SEC-1610: Allow absolute URLs in form-login tag #1850

spring-issuemaster opened this Issue Nov 2, 2010 · 1 comment


None yet

1 participant


Scott Murphy (Migrated from SEC-1610) said:

In some cases it would be useful to be able to post to a non-relative URL. Specifically if you want your login-processing-url to be https. (coming from an http login form)

Currently, you use the form-login tag something like this:

I would like to be able to use either 1)

or 2)

Currently, urls are restricted to being relative and/or don't allow you to specify the channel which makes this not possible.

To make 1) possible, all that is required is an update to the

~ Line 128

   if (formLoginEnabled) {
        sb.append("<h3>Login with Username and Password</h3>");
        sb.append("<form name='f' action='").append(request.getContextPath()).append(authenticationUrl).append("' method='POST'>\n");
        sb.append(" <table>\n");
        sb.append("    <tr><td>User:</td><td><input type='text' name='");
        sb.append(usernameParameter).append("' value='").append(lastUser).append("'></td></tr>\n");
        sb.append("    <tr><td>Password:</td><td><input type='password' name='").append(passwordParameter).append("'/></td></tr>\n");





to check to see if the url contains the channel, and if it does, request.getContextPath() is not appended.

To do 2) would need to be updated to take the new parameter as well as updating DefaultLoginPageGeneratingFilter and the schema for the form-login tag.

I understand that this is not ideally secure and would require the following tag in the security config:

However, it does provide the security for passwords by not sending them as plain text over http.

http -> https -> http
Is also common practice by most popular consumer sites that don't need to secure confidential material other than the initial login.


Login Form:
Login Processing URL:

Login Form:
Login Processing URL:

Using https for everything is just not realistic when you have a lot of media content you want to deliver over http as well as ad content.
Delivering mixed https/http content results in a browser warning that negatively impacts the user's experience.


Luke Taylor said:

I'd recommend you implement your own login page if you want to do this and make sure the page is also loaded over https. That way you have full control over the URL. DefaultLoginPageGeneratingFilter is mainly intended for getting simple prototypes or examples up and running. The login-processing-url attribute is used to configure the UsernamePasswordAuthenticationFilter (it sets a property on AbstractAuthenticationProcessingFilter), so its primary purpose isn't actually related to rendering the login page.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment