Spring Security - SEC-1588

AbstractRetryEntryPoint doesn't encode redirect urls

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.1.0.M2
    • Component/s: None
    • Labels: None
    • Environment: RHEL5, Tomcat 6, JDK 1.6

      Description

      We are using Security for a web project. When the user is in a protected area, HTTPS is used for all calls. When the user navigates to a site which is in an unprotected area, he'll be redirected from HTTPS to HTTP (the user requests https://unprotected.area and is redirected to http://unprotected.area by Spring Security). The AbstractRetryEntryPoint handling this redirect in its commence() method doesn't encode the URL. Possible special characters in the redirect URL therefore aren't escaped. This causes redirections to non-existing pages when the URL contains special characters like German umlauts, since the user's browser doesn't understand those special chars.

      Please encode the URL with the URLEncoder before sending a redirect. Thanks

      Felix Becker
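An added illustration of the failure described in the report (not Spring Security's code and not the reporter's patch): a redirect target assembled from the raw request path and query string, beside one built with java.net.URI, whose multi-argument constructor percent-encodes characters that are illegal in a URL and whose toASCIIString() encodes the remaining non-ASCII ones. The host, path and query values are constructed samples and the helper names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RetryRedirectEncoding {

    // Naive construction in the style the report describes: raw path and query
    // string concatenated into the Location value, with no encoding at all.
    static String naiveRedirect(String scheme, String host, int port, String path, String query) {
        StringBuilder sb = new StringBuilder(scheme).append("://").append(host);
        if (port != -1) {
            sb.append(':').append(port);
        }
        sb.append(path);
        if (query != null) {
            sb.append('?').append(query);
        }
        return sb.toString();
    }

    // Same inputs built through java.net.URI: the seven-argument constructor quotes
    // characters that are illegal in a URL (such as spaces) while keeping '/', '?'
    // and '=' structural; toASCIIString() then percent-encodes non-ASCII characters
    // (umlauts etc.) as UTF-8, which is what a browser expects in a Location header.
    static String encodedRedirect(String scheme, String host, int port, String path, String query)
            throws URISyntaxException {
        return new URI(scheme, null, host, port, path, query, null).toASCIIString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample: an unprotected page whose path and query contain
        // umlauts and a space, the case the report says breaks the redirect.
        String path = "/öffentlich/über uns.html";
        String query = "q=grüße";
        System.out.println("raw:     " + naiveRedirect("http", "unprotected.area", -1, path, query));
        System.out.println("encoded: " + encodedRedirect("http", "unprotected.area", -1, path, query));
    }
}
```

Running it prints the raw target with the umlauts and the space intact, and the URI-built target with each of them percent-encoded while the slashes and the query separator are untouched. Note that applying URLEncoder to the whole assembled string would not give this result, since URLEncoder implements form encoding and turns '/' into %2F and spaces into '+'; encode per component or build the URL through java.net.URI as shown.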

      1. AbstractRetryEntryPoint.java
        3 kB
        Felix Becker
      2. RetryWithHttpEntryPointTests.java
        6 kB
        Felix Becker
      3. RetryWithHttpsEntryPointTests.java
        6 kB
        Felix Becker

        Activity

        Felix Becker added a comment -

        http://git.springsource.org/spring-security/spring-security/blobs/2.0.x/core/src/main/java/org/springframework/security/securechannel/AbstractRetryEntryPoint.java line 70 is the affected line. The encodeRedirectURL is only for encoding a session id.
        Felix Becker added a comment -

        Patched source files resolving this issue. Patched 2 unit tests (they didn't provide all needed information in their HttpServletRequestMock) and they didn't check the redirect case for URLs with encoded special chars (added a case for spaces (%20)).

        Commence method of AbstractRetryEntryPoint cleaned up and fixed.
        Felix Becker added a comment -

        These files compile with a 1.4 source level. If it's a requirement that this version of Spring Security runs on a JDK 1.4, you have to remove the StringBuilder in the AbstractRetryEntryPoint and replace it with a StringBuffer.
        Felix Becker added a comment -

        http://github.com/fbe/Spring-Security/tree/2.0.4-fix public git with fixed 2.0.4, fully compatible with Java 1.4.
        Luke Taylor added a comment -

        This is essentially a duplicate of SEC-1500, so is already fixed in the 3+ codebase.
        Felix Becker added a comment -

        So there won't be an official Fix for the 2.X Codebase? Are no more releases for the 2.X Codebase planned?
        Luke Taylor added a comment -

        No. Version 3 has been out for almost 2 years now. Releases only continue until the next major release is out. Check the Maintenance Policy for more information: http://www.springsource.com/products/enterprise/maintenancepolicy/faq

          People

          • Assignee: Luke Taylor
          • Reporter: Felix Becker
          • Votes: 0
          • Watchers: 0
