SEC-1067: Redirect on successful login not working for URLs with anchors/fragments #1318

Closed
spring-issuemaster opened this Issue Dec 29, 2008 · 3 comments

@spring-issuemaster

Natalia Zinoviev (Migrated from SEC-1067) said:

I’ve attached a war to demonstrate the problem; most of it is exactly the same as the sample tutorial war, all I’ve done is add a new page /secure/another-page.jsp.

Steps to demonstrate problem:
1. user tries to go to a secured resource, e.g.
http://localhost:8080/spring-security-samples-tutorial-2.0.4/secure/another-page.jsp#second
2. user is re-directed to login page
3. user logs in
4. user is redirected to
http://localhost:8080/spring-security-samples-tutorial-2.0.4/secure/another-page.jsp

I’ve also submitted a post about this issue:
http://forum.springframework.org/showthread.php?p=219895#post219895

@spring-issuemaster

Blake Pettersson said:

According to the HTTP spec, fragments are not supposed to be included in the referer URI.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36

@spring-issuemaster

Luke Taylor said:

I don't think this is something we can do anything about. The fragment is not submitted by the browser to the server - it is only needed on the browser side to find the location in the page once it has been loaded. So it isn't possible for the server side to redirect to the full rebuilt URL, including the fragment.

If you need this kind of behaviour you will probably have to use a parameter based approach instead (and use javascript to set the location).

@spring-issuemaster

Jorge L Garcia Perez said:

As a patch, on the login form you can do this:

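// Copy the login page's fragment onto the form action before the form is submitted.
function setSubmitUrl(form){
    // location.hash starts with "#"; drop it and decode the rest
    var hash = unescape(self.document.location.hash.substring(1));
    form.action = "j_spring_security_check#" + hash;
    return true;
}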
...

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
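
The four steps from the report, replayed as an added example (not code from this thread or from Spring Security): the server only ever sees the request target, and a browser following a redirect whose Location has no fragment reuses the fragment of the URL it requested (RFC 7231, section 7.1.2), which is why putting the fragment on the form action carries it through. The login page path `/login.jsp` and all function names are assumptions.

```javascript
// Added illustration. Host, paths and "#second" come from the report above;
// "/login.jsp" and the helper names are assumptions.
const ORIGIN = "http://localhost:8080";
const APP = "/spring-security-samples-tutorial-2.0.4";

// What the server receives: the request target never contains the fragment.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Browser redirect handling (RFC 7231, 7.1.2): a Location without a fragment
// inherits the fragment of the URL that was requested.
function followRedirect(requestedUrl, location) {
  const next = new URL(location, requestedUrl);
  if (next.hash === "") next.hash = new URL(requestedUrl).hash;
  return next.href;
}

// Same idea as setSubmitUrl(): carry the login page's fragment on the form
// action. Assigning through URL.hash keeps it percent-encoded.
function loginAction(loginPageUrl, action) {
  const target = new URL(action, loginPageUrl);
  target.hash = new URL(loginPageUrl).hash;
  return target.href;
}

// Replays the report's steps; the server can only save requestTarget().
function simulateLogin(patched) {
  const wanted = ORIGIN + APP + "/secure/another-page.jsp#second";
  const saved = requestTarget(wanted);                           // step 1
  const loginPage = followRedirect(wanted, APP + "/login.jsp");  // step 2
  const action = patched                                         // step 3
    ? loginAction(loginPage, "j_spring_security_check")
    : new URL("j_spring_security_check", loginPage).href;
  const landed = followRedirect(action, saved);                  // step 4
  return { saved, loginPage, action, landed };
}
```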