
SEC-1588: AbstractRetryEntryPoint doesn't encode redirect urls #1827

Closed
spring-issuemaster opened this Issue Oct 8, 2010 · 7 comments


Felix Becker (Migrated from SEC-1588) said:

We are using Security for a web project. When the user is in a protected area, https is used for all calls. When the user navigates to a page which is an unprotected area, he'll be redirected from https to http (user requests https://unprotected.area and is redirected to http://unprotected.area by Spring Security). The AbstractRetryEntryPoint handling this redirect in its commence() method doesn't encode the URL. Possible special characters in the redirect URL therefore aren't escaped. This causes redirects to non-existing pages when the URL contains special characters like German umlauts, because the user's browser doesn't understand those special characters.

Please encode the URL with the URLEncoder before sending a redirect. Thanks

Felix Becker

Felix Becker said:

Patched source files resolving this issue. Patched 2 unit tests (they didn't provide all the needed information in their HttpServletRequestMock, and they didn't check the redirect case for URLs with encoded special chars; added a case for spaces (%20)).

The commence() method of AbstractRetryEntryPoint was cleaned up and fixed.
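The redirect construction described in the report above, as an added example that is not Spring Security's code and not the patch attached to this issue: it performs the same scheme switch and port mapping the entry point does, but percent-encodes the container-decoded path so umlauts and spaces (the %20 test case mentioned above) survive the redirect. It deliberately uses java.net.URI rather than URLEncoder, because URLEncoder produces form encoding (a space becomes "+", which is wrong inside a path); the class and method names are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example, not Spring Security's own code: builds an encoded redirect
 * target from the parts a servlet request exposes. Hypothetical class name.
 */
public final class EncodedRedirectBuilder {

    private EncodedRedirectBuilder() {}

    /**
     * @param scheme      target scheme after the switch ("http" or "https")
     * @param host        request server name
     * @param port        mapped target port, or -1 for the scheme default
     * @param decodedPath servletPath + pathInfo as the container decoded them
     * @param rawQuery    HttpServletRequest.getQueryString() (still encoded), or null
     */
    public static String buildRedirectUrl(String scheme, String host, int port,
                                          String decodedPath, String rawQuery) {
        try {
            // The multi-argument URI constructor quotes characters that are illegal
            // in a path (a space becomes %20, not "+"); toASCIIString() then encodes
            // non-ASCII characters such as umlauts as UTF-8 percent-escapes.
            String encoded = new URI(scheme, null, host, port, decodedPath, null, null)
                    .toASCIIString();
            // getQueryString() is already in wire form; passing it through the URI
            // constructor would double-encode it ("%20" -> "%2520"), so append it as is.
            if (rawQuery != null && rawQuery.length() > 0) {
                encoded = encoded + "?" + rawQuery;
            }
            return encoded;
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("cannot build redirect URL: " + decodedPath, e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an https request for a page with an umlaut and a
        // space in its path is sent back to the unprotected http site.
        System.out.println(buildRedirectUrl("http", "unprotected.area", -1,
                "/seite/Über uns", "q=a%20b"));
    }
}
```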

Felix Becker said:

These files compile with a 1.4 source level. If it's a requirement that this version of Spring Security runs on a JDK 1.4, you have to remove the StringBuilder in the AbstractRetryEntryPoint and replace it with a StringBuffer.

Felix Becker said:

http://github.com/fbe/Spring-Security/tree/2.0.4-fix: public git with fixed 2.0.4, fully compatible with Java 1.4.

Luke Taylor said:

This is essentially a duplicate of SEC-1500, so it is already fixed in the 3+ codebase.

Felix Becker said:

So there won't be an official fix for the 2.X codebase? Are no more releases for the 2.X codebase planned?

Luke Taylor said:

No. Version 3 has been out for almost 2 years now. Releases only continue until the next major release is out. Check the Maintenance Policy for more information: http://www.springsource.com/products/enterprise/maintenancepolicy/faq

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016
