
SEC-1255: Target URL after successful login differs from original URL when it was encoded according to RFC 3986 #1507

spring-issuemaster opened this Issue Oct 1, 2009 · 1 comment



Kai Moritz (Migrated from SEC-1255) said:

Suppose a secured URL that contains a special character (like '?'), which must be encoded according to RFC 3986.
Example: "/servletname/foo%3Fbar.html", where "%3F" encodes the "?".

After a successful login the URL is rebuilt by org.springframework.security.util.UrlUtils.
But UrlUtils builds up the full URL from its decoded parts, so that the rebuilt URL becomes something like "http://HOSTNAME:PORT/servletname/foo?bar.html", which is not encoded correctly, thus resulting in a 404 error.

I suggest using the Request-URI, which is not decoded by the Servlet and contains, as far as I know, everything after the "http://HOSTNAME:PORT" up to the query string.
That URI is not decoded by the Servlet; thus, the rebuilt full URL would still be valid.

Encoding the rebuilt URL would not work, because all special characters (like contained slashes, for example) would be encoded then, which is, as far as I know, not correct.

Luke Taylor said:

Thanks for the report. I've modified the URL building for redirects to use the requestURI to ensure it remains encoded. The path matching URLs will still be decoded (i.e. those used for comparison with paths in intercept-url etc).
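The three ways of rebuilding the redirect target discussed in this thread, as an added example that is not part of the issue and not Spring Security's own code. The `Request` class is a constructed stand-in for the relevant parts of an `HttpServletRequest` (decoded `servletPath`/`pathInfo`, raw `requestURI`); the host `HOSTNAME`, port 8080 and the sample paths are assumed. Beyond the '?' case from the report it also checks a path containing an encoded slash (`%2F`), which shows why re-encoding the decoded path is not equivalent to keeping the raw request URI.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote, urlsplit


# Constructed stand-in for the pieces of an HttpServletRequest this issue is about
# (not a real servlet API object). Servlet containers hand back servletPath and
# pathInfo already percent-decoded, while requestURI is the path as sent on the wire.
@dataclass(frozen=True)
class Request:
    scheme: str
    host: str
    port: int
    context_path: str
    servlet_path: str            # decoded by the container
    path_info: str               # decoded by the container
    request_uri: str             # raw: still percent-encoded
    query_string: Optional[str] = None


def origin(req: Request) -> str:
    """scheme://host[:port], omitting the port when it is the scheme default."""
    default = 443 if req.scheme == "https" else 80
    authority = req.host if req.port == default else f"{req.host}:{req.port}"
    return f"{req.scheme}://{authority}"


def with_query(url: str, req: Request) -> str:
    """Append the raw query string, if the request had one."""
    return url if req.query_string is None else f"{url}?{req.query_string}"


def build_from_decoded_parts(req: Request) -> str:
    """Pre-fix behaviour: glue the decoded components back together.
    Any '?' or '/' that was escaped on the wire now changes the URL's meaning."""
    return with_query(origin(req) + req.context_path + req.servlet_path + req.path_info, req)


def build_from_request_uri(req: Request) -> str:
    """Post-fix behaviour: reuse the raw requestURI, so the escapes survive."""
    return with_query(origin(req) + req.request_uri, req)


def build_by_reencoding(req: Request) -> str:
    """Alternative: percent-encode the decoded path again. This repairs a literal '?',
    but a '/' that came from %2F is indistinguishable from a real segment separator."""
    decoded_path = req.context_path + req.servlet_path + req.path_info
    return with_query(origin(req) + quote(decoded_path, safe="/"), req)


def resource_of(url: str) -> Tuple[str, str]:
    """(path, query) as a browser or server would split the rebuilt URL."""
    parts = urlsplit(url)
    return parts.path, parts.query


def preserves_target(req: Request, builder) -> bool:
    """True when the rebuilt URL still names the resource the client asked for,
    judged against the raw request URI and query string."""
    wanted = (req.request_uri, req.query_string or "")
    return resource_of(builder(req)) == wanted


# Constructed samples (assumed host/port): the '?' case from the report, an encoded
# slash, and the '?' case with a query string attached.
QUESTION_MARK = Request("http", "HOSTNAME", 8080, "", "/servletname", "/foo?bar.html",
                        "/servletname/foo%3Fbar.html")
ENCODED_SLASH = Request("http", "HOSTNAME", 8080, "", "/servletname", "/a/b.html",
                        "/servletname/a%2Fb.html")
WITH_QUERY = Request("http", "HOSTNAME", 8080, "", "/servletname", "/foo?bar.html",
                     "/servletname/foo%3Fbar.html", "x=1")

if __name__ == "__main__":
    for name, req in (("'?' in path", QUESTION_MARK), ("%2F in path", ENCODED_SLASH)):
        for builder in (build_from_decoded_parts, build_by_reencoding, build_from_request_uri):
            url = builder(req)
            print(f"{name:12} {builder.__name__:26} {url}  "
                  f"-> {resource_of(url)}  ok={preserves_target(req, builder)}")
```

Running it shows the decoded-parts build turning `/servletname/foo%3Fbar.html` into path `/servletname/foo` with query `bar.html`, which is a different resource. Re-encoding recovers that case but not the `%2F` one, whereas the raw request URI is right for both, which is the reason the fix reuses it for the redirect while keeping decoded paths for `intercept-url` matching.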

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
