SEC-1401: Https not honored in defaultTargetUrl #1644

Closed
spring-issuemaster opened this Issue Feb 7, 2010 · 6 comments

1 participant

@spring-issuemaster

salvin francis (Migrated from SEC-1401) said:

We are using the https protocol in our production environments with multiple clients.

Using something like this:

<form-login authentication-failure-url="https://www.ourapp.com/FailureLogin.jsp"
            always-use-default-target="false"
            default-target-url="https://www.ourapp.com/SuccessLogin.jsp"/>

works, whereas using:

<form-login authentication-failure-url="/FailureLogin.jsp"
            always-use-default-target="false"
            default-target-url="/SuccessLogin.jsp"/>

does not work.
Debugging and checking logs revealed that a call was made to http://www.ourapp.com/SuccessLogin.jsp,
which does not exist.

Since our app is used in multiple environments, it is desirable to specify URLs in this manner.

Is there a workaround for this in code/config for Spring Security 3.0.0 RC1?
This is not a duplicate of SEC-297 since that's related to documentation.

@spring-issuemaster

Luke Taylor said:

If you use a relative URL then the full redirect location is built by the servlet container, so I don't think this is a Spring Security bug.

Please don't raise issues against out-of-date releases. Check with the latest release first.

@spring-issuemaster

salvin francis said:

Hi Luke,

I am sorry for raising an issue against an out-of-date release.
Actually, I did refer to the release notes:
http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&version=10987
http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&version=11380
http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&version=11381

I didn't find any references to default-target-url or https (or maybe I missed it).

Personally, I will not be able to verify this against 3.0.1 since I do not have access to the
production environment in my company.

As I mentioned in the bug description, I would be glad to know of any workarounds for this issue, and if 3.0.1 does not have this issue then I can pursue my company to switch to it.

I honestly do feel it's a bug related to Spring Security, though.

@spring-issuemaster

Luke Taylor said:

There isn't any evidence that it is a bug. As I explained, the container is responsible for building the redirect URL. You can verify that this works by setting a default-target-url in the tutorial sample and running it (using mvn jetty:run from the codebase). If you then access it using https you are redirected to https.

@spring-issuemaster

salvin francis said:

I escalated this issue to higher authorities and here is the response I got:

"Our application runs on Apache, Apache is the https handler, our app is not running on https;
our app is running on http behind the firewall, Apache routes the request to our app."

This makes sense: since our app runs on http (internally), Spring Security sends it to an http URL while we access it over https.

In that case, I admit it's not a Spring bug and suggest closing this.

However, I am still left with an open issue with no solution at hand :) Any pointers on this?
I would consider a response over a thread rather than starting a discussion in JIRA :)

Thread to continue discussion:
http://forum.springsource.org/showthread.php?p=283126#post283126
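One way to close the gap described in this thread (Apache terminates TLS and forwards plain http, so the container builds `http://` redirect locations from relative `default-target-url` values), as an added example that is not code from the thread or from Spring Security: a servlet filter that wraps the response and resolves relative redirects against the external `https://` origin before the container's own `sendRedirect` runs. The public host name `www.ourapp.com`, the trusted proxy addresses and the `X-Forwarded-Proto` header being set by the proxy are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Makes relative redirects absolute on the external https:// origin when the request
 * came via a trusted TLS-terminating proxy, before the container can prepend "http://".
 */
public class ProxyAwareRedirectFilter implements Filter {
    // Assumptions: the public host name and the proxy addresses allowed to assert X-Forwarded-Proto.
    private static final String EXTERNAL_HOST = "www.ourapp.com";
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<String>(Arrays.asList("127.0.0.1", "10.0.0.5"));
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest http = (HttpServletRequest) req;
        // Only a trusted proxy may assert https; a client hitting the app directly
        // must not be able to steer redirects by forging the header.
        boolean viaTls = "https".equalsIgnoreCase(http.getHeader("X-Forwarded-Proto"))
                && TRUSTED_PROXIES.contains(http.getRemoteAddr());
        if (!viaTls) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void sendRedirect(String location) throws IOException {
                // Resolve against the request URI as the container would, but on the
                // external https:// origin; targets that already carry a scheme pass through.
                URI base = URI.create("https://" + EXTERNAL_HOST + http.getRequestURI());
                super.sendRedirect(base.resolve(location).toString());
            }
        };
        chain.doFilter(req, wrapped);
    }
}
```

Register it in web.xml ahead of springSecurityFilterChain so it wraps the response that Spring Security redirects through. Containers that honour X-Forwarded-Proto natively (Tomcat's RemoteIpValve, for example) make the filter unnecessary.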

@spring-issuemaster

Mike Yin said:

As a note, I would consider this a feature request instead of a bug. Lots of companies have load balancers or firewalls that handle https. Would it be possible to construct site-root-relative URLs or just allow absolute URLs as an argument?

@spring-issuemaster

salvin francis said:

too late, the bug is closed :)

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016