and the existing returnToUrl, bypassing the flawed logic, i.e.:

I also found that putting a debug statement in helped when doing the realmMapping, i.e.:

```java
protected String lookupRealm(String returnToUrl) {
    String mapping = (String) realmMapping.get(returnToUrl);
    log.debug("returnToUrl value = " + returnToUrl);
    // remainder of the method unchanged
```

Luke Taylor said:

I'm not really sure why it was appending the port at all in the case where url.getPort() was -1. If the port is standard then it doesn't need to be added to the URL whether it's using http or https. I've modified the code to only add the port if the getPort() method returns a value > 0.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
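To make the difference between the reported behaviour and the fix concrete, here is an added example (not Spring Security's code) that puts the two port rules side by side. The realm format `scheme://host[:port]/`, the method names `flawedRealm` and `fixedRealm`, and the sample return URLs are assumptions made for illustration; only the port logic mirrors what the issue and the fix describe.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Added example, not part of Spring Security. Shows how a return URL turns into a
// realm under the reported logic versus the corrected logic from the fix.
public class RealmPortExample {

    // Reported behaviour: a missing port (-1) is always replaced by 80, so an
    // https return URL produces a realm that names port 80.
    static String flawedRealm(String returnToUrl) throws MalformedURLException {
        URL url = new URL(returnToUrl);
        int port = (url.getPort() == -1) ? 80 : url.getPort();
        return url.getProtocol() + "://" + url.getHost() + ":" + port + "/";
    }

    // Corrected behaviour: append the port only when the URL carried one
    // explicitly (getPort() > 0). A standard port is implied by the scheme and
    // does not need to appear in the realm, whether http or https.
    static String fixedRealm(String returnToUrl) throws MalformedURLException {
        URL url = new URL(returnToUrl);
        StringBuilder realm = new StringBuilder(url.getProtocol())
                .append("://")
                .append(url.getHost());
        if (url.getPort() > 0) {
            realm.append(':').append(url.getPort());
        }
        return realm.append('/').toString();
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample return URLs (hostname and path are placeholders).
        String[] samples = {
            "https://example.com/openid-return",
            "http://example.com/openid-return",
            "https://example.com:8443/openid-return",
        };
        for (String returnToUrl : samples) {
            System.out.println(returnToUrl);
            System.out.println("  reported logic: " + flawedRealm(returnToUrl));
            System.out.println("  fixed logic:    " + fixedRealm(returnToUrl));
        }
        // java.net.URL already knows the scheme's default port, which is why the
        // reported code never needed to guess 80 in the first place.
        URL https = new URL(samples[0]);
        System.out.println("getPort()=" + https.getPort()
                + " getDefaultPort()=" + https.getDefaultPort());
    }
}
```

Run with `javac RealmPortExample.java && java RealmPortExample`. For the first sample the reported logic yields `https://example.com:80/`, a realm that does not match the https return URL the provider will actually see, while the fixed logic yields `https://example.com/`; only the explicit `:8443` case keeps its port under the fix. The `getDefaultPort()` line shows that if a default port were ever needed, `java.net.URL` supplies the scheme-correct one rather than a hard-coded 80.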