Felix Becker (Migrated from SEC-1588) said:
We are using Security for a web project. When the user is in a protected area, https is used for all calls. When the user navigates to a site which is an unprotected area, he'll be redirected from https to http (user requests https://unprotected.area and is redirected to http://unprotected.area by Spring Security). The AbstractRetryEntryPoint handling this redirect in its commence() method doesn't encode the URL. Special characters that may be present in the redirect URL are therefore not escaped. This causes redirects to non-existent pages when the URL contains special characters like German umlauts, since the user's browser doesn't understand those special chars.
Please encode the URL with the URLEncoder before sending a redirect. Thanks
Felix Becker said:
http://git.springsource.org/spring-security/spring-security/blobs/2.0.x/core/src/main/java/org/springframework/security/securechannel/AbstractRetryEntryPoint.java line 70 is the affected line. The encodeRedirectURL is only for encoding a session id.
Patched source files resolving this issue. Patched 2 unit tests (they didn't provide all needed information in their HttpServletRequestMock) and they didn't check the redirect case for URLs with encoded special chars (added case for spaces (%20)).
Commence method of AbstractRetryEntryPoint cleaned up and fixed.
These files compile with a 1.4 source level. If it's a requirement that this version of Spring Security runs on a JDK 1.4, you have to remove the StringBuilder in the AbstractRetryEntryPoint and replace it with a StringBuffer.
http://github.com/fbe/Spring-Security/tree/2.0.4-fix public git with fixed 2.0.4, fully compatible with Java 1.4.
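The following is an added example, not code from Spring Security or from the patch linked above: a hypothetical helper class that rebuilds the retry redirect target the way the report describes, once by plain concatenation and once with each path segment percent-encoded. It assumes the servlet container has already decoded the servlet path and path info (so umlauts and spaces arrive as raw characters) and that the query string is still in the raw form the client sent it, which is why only the path is re-encoded.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/** Hypothetical helper illustrating the unencoded vs. encoded redirect target. */
public class RetryRedirectExample {

    /** Plain concatenation, as the report describes: umlauts and spaces pass through unescaped. */
    public static String unencodedRedirect(String scheme, String host, int port,
                                           String contextPath, String servletPath,
                                           String pathInfo, String queryString) {
        StringBuilder sb = new StringBuilder(scheme).append("://").append(host);
        if (port != -1) sb.append(':').append(port);
        sb.append(contextPath).append(servletPath);
        if (pathInfo != null) sb.append(pathInfo);
        if (queryString != null) sb.append('?').append(queryString);
        return sb.toString();
    }

    /** Percent-encodes each path segment with UTF-8; '/' separators are preserved. */
    static String encodePath(String path) throws UnsupportedEncodingException {
        if (path == null || path.length() == 0) return "";
        String[] segments = path.split("/", -1);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < segments.length; i++) {
            if (i > 0) sb.append('/');
            // URLEncoder is form-encoding: a space becomes '+', which is not a space in a path,
            // so map it to %20 (a literal '+' was already turned into %2B, so this is safe).
            sb.append(URLEncoder.encode(segments[i], "UTF-8").replace("+", "%20"));
        }
        return sb.toString();
    }

    /** Same target as above, but the decoded path is re-encoded; the raw query string is kept as-is. */
    public static String encodedRedirect(String scheme, String host, int port,
                                         String contextPath, String servletPath,
                                         String pathInfo, String queryString)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(scheme).append("://").append(host);
        if (port != -1) sb.append(':').append(port);
        sb.append(encodePath(contextPath)).append(encodePath(servletPath));
        if (pathInfo != null) sb.append(encodePath(pathInfo));
        if (queryString != null) sb.append('?').append(queryString);  // already raw; do not double-encode
        return sb.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample: context "/app", servlet path with an umlaut, path info with a space.
        System.out.println(unencodedRedirect("http", "unprotected.example", -1, "/app", "/Übersicht", "/Meine Seite", "q=1"));
        System.out.println(encodedRedirect("http", "unprotected.example", -1, "/app", "/Übersicht", "/Meine Seite", "q=1"));
    }
}
```

Running main prints the broken target `http://unprotected.example/app/Übersicht/Meine Seite?q=1` followed by the usable one, `http://unprotected.example/app/%C3%9Cbersicht/Meine%20Seite?q=1`.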
Luke Taylor said:
This is essentially a duplicate of SEC-1500, so is already fixed in the 3+ codebase.
So there won't be an official fix for the 2.X codebase? Are no more releases for the 2.X codebase planned?
No. Version 3 has been out for almost 2 years now. Releases only continue until the next major release is out. Check the Maintenance Policy for more information.