Spring Security: SEC-1674

absolute paths should be allowed for security:form-login and security:logout attributes.

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.1.0.RC2
    • Component/s: Web
    • Labels:
      None

      Description

      absolute paths should be allowed for security:form-login and security:logout attributes.

      For instance, login-page doesn't work with an absolute path. But if LoginUrlAuthenticationEntryPoint.buildRedirectUrlToLoginPage's first lines were changed to:

      import java.net.URI;

      protected String buildRedirectUrlToLoginPage(final HttpServletRequest request,
                                                    final HttpServletResponse response,
                                                    final AuthenticationException authException) {
          String loginForm = determineUrlToUseForThisRequest(request, response, authException);

          // Allow support for absolute URIs: hand the configured URL back unchanged
          if (URI.create(loginForm).isAbsolute()) {
              return loginForm;
          }

          // continue on with existing logic
      }

      Then comes the inevitable question of why would you want to do this. Consider that someone is using spring-mvc to build an API on domain api.test.com, but a set of non-java, front-end user pages on ui.test.com.

      So, api.test.com performs all database/backend logic. In this circumstance, if someone were to go to api.test.com directly in their browser, I would possibly want to redirect them to ui.test.com to login (where ui.test.com has a form with method=http://api.test.com's/login.do or equivalent).

      So in this case, I need to specify:
      <security:form-login login-page=http://ui.test.com/login>,
      which won't work unless the above patch (or something similar) is implemented.
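As an added example (not Spring Security's code and not the reporter's patch), the following stand-alone Java program models the decision the entry point makes when it builds the redirect to the configured login-page. The request values (api.test.com, context path /api) and the http/https allow-list are assumptions made for the demonstration. The relative branch mirrors the behaviour described above, prefixing the configured path with the current request's scheme, host, port and context path; the absolute branch adds the check a reviewer would want on top of URI.isAbsolute(), namely that the scheme is http or https and a host is present, because isAbsolute() is equally true for javascript: or mailto: values.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Spring Security's own code: a stand-alone model of the
 * redirect decision for the configured login-page value. Request values in
 * main() are constructed for the demonstration.
 */
public final class LoginRedirectDemo {

    /** Assumption: only web schemes may be used as a redirect target. */
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * @param loginFormUrl the configured login-page value (configuration, never request input)
     * @param scheme       scheme of the current request ("http" or "https")
     * @param serverName   server name of the current request
     * @param serverPort   port of the current request
     * @param contextPath  servlet context path ("" for the root context)
     */
    static String buildRedirectUrlToLoginPage(String loginFormUrl, String scheme,
                                              String serverName, int serverPort,
                                              String contextPath) {
        // URI.create throws IllegalArgumentException for characters that are
        // illegal in a URI (a space, for instance); treat that as misconfiguration.
        URI loginForm = URI.create(loginFormUrl);

        if (loginForm.isAbsolute()) {
            // isAbsolute() is true for ANY scheme, including "javascript:" and
            // "mailto:", so restrict it to http(s) with a host before trusting it.
            String s = loginForm.getScheme().toLowerCase(Locale.ROOT);
            if (!ALLOWED_SCHEMES.contains(s) || loginForm.getHost() == null) {
                throw new IllegalArgumentException(
                        "absolute login-page must be an http(s) URL with a host: " + loginFormUrl);
            }
            return loginFormUrl;
        }

        // A forgotten scheme ("ui.test.com/login") is not absolute; catch it
        // here instead of silently gluing it onto the current host.
        if (!loginFormUrl.startsWith("/")) {
            throw new IllegalArgumentException(
                    "relative login-page must start with '/': " + loginFormUrl);
        }

        // Relative path: rebuild an absolute URL on the *current* host, the way
        // the entry point does for a plain value such as "/login.jsp".
        boolean defaultPort = ("http".equals(scheme) && serverPort == 80)
                || ("https".equals(scheme) && serverPort == 443);
        StringBuilder sb = new StringBuilder();
        sb.append(scheme).append("://").append(serverName);
        if (!defaultPort) {
            sb.append(':').append(serverPort);
        }
        sb.append(contextPath).append(loginFormUrl);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed request values: the API host from the description, context path "/api".
        String host = "api.test.com";
        String ctx = "/api";

        // Plain path: the redirect stays on the API host.
        System.out.println(buildRedirectUrlToLoginPage("/login.jsp", "https", host, 443, ctx));

        // Absolute http(s) URL: returned untouched, so the browser goes to the UI host.
        System.out.println(buildRedirectUrlToLoginPage("http://ui.test.com/login", "https", host, 443, ctx));

        // Absolute according to java.net.URI, but not a web URL: rejected.
        try {
            buildRedirectUrlToLoginPage("javascript:alert(1)", "https", host, 443, ctx);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Scheme left off: neither absolute nor a valid relative path, so it is rejected too.
        try {
            buildRedirectUrlToLoginPage("ui.test.com/login", "http", host, 8080, ctx);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run; main prints the resulting redirect target for each configured value. Two caveats worth keeping in mind with the patch proposed above: the login-page value is deployment configuration rather than request input, so an absolute value does not by itself create an open redirect, but the same isAbsolute() test must not be relied on for anything that originates in the request; and URI.create throws IllegalArgumentException on characters that are illegal in a URI, a failure mode the plain string concatenation of the relative branch never had.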

        Activity

        Luke Taylor added a comment -

        Looks like a duplicate. Support for absolute URLs was added in SEC-1498.

        Seth Call added a comment -

        Thanks Luke for the update and the actual fix, and sorry for missing the duplicate.


          People

          • Assignee: Luke Taylor
          • Reporter: Seth Call
          • Votes: 0
          • Watchers: 2
