Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1302: LoginUrlAuthenticationEntryPoint does not use RedirectStrategy #1548

spring-issuemaster opened this Issue Nov 19, 2009 · 4 comments


None yet
1 participant

Paul Tomlin (Migrated from SEC-1302) said:

RC2 does not seem to make use of the RedirectStrategy in buildRedirectUrlToLoginPage or buildHttpsRedirectUrlForRequest.

SEC-1153 has a comment by Luke Taylor noting configuration limitations for this class and the redirect strategy, though it's not clear (to me) exactly what it means, given that redirects in LoginUrlAuthenticationEntryPoint are not done via the strategy.

"Note that there are configuration limitations on the use of the redirect strategy for the standard LoginUrlAuthenticationEntryPoint (formerly AuthenticationProcessingFilterEntryPoint). For example, if it is attempting to redirect to an HTTPS URL, and a context-relative redirect strategy is used, then you will lose the HTTPS part. If necessary the entry point code should be overridden or a custom strategy should be written to make sure you end up with URLs that make sense to your clients and which work the way you want."

SEC-1226 superceded SEC-1153, but doesn't seem to handle the issue. Lukes comment noted above appears to have been made at the time SEC-1226 was closed.

Particularly the comment "custom strategy should be written" seems to indicate that LoginUrlAuthenticationEntryPoint should be using the RedirectStrategy.

This ticket is the result of me trying to get context relative redirect URLs when launching the authentication entry point. Currently it seems I'd have to subclass.

Paul Tomlin said:

Clearly I'm blind, LoginUrlAuthenticationEntryPoint is using the strategy...

Shai Yallin said:

Maybe I am blind, but I don't see where the strategy is being used. I'm watching r3924, where there's no mention of a RedirectionStrategy.... reopen?

Shai Yallin said:

My bad - there IS a strategy there (was looking at the wrong revision after all) but there's no setter for it!

Luke Taylor said:

LoginUrlAuthenticationEntryPoint is itself a strategy. The comment I made which is quoted to refers to that class. The fact that it uses the DefaultRedirectStrategy internally is an implementation detail.

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment