SEC-1588: AbstractRetryEntryPoint doesn't encode redirect urls #1827

Closed
spring-issuemaster opened this Issue Oct 8, 2010 · 7 comments


@spring-issuemaster

Felix Becker (Migrated from SEC-1588) said:

We are using Security for a web project. When the user is in a protected area, https is used for all calls. When the user navigates to a page which is in an unprotected area, he'll be redirected from https to http (the user requests https://unprotected.area and is redirected to http://unprotected.area by Spring Security). The AbstractRetryEntryPoint handling this redirect in its commence() method doesn't encode the URL. Possible special characters in the redirect URL therefore aren't escaped. This causes redirections to non-existing pages when the URL contains special characters like German umlauts, since the user's browser doesn't understand those special chars.

Please encode the URL with the URLEncoder before sending a redirect. Thanks

Felix Becker
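An added example (not the reporter's patch and not Spring Security's own code): a hypothetical RetryRedirectUrl helper showing the shape of an encoded redirect target as the report asks for. It uses a path-specific percent encoder rather than java.net.URLEncoder, because URLEncoder is meant for form data (it turns spaces into '+' and '/' into %2F) and would re-encode escapes the browser already sent; the class name, method names and sample host are assumptions.

```java
import java.nio.charset.StandardCharsets;

/** Hypothetical helper (not Spring Security code): builds the Location target a corrected
 *  commence() could send, percent-encoding the path while keeping escapes already present. */
public final class RetryRedirectUrl {
    // RFC 3986 pchar set plus the "/" segment separator; every other byte is escaped.
    private static final String SAFE =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$&'()*+,;=:@/";
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    private static boolean isHex(byte b) {
        return (b >= '0' && b <= '9') || (b >= 'A' && b <= 'F') || (b >= 'a' && b <= 'f');
    }

    /** Percent-encode a request path (as returned by getRequestURI()) for a Location header. */
    static String encodePath(String path) {
        byte[] bytes = path.getBytes(StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder(bytes.length + 16);
        for (int i = 0; i < bytes.length; i++) {
            int b = bytes[i] & 0xFF;
            boolean keptEscape = b == '%' && i + 2 < bytes.length
                && isHex(bytes[i + 1]) && isHex(bytes[i + 2]);   // e.g. an existing %20
            if (keptEscape || (b < 0x80 && SAFE.indexOf(b) >= 0)) {
                out.append((char) b);
            } else {
                out.append('%').append(HEX[b >>> 4]).append(HEX[b & 0x0F]);
            }
        }
        return out.toString();
    }

    /** Build scheme://host[:port]path[?query]; the query string is passed through as sent. */
    static String buildRedirectUrl(String scheme, String host, int port,
                                   String requestUri, String queryString) {
        StringBuilder url = new StringBuilder(scheme).append("://").append(host);
        boolean defaultPort = ("http".equals(scheme) && port == 80)
            || ("https".equals(scheme) && port == 443);
        if (!defaultPort) url.append(':').append(port);
        url.append(encodePath(requestUri));
        if (queryString != null && queryString.length() > 0) url.append('?').append(queryString);
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: umlaut and space in the path, plus an escape the browser already sent.
        System.out.println(buildRedirectUrl("http", "www.example.com", 80,
            "/unprotected/über uns/already%20escaped", "q=1"));
    }
}
```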

@spring-issuemaster

Felix Becker said:

Patched source files resolving this issue. Patched 2 unit tests (they didn't provide all the needed information in their HttpServletRequestMock, and they didn't check the redirect case for URLs with encoded special chars; added a case for spaces (%20)).

Commence method of AbstractRetryEntryPoint cleaned up and fixed.

@spring-issuemaster

Felix Becker said:

These files compile with a 1.4 source level. If it's a requirement that this version of Spring Security runs on a JDK 1.4, you have to remove the StringBuilder in the AbstractRetryEntryPoint and replace it with a StringBuffer.

@spring-issuemaster

Felix Becker said:

http://github.com/fbe/Spring-Security/tree/2.0.4-fix public git with fixed 2.0.4, fully compatible with Java 1.4.

@spring-issuemaster

Luke Taylor said:

This is essentially a duplicate of SEC-1500, so it is already fixed in the 3+ codebase.

@spring-issuemaster

Felix Becker said:

So there won't be an official fix for the 2.X codebase? Are no more releases for the 2.X codebase planned?

@spring-issuemaster

Luke Taylor said:

No. Version 3 has been out for almost 2 years now. Releases only continue until the next major release is out. Check the Maintenance Policy for more information: http://www.springsource.com/products/enterprise/maintenancepolicy/faq

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016