
Redirect using a relative URL #7273

Closed
Tracked by #12971
jzheaux opened this issue Aug 17, 2019 · 3 comments · Fixed by #14714
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Comments

@jzheaux
Contributor

jzheaux commented Aug 17, 2019

Spring Security originally redirected on authentication success with an absolute URL, conforming to https://www.rfc-editor.org/rfc/rfc2616#section-14.30. More broadly, any redirects to within the application should use relative URLs.

However, this RFC is now obsolete. To that end, the reactive stack redirects using a relative URL. It would be good to bring the servlet code into alignment.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Aug 17, 2019
@jzheaux jzheaux added this to the 5.2.0.RC1 milestone Aug 17, 2019
@jzheaux jzheaux self-assigned this Aug 17, 2019
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 5, 2019
@jzheaux jzheaux modified the milestones: 5.2.0.RC1, 5.2.0 Sep 5, 2019
@jzheaux jzheaux modified the milestones: 5.2.0, 5.3.x Sep 29, 2019
@jzheaux jzheaux removed their assignment Apr 17, 2020
@rwinch rwinch modified the milestones: 5.3.x, 6.x Apr 13, 2021
@rwinch rwinch changed the title Authentication success should redirect using a relative URL Redirect using a relative URL Apr 13, 2021
@rwinch rwinch added the type: breaks-passivity A change that breaks passivity with the previous release label Jun 13, 2022
@davidcostanzo

I was going to open an issue "HttpSecurity.formLogin() ignores server.tomcat.use-relative-redirects=true" but that might be a duplicate of this issue. I don't understand enough of Spring internals to be sure. Are they the same?

Is there a way for an application to force the login redirection to use relative URLs, even if the framework doesn't do it automatically or if it doesn't work in all cases?

Impact:
My application has a problem where HttpSecurity.formLogin() ignores the server.tomcat.use-relative-redirects=true property. My application sometimes sits behind a reverse proxy that acts as a TLS endpoint. In this scenario when people use my application through the proxy with HTTPS, all of my application's redirects are relative and thus continue to use HTTPS except for the login page. The impact is that people end up transmitting their credentials unencrypted even though they thought they were using HTTPS.

@davidcostanzo

When I posted my earlier comment, I was completely lost. The proposed fix for this issue put me on a path to understanding the control flow. I think the absolute URL is created in LoginUrlAuthenticationEntryPoint.buildRedirectUrlToLoginPage(), which goes out of its way to convert a relative URL to an absolute one, conforming to the obsolete RFC.

I was able to work around this problem in my application by creating a subclass of LoginUrlAuthenticationEntryPoint that overrides buildRedirectUrlToLoginPage to return the URL that determineUrlToUseForThisRequest returns, which is a relative URL in my case. In my application's SecurityFilterChain bean, it additionally configures the HttpSecurity with

   http.exceptionHandling(exceptionHandling -> {
       exceptionHandling.authenticationEntryPoint(new MyLoginUrlAuthenticationEntryPoint("/login"));
   });

This ignores any port mapper configuration, so it won't work for everyone.
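The workaround described in the comment above, written out as an added example (this is not davidcostanzo's code and not part of Spring Security itself). It assumes Spring Security 6 on a Jakarta servlet container, a login page mounted at /login, and the class name MyLoginUrlAuthenticationEntryPoint used in the comment; the two classes are shown in one file for brevity and would live in separate files in a real project.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Entry point that redirects unauthenticated requests to the login page using
 * the login URL exactly as configured, instead of expanding it into an absolute
 * "scheme://host:port/context/login" URL.
 *
 * Because the relative path is handed to HttpServletResponse.sendRedirect()
 * unchanged, a container setting such as server.tomcat.use-relative-redirects=true
 * is honoured, and a browser that reached the app over HTTPS via a
 * TLS-terminating reverse proxy stays on HTTPS for the login page.
 */
public class MyLoginUrlAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {

    public MyLoginUrlAuthenticationEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    protected String buildRedirectUrlToLoginPage(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) {
        // determineUrlToUseForThisRequest() returns the configured login form URL
        // ("/login" here). Returning it directly skips the superclass's
        // RedirectUrlBuilder step, which is where the absolute URL is built.
        // Caveat (as noted in the comment above): this also skips the superclass's
        // forceHttps / port-mapper handling, so it only fits deployments where
        // the proxy or container is responsible for choosing the scheme.
        return determineUrlToUseForThisRequest(request, response, authException);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login"))
            // An explicitly configured entry point takes precedence over the one
            // formLogin() would otherwise register.
            .exceptionHandling(exceptionHandling -> exceptionHandling
                .authenticationEntryPoint(new MyLoginUrlAuthenticationEntryPoint("/login")));
        return http.build();
    }
}
```

To confirm the change took effect in a given deployment, request a protected path through the proxy without a session and inspect the Location header of the 302 response: it should read /login (or the context-relative path) rather than an http:// URL naming the backend host.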

@sjohnr sjohnr removed this from the 6.0.x milestone Nov 27, 2023
Pistolnik added a commit to Pistolnik/spring-security that referenced this issue Mar 10, 2024
Pistolnik added a commit to Pistolnik/spring-security that referenced this issue Mar 10, 2024
jzheaux added a commit to Pistolnik/spring-security that referenced this issue Dec 18, 2024
This places the new functionality behind a setting so that
we can remain passive until we can change the setting in
the next major release.

Issue spring-projectsgh-7273
jzheaux pushed a commit that referenced this issue Dec 18, 2024
jzheaux added a commit that referenced this issue Dec 18, 2024
@jzheaux jzheaux self-assigned this Dec 18, 2024
@jzheaux jzheaux removed the type: breaks-passivity A change that breaks passivity with the previous release label Dec 18, 2024
@jzheaux
Contributor Author

jzheaux commented Dec 18, 2024

Note that I removed the breaks-passivity label by putting this behind a setting, setFavorRedirectUris. This default will get switched in Spring Security 7.
