From 540c7b2e6a5026aad649ab359e3087bbda53b134 Mon Sep 17 00:00:00 2001
From: Ben Alex
Date: Wed, 26 Apr 2006 04:36:54 +0000
Subject: [PATCH] SEC-229: Allow external URLs from AbstractProcessingFilter.
---
 .../acegisecurity/ui/AbstractProcessingFilter.java | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java b/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java
index a367e5f73c..bff09198be 100644
--- a/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/AbstractProcessingFilter.java
@@ -350,6 +350,17 @@ public abstract class AbstractProcessingFilter implements Filter,
 return uri.endsWith(request.getContextPath() + filterProcessesUrl);
 }
+ protected void sendRedirect(HttpServletRequest request,
+ HttpServletResponse response, String failureUrl)
+ throws IOException {
+ if (!failureUrl.startsWith("http://")
+ && !failureUrl.startsWith("https://")) {
+ failureUrl = request.getContextPath() + failureUrl;
+ }
+ response.sendRedirect(response.encodeRedirectURL(failureUrl));
+ }
+
 public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl) {
 this.alwaysUseDefaultTargetUrl = alwaysUseDefaultTargetUrl;
 }
@@ -466,7 +477,6 @@ public abstract class AbstractProcessingFilter implements Filter,
 rememberMeServices.loginFail(request, response);
- response.sendRedirect(response.encodeRedirectURL(request.getContextPath()
- + failureUrl));
+ sendRedirect(request, response, failureUrl);
 }
 }
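Review bot: The new `sendRedirect` hands any value beginning with `http://` or `https://` to `response.sendRedirect` unchanged, so whether the redirect is safe now depends entirely on where the URL comes from, and the method carries no Javadoc saying so. The only caller visible here, in the second hunk, passes `failureUrl`, whose origin lies outside the hunk (the enclosing method starts above it); if that is always filter configuration the change is fine, but a subclass passing a request-derived value to this protected helper would create an open redirect. I would add a Javadoc along the lines of `/** Redirects to url; absolute http(s) URLs are sent as-is, so url must come from trusted configuration, never from request data. */` and rename the parameter to `url`, since the helper is not specific to failures. Two smaller behaviour changes are worth recording in that comment: a null `failureUrl` now throws a NullPointerException at `failureUrl.startsWith(...)` where the old code simply concatenated it, and the scheme test is case-sensitive, so a value such as `HTTP://...` is still treated as context-relative.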