Simon Lam (Migrated from SEC-1498) said:
An absolute URL does not work when used as the login page using the security namespace http.
If my app is at http://localhost:8080/webapp, the resulting URL will be http://localhost:8080/webapphttp://foo.com/login
Looking through the code, the problem lies in the method: LoginUrlAuthenticationEntryPoint.buildRedirectUrlToLoginPage.
As a workaround for now, I could subclass LoginUrlAuthenticationEntryPoint, override the buildRedirectUrlToLoginPage method, and then use an explicit bean rather than the security namespace config.
Luke Taylor said:
This isn't a bug - the Javadoc for LoginUrlAuthenticationEntryPoint is clear that the loginFormUrl is relative to the application context path.
Simon Lam said:
Oops, I missed that in the javadoc. I based this on the fact that in the afterPropertiesSet(), a URL starting with "http" is accepted. My mistake.
I've added support for absolute URLs.