From 7be32872e97644344b9b12fcc500a153e3a9b044 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:57:17 -0500
Subject: [PATCH] Add DisableUrlRewritingFilter

Closes gh-11084
---
 .../annotation/web/HttpSecurityBuilder.java   |  2 +
 .../web/builders/FilterOrderRegistration.java |  2 +
 .../SessionManagementConfigurer.java          |  4 +
 .../config/http/HttpConfigurationBuilder.java | 24 ++++-
 .../security/config/http/SecurityFilters.java |  2 +
 .../security/config/spring-security-6.0.rnc   |  2 +-
 .../security/config/spring-security-6.0.xsd   |  1 +
 .../FilterOrderRegistrationTests.java         |  2 +-
 .../SessionManagementConfigurerTests.java     | 93 +++++++++++++++++++
 .../config/http/MiscHttpConfigTests.java      | 26 ++++++
 ...ewriting-NullSecurityContextRepository.xml | 32 +++++++
 .../servlet/configuration/xml-namespace.adoc  |  4 +
 .../web/session/DisableEncodeUrlFilter.java   | 86 +++++++++++++++++
 .../session/DisableEncodeUrlFilterTests.java  | 72 ++++++++++++++
 14 files changed, 345 insertions(+), 7 deletions(-)
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-DisableUrlRewriting-NullSecurityContextRepository.xml
 create mode 100644 web/src/main/java/org/springframework/security/web/session/DisableEncodeUrlFilter.java
 create mode 100644 web/src/test/java/org/springframework/security/web/session/DisableEncodeUrlFilterTests.java

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java b/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
index 28aa1f641e..998777d5c0 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
@@ -41,6 +41,7 @@ import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
+import org.springframework.security.web.session.DisableEncodeUrlFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
 
 /**
@@ -123,6 +124,7 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>>
 	 * The ordering of the Filters is:
 	 *
 	 * <ul>
+	 * <li>{@link DisableEncodeUrlFilter}</li>
 	 * <li>{@link ChannelProcessingFilter}</li>
 	 * <li>{@link SecurityContextPersistenceFilter}</li>
 	 * <li>{@link LogoutFilter}</li>
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java
index ce955df3e3..7576c4a55c 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java
@@ -46,6 +46,7 @@ import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
+import org.springframework.security.web.session.DisableEncodeUrlFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.web.filter.CorsFilter;
 
@@ -68,6 +69,7 @@ final class FilterOrderRegistration {
 
 	FilterOrderRegistration() {
 		Step order = new Step(INITIAL_ORDER, ORDER_STEP);
+		put(DisableEncodeUrlFilter.class, order.next());
 		put(ChannelProcessingFilter.class, order.next());
 		order.next(); // gh-8105
 		put(WebAsyncManagerIntegrationFilter.class, order.next());
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
index d9d69f7cea..d44b5e8d42 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -52,6 +52,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.NullRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
+import org.springframework.security.web.session.DisableEncodeUrlFilter;
 import org.springframework.security.web.session.InvalidSessionStrategy;
 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
 import org.springframework.security.web.session.SessionManagementFilter;
@@ -376,6 +377,9 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 			concurrentSessionFilter = postProcess(concurrentSessionFilter);
 			http.addFilter(concurrentSessionFilter);
 		}
+		if (!this.enableSessionUrlRewriting) {
+			http.addFilter(new DisableEncodeUrlFilter());
+		}
 	}
 
 	private ConcurrentSessionFilter createConcurrencyFilter(H http) {
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index fdd80b70d1..6b8b3ff36b 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -67,6 +67,7 @@ import org.springframework.security.web.savedrequest.NullRequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
+import org.springframework.security.web.session.DisableEncodeUrlFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
 import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;
@@ -178,6 +179,8 @@ class HttpConfigurationBuilder {
 
 	private BeanDefinition csrfFilter;
 
