Kai Moritz (Migrated from SEC-1255) said:
Suppose a secured URL, that containes a special character (like '?'), which must be endoded according to RFC 3986.
Example: "/sevletname/foo%3Fbar.html", where "%3F" encodes the "?".
After an successfull login the URL is rebuild by org.springframework.security.util.UrlUtils.
But UrlUtils builds up the full URL from its decoded parts, so that the rebuild URL becomes something like "http://HOSTNAME:PORT/servletname/foo?bar.html", which is not encoded correctly, thus resulting in a 404-Error.
I suggest using the Request-URI, which is not decoded by the Servlet and contains - as far as I know, everything after the "http://HOSTNAME:PORT" up to the Query-String.
That URI is not decoded by the Servlet, thus, the rebuild full URL would be still valid.
Encoding the rebuild URL would not work, becaus all special characters (like contained slashes for example) would be encoded than, which is, as far as I know, not correct.
Luke Taylor said:
Thanks for the report. I've modified the URL building for redirects to use the requestURI to ensure it remains encoded. The path matching URLs will still be decoded (i.e. those used for comparison with paths in intercept-url etc).