Spring Security / SEC-1980

Misleading warning about incorrect redirect URL

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.2
    • Component/s: Namespace
    • Labels:
      None

      Description

      We've started using SpEL expressions to avoid duplicating URL patterns between security.xml and our MVC controller mappings.

      E.g.

      <form-login 
          login-page="#{T(com.acme.Sitemap).LOGIN}" 
          authentication-failure-url="#{T(com.acme.Sitemap).AUTH_ERROR}"/>
      

      Now we keep seeing spurious warnings like

      FailFastProblemReporter - Configuration problem: #{ T(com.acme.Sitemap).AUTH_ERROR} is not a valid redirect URL (must start with '/' or http(s))
      

      This appears to be caused by WebConfigUtils.validateHttpRedirect() which checks for a '$' placeholder character but not for a '#' SpEL character.
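
A stand-alone model of the check described in the report, added here as an example (it is not Spring Security's source and not the fix that was pushed): `warnsBefore` exempts only `$` placeholders, `warnsAfter` also exempts `#` SpEL expressions. The class name, method names and sample values are assumptions; the validity rule is taken from the warning text.

```java
import java.util.regex.Pattern;

// Added illustration, not Spring Security code. All names are hypothetical.
public class RedirectCheckDemo {

    // Rule as stated in the warning text: starts with '/' or is an http(s) URL.
    private static final Pattern ABSOLUTE = Pattern.compile("(?i)^https?://.+");

    static boolean isValidRedirectUrl(String url) {
        return url.startsWith("/") || ABSOLUTE.matcher(url).matches();
    }

    // Behaviour described in the report: only a leading '$' (property
    // placeholder) exempts the value, so "#{...}" produces a warning.
    static boolean warnsBefore(String url) {
        if (url == null || url.trim().isEmpty()) {
            return false; // assumption: an unset attribute is not checked
        }
        return !(isValidRedirectUrl(url) || url.startsWith("$"));
    }

    // Corrected behaviour: a leading '#' (SpEL) is exempt as well. Both kinds
    // of expression are resolved after parsing, so the literal text seen at
    // parse time says nothing about the URL that will be used.
    static boolean warnsAfter(String url) {
        if (url == null || url.trim().isEmpty()) {
            return false; // same assumption as above
        }
        return !(isValidRedirectUrl(url) || url.startsWith("$") || url.startsWith("#"));
    }

    public static void main(String[] args) {
        // Constructed sample values; the SpEL strings are the ones on this page.
        String[] samples = {
            "/login",
            "https://example.com/login",
            "${login.url}",
            "#{T(com.acme.Sitemap).LOGIN}",
            "#{ T(com.acme.Sitemap).AUTH_ERROR}",
            "login.jsp"
        };
        for (String s : samples) {
            System.out.printf("%-38s before=%-5b after=%b%n", s, warnsBefore(s), warnsAfter(s));
        }
    }
}
```

In both versions a value that begins with `$` or `#` is skipped entirely, so the URL the expression eventually resolves to is never validated by this parse-time check.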

        Activity

        Rob Winch added a comment -

        Thank you for reporting this issue. I have pushed a fix to master.


          People

          • Assignee:
            Rob Winch
            Reporter:
            Harald Wellmann
          • Votes:
            0
            Watchers:
            2

              Time Tracking

              Estimated: 1h
              Remaining: 10m
              Logged: 50m