Spring Security / SEC-1255

Target-URL after successful login differs from original URL, when it was encoded according to RFC 3986

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Web
    • Labels:
      None
    • Environment:
      Spring Security 2.0.5 Release

      Description

      Suppose a secured URL that contains a special character (like '?'), which must be encoded according to RFC 3986.
      Example: "/servletname/foo%3Fbar.html", where "%3F" encodes the "?".

      After a successful login the URL is rebuilt by org.springframework.security.util.UrlUtils.
      But UrlUtils builds up the full URL from its decoded parts, so that the rebuilt URL becomes something like "http://HOSTNAME:PORT/servletname/foo?bar.html", which is not encoded correctly, thus resulting in a 404-Error.

      I suggest using the Request-URI, which is not decoded by the Servlet and contains, as far as I know, everything after the "http://HOSTNAME:PORT" up to the Query-String.
      That URI is not decoded by the Servlet, thus the rebuilt full URL would still be valid.

      Encoding the rebuilt URL would not work, because all special characters (like contained slashes, for example) would be encoded then, which is, as far as I know, not correct.

        Activity

        Luke Taylor added a comment -

        Thanks for the report. I've modified the URL building for redirects to use the requestURI to ensure it remains encoded. The path matching URLs will still be decoded (i.e. those used for comparison with paths in intercept-url etc).
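
        The difference between the two ways of building the redirect target discussed in this issue, as an added example that is not part of the original report or of the Spring Security code base. The class name, host, port and request values are constructed, and plain strings stand in for the values a servlet container would report.

```java
import java.net.URI;

public class RedirectUrlDemo {
    // Constructed values, shaped like what a servlet container reports for
    // GET /servletname/foo%3Fbar.html (host and port are placeholders).
    static final String SCHEME = "http";
    static final String HOST = "localhost";
    static final int PORT = 8080;
    static final String CONTEXT_PATH = "";
    static final String SERVLET_PATH = "/servletname";   // decoded by the container
    static final String PATH_INFO = "/foo?bar.html";     // decoded by the container
    static final String REQUEST_URI = "/servletname/foo%3Fbar.html"; // raw, still encoded
    static final String QUERY_STRING = null;             // the request had no query string

    static String origin() {
        return SCHEME + "://" + HOST + ":" + PORT;
    }

    // Behaviour described in the report: concatenate the decoded parts.
    static String fromDecodedParts() {
        return withQuery(origin() + CONTEXT_PATH + SERVLET_PATH + PATH_INFO);
    }

    // Behaviour described in the fix comment: reuse the undecoded request URI.
    static String fromRequestUri() {
        return withQuery(origin() + REQUEST_URI);
    }

    static String withQuery(String url) {
        return QUERY_STRING == null ? url : url + "?" + QUERY_STRING;
    }

    public static void main(String[] args) {
        // Re-parse both candidates the way a client would, to show where the
        // path ends and whether a query string has appeared.
        for (String url : new String[] { fromDecodedParts(), fromRequestUri() }) {
            URI parsed = URI.create(url);
            System.out.println(url);
            System.out.println("  raw path = " + parsed.getRawPath()
                    + ", query = " + parsed.getRawQuery());
        }
    }
}
```

        In the first URL the decoded "?" ends the path early and the rest is parsed as a query string, so the redirect points at a different resource than the one originally requested; the second keeps "%3F" inside the path.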


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Kai Moritz
          • Votes:
            0
            Watchers:
            0
