SEC-1674: absolute paths should be allowed for security:form-login and security:logout attributes. #1915

Closed
spring-issuemaster opened this Issue Feb 8, 2011 · 2 comments

1 participant

@spring-issuemaster

Seth Call (Migrated from SEC-1674) said:

absolute paths should be allowed for security:form-login and security:logout attributes.

For instance, login-page doesn't work with an absolute path. But if LoginUrlAuthenticationEntryPoint.buildRedirectUrlToLoginPage's first lines were changed to:

// requires: import java.net.URI;
protected String buildRedirectUrlToLoginPage(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) {
    String loginForm = determineUrlToUseForThisRequest(request, response, authException);

    // Allow support for absolute URIs: a configured login page on another host is returned as-is
    if (URI.create(loginForm).isAbsolute()) {
        return loginForm;
    }

    // continue on with existing logic

}

Then comes the inevitable question of why would you want to do this. Consider that someone is using spring-mvc to build an API on domain api.test.com, but a set of non-java, front-end user pages on ui.test.com.

So, api.test.com performs all database/backend logic. In this circumstance, if someone were to go to api.test.com directly in their browser, I would possibly want to redirect them to ui.test.com to login (where ui.test.com has a form with method=http://api.test.com's/login.do or equivalent).

So in this case, I need to specify: , which won't work unless the above patch (or something similar) is implemented.
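The resolution the issue asks for, as an added example that is not Spring Security's code nor the reporter's: a hypothetical LoginRedirectResolver that takes the request's scheme, host, port and context path as plain arguments (instead of an HttpServletRequest) and returns an operator-configured absolute login page verbatim while still building relative pages against the current request. It also restricts absolute values to http/https, since URI.isAbsolute() is true for any scheme.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Hypothetical resolver: turns the configured login-page value into the redirect target. */
public final class LoginRedirectResolver {

    // The login page is operator configuration, not request input, so an absolute
    // value is acceptable; still refuse schemes a browser should never be sent to.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private LoginRedirectResolver() {}

    public static String resolve(String loginPage, String scheme, String serverName,
                                 int serverPort, String contextPath) {
        URI configured;
        try {
            configured = new URI(loginPage);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("login page is not a valid URI: " + loginPage, e);
        }

        if (configured.isAbsolute()) {
            String s = configured.getScheme().toLowerCase();
            if (!ALLOWED_SCHEMES.contains(s)) {
                throw new IllegalArgumentException("unsupported scheme in login page: " + s);
            }
            return loginPage; // e.g. https://ui.test.com/login, used as-is
        }

        // Relative value: rebuild against the current request, honouring the context path.
        StringBuilder sb = new StringBuilder(scheme).append("://").append(serverName);
        boolean defaultPort = serverPort == -1
                || ("http".equals(scheme) && serverPort == 80)
                || ("https".equals(scheme) && serverPort == 443);
        if (!defaultPort) {
            sb.append(':').append(serverPort);
        }
        sb.append(contextPath);
        if (!loginPage.startsWith("/")) {
            sb.append('/');
        }
        return sb.append(loginPage).toString();
    }

    public static void main(String[] args) {
        // Constructed inputs modelling the issue: api.test.com sending browsers to ui.test.com.
        System.out.println(resolve("https://ui.test.com/login", "https", "api.test.com", 443, ""));
        System.out.println(resolve("/login.jsp", "https", "api.test.com", 8443, "/api"));
    }
}
```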

@spring-issuemaster

Luke Taylor said:

Looks like a duplicate. Support for absolute URLs was added in SEC-1498.

@spring-issuemaster

Seth Call said:

Thanks Luke for the update and the actual fix, and sorry for missing the duplicate.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016