From 178ca56aaf038615ea3c013f14f7849116126394 Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Thu, 26 Feb 2026 23:07:48 +0700
Subject: [PATCH 1/2] Fallback defaultTargetUrl if refererHeader is empty
Closes gh-18805
Signed-off-by: Tran Ngoc Nhan
---
 .../AbstractAuthenticationTargetUrlRequestHandler.java | 8 +++++---
 ...bstractAuthenticationTargetUrlRequestHandlerTests.java | 7 +++++++
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
index d66f47ecce..ac29baec94 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
@@ -112,9 +112,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
 trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);
 return targetUrlParameterValue;
 }
- if (this.useReferer) {
- trace("Using url %s from Referer header", request.getHeader("Referer"));
- return request.getHeader("Referer");
+
+ String refererHeader = request.getHeader("Referer");
+ if (this.useReferer && StringUtils.hasText(refererHeader)) {
+ trace("Using url %s from Referer header", refererHeader);
+ return refererHeader;
 }
 return this.defaultTargetUrl;
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
index ef420054d6..8e434bf5ae 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
@@ -114,4 +114,11 @@ public class AbstractAuthenticationTargetUrlRequestHandlerTests {
 assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));
 }
 
+ @Test
+ void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {
+ this.handler.setUseReferer(true);
+ this.request.addHeader("Referer", "");
+ assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);
+ }
+
 }
From 057e5181ea4f1b3ae31acd6cc0bfa78c91ab9699 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Wed, 25 Mar 2026 15:05:53 -0600
Subject: [PATCH 2/2] Adjust Formatting
Issue gh-18805
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../AbstractAuthenticationTargetUrlRequestHandler.java | 5 ++++-
 .../AbstractAuthenticationTargetUrlRequestHandlerTests.java | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
index ac29baec94..f91140dd75 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
@@ -114,7 +114,10 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
 }
 
 String refererHeader = request.getHeader("Referer");
- if (this.useReferer && StringUtils.hasText(refererHeader)) {
+ if (!StringUtils.hasText(refererHeader)) {
+ return this.defaultTargetUrl;
+ }
+ if (this.useReferer) {
 trace("Using url %s from Referer header", refererHeader);
 return refererHeader;
 }
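Review bot: The new test pins only the empty-string Referer, while the guard it exercises is `StringUtils.hasText`, which also rejects a whitespace-only value; that case is not covered. A sibling test using `this.request.addHeader("Referer", "   ");` with the same `isEqualTo(DEFAULT_TARGET_URL)` assertion would lock in the blank-value behaviour, so a later switch to `hasLength` could not silently reintroduce a redirect to a blank target. Whether the absent-header case is already covered elsewhere in this test class cannot be seen from this hunk.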
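Review bot: The new early return for a blank Referer is the only exit in this method without a trace line, so an operator debugging an unexpected landing on the default URL gets no log hint from this path, unlike the request-parameter and Referer branches; consider `trace("Referer header absent or blank; using default url %s", this.defaultTargetUrl);` before the `return this.defaultTargetUrl;`. A short comment on the guard would also record the intent, e.g. `// A missing or whitespace-only Referer must never become the redirect target`. Note that this guard now runs before `this.useReferer` is consulted, which is harmless here since the disabled case also ends in the default URL, but it reads as if the header is always trusted as input; the Referer stays client-controlled, so keeping `useReferer` off unless the redirect strategy validates the target is still the safer default, which this change does not alter. The rest of `determineTargetUrl`, including the final `return this.defaultTargetUrl;`, lies outside the hunk.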
diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
index 8e434bf5ae..8b744dd250 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
@@ -114,6 +114,7 @@ public class AbstractAuthenticationTargetUrlRequestHandlerTests {
 assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));
 }
 
+ // gh-18805
 @Test
 void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {
 this.handler.setUseReferer(true);