+	private BeanDefinition disableUrlRewriteFilter;
+
 	private BeanDefinition wellKnownChangePasswordRedirectFilter;
 
 	private BeanMetadataElement csrfLogoutHandler;
@@ -203,6 +206,7 @@ class HttpConfigurationBuilder {
 		String createSession = element.getAttribute(ATT_CREATE_SESSION);
 		this.sessionPolicy = !StringUtils.hasText(createSession) ? SessionCreationPolicy.IF_REQUIRED
 				: createPolicy(createSession);
+		createDisableEncodeUrlFilter();
 		createCsrfFilter();
 		createSecurityPersistence();
 		createSessionManagementFilters();
@@ -318,10 +322,6 @@ class HttpConfigurationBuilder {
 
 	private void createSecurityContextRepository() {
 		String repoRef = this.httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
-		String disableUrlRewriting = this.httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
-		if (!StringUtils.hasText(disableUrlRewriting)) {
-			disableUrlRewriting = "true";
-		}
 		if (!StringUtils.hasText(repoRef)) {
 			BeanDefinitionBuilder contextRepo;
 			if (this.sessionPolicy == SessionCreationPolicy.STATELESS) {
@@ -339,7 +339,7 @@ class HttpConfigurationBuilder {
 				default:
 					contextRepo.addPropertyValue("allowSessionCreation", Boolean.TRUE);
 				}
-				if ("true".equals(disableUrlRewriting)) {
+				if (isDisableUrlRewriting()) {
 					contextRepo.addPropertyValue("disableUrlRewriting", Boolean.TRUE);
 				}
 			}
@@ -351,6 +351,11 @@ class HttpConfigurationBuilder {
 		this.contextRepoRef = new RuntimeBeanReference(repoRef);
 	}
 
+	private boolean isDisableUrlRewriting() {
+		String disableUrlRewriting = this.httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
+		return !"false".equals(disableUrlRewriting);
+	}
+
 	private void createSecurityContextHolderFilter() {
 		BeanDefinitionBuilder filter = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextHolderFilter.class);
 		filter.addConstructorArgValue(this.contextRepoRef);
@@ -717,6 +722,12 @@ class HttpConfigurationBuilder {
 
 	}
 
+	private void createDisableEncodeUrlFilter() {
+		if (isDisableUrlRewriting()) {
+			this.disableUrlRewriteFilter = new RootBeanDefinition(DisableEncodeUrlFilter.class);
+		}
+	}
+
 	private void createCsrfFilter() {
 		Element elmt = DomUtils.getChildElementByTagName(this.httpElt, Elements.CSRF);
 		this.csrfParser = new CsrfBeanDefinitionParser();
@@ -756,6 +767,9 @@ class HttpConfigurationBuilder {
 
 	List<OrderDecorator> getFilters() {
 		List<OrderDecorator> filters = new ArrayList<>();
+		if (this.disableUrlRewriteFilter != null) {
+			filters.add(new OrderDecorator(this.disableUrlRewriteFilter, SecurityFilters.DISABLE_ENCODE_URL_FILTER));
+		}
 		if (this.cpf != null) {
 			filters.add(new OrderDecorator(this.cpf, SecurityFilters.CHANNEL_FILTER));
 		}
diff --git a/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java b/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
index fb79092c0a..f5ed228938 100644
--- a/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
+++ b/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
@@ -29,6 +29,8 @@ enum SecurityFilters {
 
 	FIRST(Integer.MIN_VALUE),
 
+	DISABLE_ENCODE_URL_FILTER,
+
 	CHANNEL_FILTER,
 
 	SECURITY_CONTEXT_FILTER,
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
index b54f8b7d43..04f5c204e5 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
@@ -1290,4 +1290,4 @@ position =
 	## The explicit position at which the custom-filter should be placed in the chain. Use if you are replacing a standard filter.
 	attribute position {named-security-filter}
 
