Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.2
    • Component/s: Web
    • Labels:
      None
    • Environment:
      https protocol

      Description

      We are using the https protocol in our production environments with multiple clients.

      Using something like this:
      <form-login login-page="/Login.html"
      authentication-failure-url="https://www.ourapp.com/FailureLogin.jsp"
      always-use-default-target="false"
      default-target-url="https://www.ourapp.com/SuccessLogin.jsp"/>

      works, whereas using:
      <form-login login-page="/Login.html"
      authentication-failure-url="/FailureLogin.jsp"
      always-use-default-target="false"
      default-target-url="/SuccessLogin.jsp"/>

      does not work.
      Debugging and checking logs revealed that a call was made to http://www.ourapp.com/SuccessLogin.jsp
      which does not exist.

      Since our app is used in multiple environments, it is desirable to mention URLs in this manner.

      Is there a workaround for this in code/config for Spring Security 3.0.0 RC1?
      This is not a duplicate of SEC-297 since that's related to documentation.

        Activity

        Luke Taylor added a comment -

        If you use a relative URL then the full redirect location is built by the servlet container, so I don't think this is a Spring Security bug.

        Please don't raise issues against out-of-date releases. Check with the latest release first.

        salvin francis added a comment -

        Hi Luke,

        I am sorry for raising an issue against an out-of-date release.
        Actually, I did refer to the release notes:
        http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&version=10987
        http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&version=11380
        http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&version=11381

        I didn't find any references to default-target-url or https (or maybe I missed it).

        Personally, I will not be able to verify this against 3.0.1 since I do not have access to the
        production environment in my company.

        As I mentioned in the bug description, I would be glad to know of any workarounds for this issue, and if 3.0.1 does not have this issue then I can pursue my company to switch to it.

        I honestly do feel it's a bug related to Spring Security though.

        Luke Taylor added a comment - edited

        There isn't any evidence that it is a bug. As I explained, the container is responsible for building the redirect URL. You can verify that this works by setting a default-target-url in the tutorial sample and running it (using mvn jetty:run from the codebase). If you then access it using https you are redirected to https.

        salvin francis added a comment -

        I escalated this issue to higher authorities and here is the response I got:

        "Our application runs on Apache; Apache is the https handler. Our app is not running on https;
        our app is running on http behind the firewall, and Apache routes the request to our app."

        This makes sense: since our app runs on http (internally), Spring Security sends it to an http URL while we access it over https.

        In that case, I admit it's not a Spring bug and suggest a closure for this.

        However, I am still left with an open issue with no solution at hand. Any pointers on this?
        I would consider a response over a thread rather than starting a discussion in JIRA.

        Thread to continue discussion:
        http://forum.springsource.org/showthread.php?p=283126#post283126

        Mike Yin added a comment -

        As a note, I would consider this a feature request instead of a bug. Lots of companies have load balancers or firewalls that handle https. Would it be possible to construct site-root-relative URLs or just allow absolute URLs as an argument?

        salvin francis added a comment -

        Too late, the bug is closed.
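
Added example, not part of the original thread and not Spring Security's or any container's own code: a small Java model of the behaviour discussed above, where a relative redirect target is resolved against the scheme the container saw on the incoming request. The class and method names are constructed for illustration; the host and paths are those from the report.

```java
import java.net.URI;

// Illustrative model only: how a relative redirect target becomes an
// absolute Location, and a check for an https-to-http downgrade.
public class RedirectSchemeDemo {

    // Resolve the target against the request URL as the container received it.
    static String absoluteLocation(String scheme, String host, int port, String target) {
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        String base = scheme + "://" + host + (defaultPort ? "" : ":" + port) + "/";
        // URI.resolve returns an absolute target unchanged.
        return URI.create(base).resolve(target).toString();
    }

    // True when the browser used https but the redirect points at plain http,
    // which is the symptom the reporter found in the logs.
    static boolean isSchemeDowngrade(String clientScheme, String location) {
        String locationScheme = URI.create(location).getScheme();
        return "https".equalsIgnoreCase(clientScheme)
                && "http".equalsIgnoreCase(locationScheme);
    }

    static void show(String label, String clientScheme, String location) {
        System.out.println(label + ": " + location
                + " downgrade=" + isSchemeDowngrade(clientScheme, location));
    }

    public static void main(String[] args) {
        String host = "www.ourapp.com";
        String relative = "/SuccessLogin.jsp";
        String absolute = "https://www.ourapp.com/SuccessLogin.jsp";

        // Container terminates TLS itself: it sees https and keeps https.
        show("direct https", "https", absoluteLocation("https", host, 443, relative));

        // Apache terminates TLS and forwards plain http: the container sees
        // http, so the relative target resolves to an http URL.
        show("behind proxy, relative", "https", absoluteLocation("http", host, 80, relative));

        // Same proxy setup, absolute target from the working configuration.
        show("behind proxy, absolute", "https", absoluteLocation("http", host, 80, absolute));
    }
}
```

Only the second case reports a downgrade, which matches the reporter's log entry for http://www.ourapp.com/SuccessLogin.jsp.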


          People

          • Assignee:
            Luke Taylor
            Reporter:
            salvin francis
          • Votes:
            0
            Watchers:
            2

            Dates

            • Created:
              Updated:
              Resolved: