SEC-2177: Striping off all leading schemes

Striping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found at SEC-2177 JIRA issue.

web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java

@@ -54,8 +54,9 @@ public class DefaultRedirectStrategy implements RedirectStrategy {
             return url;
         }
 
-        // Calculate the relative URL from the fully qualified URL, minus the scheme and base context.
-        url = url.substring(url.indexOf("://") + 3); // strip off scheme
+        // Calculate the relative URL from the fully qualified URL, minus the last
+        // occurrence of the scheme and base context.
+        url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
         url = url.substring(url.indexOf(contextPath) + contextPath.length());
 
         if (url.length() > 1 && url.charAt(0) == '/') {

web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java

@@ -24,4 +24,17 @@ public class DefaultRedirectStrategyTests {
 
         assertEquals("remainder", response.getRedirectedUrl());
     }
+
+    @Test
+    public void contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly() throws Exception {
+        DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+        rds.setContextRelative(true);
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setContextPath("/context");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        rds.sendRedirect(request, response, "http://http://context.blah.com/context/remainder");
+
+        assertEquals("remainder", response.getRedirectedUrl());
+    }
 }