-named-security-filter = "FIRST" | "CHANNEL_FILTER" | "SECURITY_CONTEXT_FILTER" | "CONCURRENT_SESSION_FILTER" | "WEB_ASYNC_MANAGER_FILTER" | "HEADERS_FILTER" | "CORS_FILTER" | "SAML2_LOGOUT_REQUEST_FILTER" | "SAML2_LOGOUT_RESPONSE_FILTER" | "CSRF_FILTER" | "SAML2_LOGOUT_FILTER" | "LOGOUT_FILTER" | "OAUTH2_AUTHORIZATION_REQUEST_FILTER" | "SAML2_AUTHENTICATION_REQUEST_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "OAUTH2_LOGIN_FILTER" | "SAML2_AUTHENTICATION_FILTER" | "FORM_LOGIN_FILTER" | "LOGIN_PAGE_FILTER" |"LOGOUT_PAGE_FILTER" | "DIGEST_AUTH_FILTER" | "BEARER_TOKEN_AUTH_FILTER" | "BASIC_AUTH_FILTER" | "REQUEST_CACHE_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "JAAS_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER" | "WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER" | "SESSION_MANAGEMENT_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
+named-security-filter = "FIRST" | "DISABLE_ENCODE_URL_FILTER" | "CHANNEL_FILTER" | "SECURITY_CONTEXT_FILTER" | "CONCURRENT_SESSION_FILTER" | "WEB_ASYNC_MANAGER_FILTER" | "HEADERS_FILTER" | "CORS_FILTER" | "SAML2_LOGOUT_REQUEST_FILTER" | "SAML2_LOGOUT_RESPONSE_FILTER" | "CSRF_FILTER" | "SAML2_LOGOUT_FILTER" | "LOGOUT_FILTER" | "OAUTH2_AUTHORIZATION_REQUEST_FILTER" | "SAML2_AUTHENTICATION_REQUEST_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "OAUTH2_LOGIN_FILTER" | "SAML2_AUTHENTICATION_FILTER" | "FORM_LOGIN_FILTER" | "LOGIN_PAGE_FILTER" |"LOGOUT_PAGE_FILTER" | "DIGEST_AUTH_FILTER" | "BEARER_TOKEN_AUTH_FILTER" | "BASIC_AUTH_FILTER" | "REQUEST_CACHE_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "JAAS_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER" | "WELL_KNOWN_CHANGE_PASSWORD_REDIRECT_FILTER" | "SESSION_MANAGEMENT_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST"
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
index 9c6937292f..52e8d75f63 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
@@ -3631,6 +3631,7 @@
   <xs:simpleType name="named-security-filter">
       <xs:restriction base="xs:token">
          <xs:enumeration value="FIRST"/>
+         <xs:enumeration value="DISABLE_ENCODE_URL_FILTER"/>
          <xs:enumeration value="CHANNEL_FILTER"/>
          <xs:enumeration value="SECURITY_CONTEXT_FILTER"/>
          <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistrationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistrationTests.java
index fa48a0074e..dd4cbd47f6 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistrationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistrationTests.java
@@ -52,7 +52,7 @@ public class FilterOrderRegistrationTests {
 
 	@Test
 	public void putWhenPredefinedFilterThenDoesNotOverride() {
-		int position = 100;
+		int position = 200;
 		Integer predefinedFilterOrderBefore = this.filterOrderRegistration.getOrder(ChannelProcessingFilter.class);
 		this.filterOrderRegistration.put(MyFilter.class, position);
 		Integer myFilterOrder = this.filterOrderRegistration.getOrder(MyFilter.class);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
index cd950d4258..0874cd0d02 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
@@ -37,6 +37,7 @@ import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
@@ -50,19 +51,26 @@ import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -294,6 +302,46 @@ public class SessionManagementConfigurerTests {
 		verifyNoInteractions(SessionRegistryTwoBeansConfig.SESSION_REGISTRY_TWO);
 	}
 
+	@Test
+	public void whenEnableSessionUrlRewritingTrueThenEncodeNotInvoked() throws Exception {
+		this.spring.register(EnableUrlRewriteConfig.class).autowire();
+		// @formatter:off
+		this.mvc = MockMvcBuilders.webAppContextSetup(this.spring.getContext())
+			.addFilters((request, response, chain) -> {
+				HttpServletResponse responseToSpy = spy((HttpServletResponse) response);
+				chain.doFilter(request, responseToSpy);
+				verify(responseToSpy, atLeastOnce()).encodeRedirectURL(any());
+				verify(responseToSpy, atLeastOnce()).encodeRedirectUrl(any());
+				verify(responseToSpy, atLeastOnce()).encodeURL(any());
+				verify(responseToSpy, atLeastOnce()).encodeUrl(any());
+			})
+			.apply(springSecurity())
+			.build();
+		// @formatter:on
+
+		this.mvc.perform(get("/")).andExpect(content().string("encoded"));
+	}
+
+	@Test
+	public void whenDefaultThenEncodeNotInvoked() throws Exception {
+		this.spring.register(DefaultUrlRewriteConfig.class).autowire();
+		// @formatter:off
+		this.mvc = MockMvcBuilders.webAppContextSetup(this.spring.getContext())
+			.addFilters((request, response, chain) -> {
+				HttpServletResponse responseToSpy = spy((HttpServletResponse) response);
+				chain.doFilter(request, responseToSpy);
+				verify(responseToSpy, never()).encodeRedirectURL(any());
+				verify(responseToSpy, never()).encodeRedirectUrl(any());
+				verify(responseToSpy, never()).encodeURL(any());
+				verify(responseToSpy, never()).encodeUrl(any());
+			})
+			.apply(springSecurity())
+			.build();
+		// @formatter:on
+
+		this.mvc.perform(get("/")).andExpect(content().string("encoded"));
+	}
+
 	@EnableWebSecurity
 	static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter {
 
@@ -568,4 +616,49 @@ public class SessionManagementConfigurerTests {
 
 	}
 
+	@EnableWebSecurity
+	static class DefaultUrlRewriteConfig {
+
+		@Bean
+		DefaultSecurityFilterChain configure(HttpSecurity http) throws Exception {
+			return http.build();
+		}
+
+		@Bean
+		EncodesUrls encodesUrls() {
+			return new EncodesUrls();
+		}
+
+	}
+
+	@EnableWebSecurity
+	static class EnableUrlRewriteConfig {
+
+		@Bean
+		DefaultSecurityFilterChain configure(HttpSecurity http) throws Exception {
+			http.sessionManagement((sessions) -> sessions.enableSessionUrlRewriting(true));
+			return http.build();
+		}
+
+		@Bean
+		EncodesUrls encodesUrls() {
+			return new EncodesUrls();
+		}
+
+	}
+
+	@RestController
+	static class EncodesUrls {
+
+		@RequestMapping("/")
+		String encoded(HttpServletResponse response) {
+			response.encodeURL("/foo");
+			response.encodeUrl("/foo");
+			response.encodeRedirectURL("/foo");
+			response.encodeRedirectUrl("/foo");
+			return "encoded";
+		}
+
+	}
+
 }
diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
index 6a5293fb9d..e1b327d6c8 100644
--- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
@@ -102,6 +102,7 @@ import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
+import org.springframework.security.web.session.DisableEncodeUrlFilter;
 import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
@@ -119,6 +120,8 @@ import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.willAnswer;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -538,6 +541,28 @@ public class MiscHttpConfigTests {
 		assertThat(response.getRedirectedUrl()).isEqualTo("http://localhost/login");
 	}
 
+	@Test
+	public void configureWhenUsingDisableUrlRewritingAndCustomRepositoryThenRedirectIsNotEncodedByResponse()
+			throws IOException, ServletException {
+		this.spring.configLocations(xml("DisableUrlRewriting-NullSecurityContextRepository")).autowire();
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletResponse responseToSpy = spy(new MockHttpServletResponse());
+		FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class);
+		proxy.doFilter(request, responseToSpy, (req, resp) -> {
+			HttpServletResponse httpResponse = (HttpServletResponse) resp;
+			httpResponse.encodeUrl("/");
+			httpResponse.encodeURL("/");
+			httpResponse.encodeRedirectUrl("/");
+			httpResponse.encodeRedirectURL("/");
+			httpResponse.getWriter().write("encodeRedirect");
+		});
+		verify(responseToSpy, never()).encodeRedirectURL(any());
+		verify(responseToSpy, never()).encodeRedirectUrl(any());
+		verify(responseToSpy, never()).encodeURL(any());
+		verify(responseToSpy, never()).encodeUrl(any());
+		assertThat(responseToSpy.getContentAsString()).isEqualTo("encodeRedirect");
+	}
+
 	@Test
 	public void configureWhenUserDetailsServiceInParentContextThenLocatesSuccessfully() {
 		assertThatExceptionOfType(BeansException.class).isThrownBy(
@@ -751,6 +776,7 @@ public class MiscHttpConfigTests {
 
 	private void assertThatFiltersMatchExpectedAutoConfigList(String url) {
 		Iterator<Filter> filters = getFilters(url).iterator();
+		assertThat(filters.next()).isInstanceOf(DisableEncodeUrlFilter.class);
 		assertThat(filters.next()).isInstanceOf(SecurityContextPersistenceFilter.class);
 		assertThat(filters.next()).isInstanceOf(WebAsyncManagerIntegrationFilter.class);
 		assertThat(filters.next()).isInstanceOf(HeaderWriterFilter.class);
diff --git a/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-DisableUrlRewriting-NullSecurityContextRepository.xml b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-DisableUrlRewriting-NullSecurityContextRepository.xml
new file mode 100644
index 0000000000..f3eae6a3a3
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-DisableUrlRewriting-NullSecurityContextRepository.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" disable-url-rewriting="true" security-context-repository-ref="securityContextRepository">
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+	<b:bean id="securityContextRepository" class="org.springframework.security.web.context.NullSecurityContextRepository"/>
+	<b:import resource="userservice.xml"/>
+</b:beans>
diff --git a/docs/modules/ROOT/pages/servlet/configuration/xml-namespace.adoc b/docs/modules/ROOT/pages/servlet/configuration/xml-namespace.adoc
index 7d8f6db55b..b901b567b5 100644
--- a/docs/modules/ROOT/pages/servlet/configuration/xml-namespace.adoc
+++ b/docs/modules/ROOT/pages/servlet/configuration/xml-namespace.adoc
@@ -270,6 +270,10 @@ The filters, aliases, and namespace elements and attributes that create the filt
 |===
 | Alias | Filter Class | Namespace Element or Attribute
 
