Spring Security
  1. Spring Security
  2. SEC-1328

RedirectUtils/DefaultRedirectStrategy contextRelative redirect doesn't account for url like http://context.xyz.com/context

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.5, 3.0.0.RC2
    • Fix Version/s: 3.0.0
    • Component/s: Web
    • Labels:
      None

      Description

      Unfortunately in our production URL the hostname starts with same string as the context so the code that searches for the context in order to strip off everything before it finds the first occurance and leaves a chunk of URL (since the slash from the protocol helps match the slash in the context).

      The current code does this:
      int len = request.getContextPath().length();
      int index = url.indexOf(request.getContextPath()) + len;
      finalUrl = url.substring(index);

      I fixed it by doing:
      url = url.replaceFirst(".*://", ""); // strip off protocol
      int len = request.getContextPath().length();
      int index = url.indexOf(request.getContextPath()) + len;
      finalUrl = url.substring(index);

      Since I am using spring-security-2.0.5 the only way I can fix is by copying the class and modifying it in my project to override the one in the jar. I suppose in Spring 3.0 I will be able to create my own RedirectStrategy. I know this probably will only ever impact me but I hope it is worth fixing.

      Thanks.

        Activity

        Hide
        Luke Taylor added a comment -

        Thanks for the report. Seems like a common enough situation that it is worth fixing.

        Show
        Luke Taylor added a comment - Thanks for the report. Seems like a common enough situation that it is worth fixing.
        Hide
        Luke Taylor added a comment -

        Should be fixed in trunk. I've basically followed your suggestion of stripping off the protocol up to "://"

        Show
        Luke Taylor added a comment - Should be fixed in trunk. I've basically followed your suggestion of stripping off the protocol up to "://"

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Hal Deadman
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: