Affects Version/s: 3.0.4, 2.0.6, 3.1.0.M2
When the FilterChain is not completed within FilterChainProxy, FirewalledRequest.reset() is not called. This can cause the wrong pathInfo and servletPath to be exposed when a forward or include is performed within the FilterChainProxy's filters and using DefaultHttpFirewall. The reason is because the pathInfo and the servletPath are still cached from the original request and reset was never called.
The following configuration will demonstrate the issue. When an invalid username/password is submitted, the request is forwarded to /login.jsp?login_error=1. However, when the JspServlet attempts to process the URL it sees the HttpServeltRequest.servletPath as RequestWrapper.strippedServletPath (/j_spring_security_check) instead of the new servletPath /login.jsp.
<intercept-url pattern="/admin/secure.jsp" access="ROLE_ADMIN"/>
<form-login login-page="/login.jsp" authentication-failure-handler-ref="afh"/>
<b:bean id="afh" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
<user name="un" password="pwd" authorities="ROLE_ADMIN"/>
I have not yet validated this occurs in 3.1.0.M2 but marked it as impacted to ensure it at least gets looked at.