Spring Security
SEC-1302

LoginUrlAuthenticationEntryPoint does not use RedirectStrategy

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.0.RC2
    • Component/s: Web
    • Labels:
      None
    • Environment:
      SS3RC2

      Description

      RC2 does not seem to make use of the RedirectStrategy in buildRedirectUrlToLoginPage or buildHttpsRedirectUrlForRequest.

      SEC-1153 has a comment by Luke Taylor noting configuration limitations for this class and the redirect strategy, though it's not clear (to me) exactly what it means, given that redirects in LoginUrlAuthenticationEntryPoint are not done via the strategy.

      "Note that there are configuration limitations on the use of the redirect strategy for the standard LoginUrlAuthenticationEntryPoint (formerly AuthenticationProcessingFilterEntryPoint). For example, if it is attempting to redirect to an HTTPS URL, and a context-relative redirect strategy is used, then you will lose the HTTPS part. If necessary the entry point code should be overridden or a custom strategy should be written to make sure you end up with URLs that make sense to your clients and which work the way you want."

      SEC-1226 superseded SEC-1153, but doesn't seem to handle the issue. Luke's comment noted above appears to have been made at the time SEC-1226 was closed.

      Particularly the comment "custom strategy should be written" seems to indicate that LoginUrlAuthenticationEntryPoint should be using the RedirectStrategy.

      This ticket is the result of me trying to get context relative redirect URLs when launching the authentication entry point. Currently it seems I'd have to subclass.
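
The limitation quoted in the description, as an added illustration that is not part of the ticket and is not Spring Security's code: a plain-Java model of a context-relative redirect computation dropping the `https` scheme, next to a variant that keeps absolute URLs whose scheme differs from the current request. The class, method names, host and paths are hypothetical and constructed for the example.

```java
// Added illustration in plain Java (no Spring dependency); all names and URLs are constructed.
public class RedirectSchemeDemo {

    // Models a context-relative redirect computation: scheme, host and
    // context path are removed, so the client resolves the Location
    // against the scheme of the request it just made.
    static String contextRelative(String contextPath, String url) {
        int schemeEnd = url.indexOf("://");
        if (schemeEnd < 0) {
            return url; // already relative, nothing to strip
        }
        int pathStart = url.indexOf('/', schemeEnd + 3);
        String path = pathStart < 0 ? "/" : url.substring(pathStart);
        boolean inContext = path.equals(contextPath) || path.startsWith(contextPath + "/");
        return inContext ? path.substring(contextPath.length()) : path;
    }

    // Hypothetical custom strategy: keep the absolute URL whenever the target
    // scheme differs from the current request (for example an http request
    // being sent to an https login page); otherwise stay context-relative.
    static String schemePreserving(String requestScheme, String contextPath, String url) {
        int schemeEnd = url.indexOf("://");
        boolean switchesScheme = schemeEnd > 0
                && !url.substring(0, schemeEnd).equalsIgnoreCase(requestScheme);
        return switchesScheme ? url : contextRelative(contextPath, url);
    }

    public static void main(String[] args) {
        String ctx = "/app";
        String httpsLogin = "https://shop.example.com:8443/app/login.jsp";
        String httpLogin = "http://shop.example.com/app/login.jsp";

        // Unauthenticated request arrives over http; login page must be https.
        System.out.println("context-relative : " + contextRelative(ctx, httpsLogin));
        System.out.println("scheme-preserving: " + schemePreserving("http", ctx, httpsLogin));

        // Same scheme on both sides: both approaches give a relative Location.
        System.out.println("same scheme      : " + schemePreserving("http", ctx, httpLogin));

        // The check a deployment needs: an https target must never lose its scheme.
        String sent = schemePreserving("http", ctx, httpsLogin);
        if (!sent.startsWith("https://")) {
            throw new IllegalStateException("login redirect lost https: " + sent);
        }
    }
}
```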

        Activity

        Paul Tomlin added a comment -

        Clearly I'm blind, LoginUrlAuthenticationEntryPoint is using the strategy...

        Shai Yallin added a comment -

        Maybe I am blind, but I don't see where the strategy is being used. I'm watching r3924, where there's no mention of a RedirectionStrategy.... reopen?

        Shai Yallin added a comment -

        My bad - there IS a strategy there (was looking at the wrong revision after all) but there's no setter for it!

        Luke Taylor added a comment -

        LoginUrlAuthenticationEntryPoint is itself a strategy. The comment I made which is quoted refers to that class. The fact that it uses the DefaultRedirectStrategy internally is an implementation detail.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Paul Tomlin