+| DISABLE_ENCODE_URL_FILTER
+| `DisableEncodeUrlFilter`
+| `http@disable-url-rewriting`
+
 |  CHANNEL_FILTER
 | `ChannelProcessingFilter`
 | `http/intercept-url@requires-channel`
diff --git a/web/src/main/java/org/springframework/security/web/session/DisableEncodeUrlFilter.java b/web/src/main/java/org/springframework/security/web/session/DisableEncodeUrlFilter.java
new file mode 100644
index 0000000000..2b15fa0f07
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/session/DisableEncodeUrlFilter.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.session;
+
+import java.io.IOException;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponseWrapper;
+
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * Disables encoding URLs using the {@link HttpServletResponse} to prevent including the
+ * session id in URLs which is not considered URL because the session id can be leaked in
+ * things like HTTP access logs.
+ *
+ * @author Rob Winch
+ * @since 5.7
+ */
+public class DisableEncodeUrlFilter extends OncePerRequestFilter {
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+		filterChain.doFilter(request, new DisableEncodeUrlResponseWrapper(response));
+	}
+
+	/**
+	 * Disables URL rewriting for the {@link HttpServletResponse} to prevent including the
+	 * session id in URLs which is not considered URL because the session id can be leaked
+	 * in things like HTTP access logs.
+	 *
+	 * @author Rob Winch
+	 * @since 5.7
+	 */
+	private static final class DisableEncodeUrlResponseWrapper extends HttpServletResponseWrapper {
+
+		/**
+		 * Constructs a response adaptor wrapping the given response.
+		 * @param response the {@link HttpServletResponse} to be wrapped.
+		 * @throws IllegalArgumentException if the response is null
+		 */
+		private DisableEncodeUrlResponseWrapper(HttpServletResponse response) {
+			super(response);
+		}
+
+		@Override
+		public String encodeRedirectUrl(String url) {
+			return url;
+		}
+
+		@Override
+		public String encodeRedirectURL(String url) {
+			return url;
+		}
+
+		@Override
+		public String encodeUrl(String url) {
+			return url;
+		}
+
+		@Override
+		public String encodeURL(String url) {
+			return url;
+		}
+
+	}
+
+}
diff --git a/web/src/test/java/org/springframework/security/web/session/DisableEncodeUrlFilterTests.java b/web/src/test/java/org/springframework/security/web/session/DisableEncodeUrlFilterTests.java
new file mode 100644
index 0000000000..b53ac696dc
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/session/DisableEncodeUrlFilterTests.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.session;
+
+import java.util.function.Consumer;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import static org.mockito.Mockito.verifyNoInteractions;
+
+/**
+ * @author Rob Winch
+ */
+@ExtendWith(MockitoExtension.class)
+class DisableEncodeUrlFilterTests {
+
+	@Mock
+	private HttpServletRequest request;
+
+	@Mock
+	private HttpServletResponse response;
+
+	private DisableEncodeUrlFilter filter = new DisableEncodeUrlFilter();
+
+	@Test
+	void doFilterDisablesEncodeURL() throws Exception {
+		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeURL("/"));
+	}
+
+	@Test
+	void doFilterDisablesEncodeUrl() throws Exception {
+		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeUrl("/"));
+	}
+
+	@Test
+	void doFilterDisablesEncodeRedirectURL() throws Exception {
+		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeRedirectURL("/"));
+	}
+
+	@Test
+	void doFilterDisablesEncodeRedirectUrl() throws Exception {
+		verifyDoFilterDoesNotInteractWithResponse((httpResponse) -> httpResponse.encodeRedirectUrl("/"));
+	}
+
+	private void verifyDoFilterDoesNotInteractWithResponse(Consumer<HttpServletResponse> toInvoke) throws Exception {
+		this.filter.doFilter(this.request, this.response, (request, response) -> {
+			HttpServletResponse httpResponse = (HttpServletResponse) response;
+			toInvoke.accept(httpResponse);
+		});
+		verifyNoInteractions(this.response);
+	}
+
+}