Spring Security
  1. Spring Security
  2. SEC-1067

Redirect on successful login not working for URLs with anchors/fragments

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      I've attached a war to demostrate the problem, most of it is exactly the same as the sample tutorial war, all I've done is add a new page /secure/another-page.jsp

      Steps to demonstrate problem:
      1. user tries to go to a secured resource, e.g.
      http://localhost:8080/spring-security-samples-tutorial-2.0.4/secure/another-page.jsp#second
      2. user is re-directed to login page
      3. user logs in
      4. user is redirected to
      http://localhost:8080/spring-security-samples-tutorial-2.0.4/secure/another-page.jsp

      I've also submitted a post about this issue:
      http://forum.springframework.org/showthread.php?p=219895#post219895

        Activity

        Hide
        Blake Pettersson added a comment -

        According to the HTTP spec, fragments are not supposed to be included in the referer URI.

        http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36

        Show
        Blake Pettersson added a comment - According to the HTTP spec, fragments are not supposed to be included in the referer URI. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36
        Hide
        Luke Taylor added a comment -

        I don't think this is something we can do anything about. The fragment is not submitted by the browser to the server - it is only needed on the browser side to find the location in the page once it has been loaded. So it isn't possible for the server side to redirect to the full rebuilt URL, including the fragment.

        If you need this kind of behaviour you will probably have to use a parameter based approach instead (and use javascript to set the location).

        Show
        Luke Taylor added a comment - I don't think this is something we can do anything about. The fragment is not submitted by the browser to the server - it is only needed on the browser side to find the location in the page once it has been loaded. So it isn't possible for the server side to redirect to the full rebuilt URL, including the fragment. If you need this kind of behaviour you will probably have to use a parameter based approach instead (and use javascript to set the location).
        Hide
        Jorge L Garcia Perez added a comment -

        As a patch, on the login form you can do this:

        function setSubmitUrl(form)

        { var hash = unescape(self.document.location.hash.substring(1)); form.action = "j_spring_security_check#" + hash; return true; }

        ...
        <FORM method="get" onSubmit="return setSubmitUrl(this);">

        Show
        Jorge L Garcia Perez added a comment - As a patch, on the login form you can do this: function setSubmitUrl(form) { var hash = unescape(self.document.location.hash.substring(1)); form.action = "j_spring_security_check#" + hash; return true; } ... <FORM method="get" onSubmit="return setSubmitUrl(this);">

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Natalia Zinoviev
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: