Redirect using a relative URL #7273
Comments
I was going to open an issue "HttpSecurity.formLogin() ignores server.tomcat.use-relative-redirects=true" but that might be a duplicate of this issue. I don't understand enough of Spring internals to be sure. Are they the same? Is there a way for an application to force the login redirection to use relative URLs, even if the framework doesn't do it automatically or if it doesn't work in all cases? Impact:
When I posted my earlier comment, I was completely lost. The proposed fix for this issue put me on a path to understanding the control flow. I think the absolute URL is created in LoginUrlAuthenticationEntryPoint.buildRedirectUrlToLoginPage(), which goes out of its way to convert a relative URL to an absolute one, conforming to the obsolete RFC. I was able to work around this problem in my application by creating a subclass of
This ignores any port mapper configuration, so it won't work for everyone.
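An added example, not the commenter's code and not part of Spring Security: one way to write such a subclass so that the login redirect stays relative while the parent's port-mapper logic is still used for an http to https upgrade. The class name `RelativeLoginUrlEntryPoint` is hypothetical, the `jakarta.servlet` imports assume Spring Security 6 (5.x uses `javax.servlet`), and the servlet container is assumed to leave relative `Location` values untouched, as with the `server.tomcat.use-relative-redirects=true` setting mentioned above.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.UrlUtils;

/** Hypothetical entry point that keeps the login redirect relative. */
public class RelativeLoginUrlEntryPoint extends LoginUrlAuthenticationEntryPoint {

    public RelativeLoginUrlEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    protected String buildRedirectUrlToLoginPage(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException authException) {
        String loginForm = determineUrlToUseForThisRequest(request, response, authException);

        // A login URL configured as absolute is passed through unchanged.
        if (UrlUtils.isAbsoluteUrl(loginForm)) {
            return loginForm;
        }

        // Upgrading http to https changes scheme and port, which a relative
        // URL cannot express. Fall back to the parent so that the configured
        // port mapper still decides the target port.
        if (isForceHttps() && "http".equals(request.getScheme())) {
            return super.buildRedirectUrlToLoginPage(request, response, authException);
        }

        // Otherwise hand the path (for example "/login") to the redirect
        // strategy as is, so no scheme, host or port is derived from the request.
        return loginForm;
    }
}
```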
This places the new functionality behind a setting so that we can remain passive until we can change the setting in the next major release. Issue spring-projectsgh-7273
This places the new functionality behind a setting so that we can remain passive until we can change the setting in the next major release. Issue gh-7273
Note that I removed the |
Spring Security originally redirected on authentication success with an absolute URL, conforming to https://www.rfc-editor.org/rfc/rfc2616#section-14.30. More broadly, any redirects to within the application should use a relative URL.
However, this RFC is now obsolete. To that end, the reactive stack redirects using a relative URL. It would be good to bring the servlet code into alignment.