From d26f40f0621ec111f11cd28eabb3a135dafb6b6a Mon Sep 17 00:00:00 2001
From: Michel Palourdio
Date: Sat, 26 Nov 2016 13:08:34 +0100
Subject: [PATCH] DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path.

---
 .../security/web/DefaultRedirectStrategy.java | 4 ++++
 .../web/DefaultRedirectStrategyTests.java | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
index 6537723fcc..5d22355b0a 100644
--- a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
@@ -73,6 +73,10 @@ public class DefaultRedirectStrategy implements RedirectStrategy {
 return url;
 }
 
+ if (!url.contains(contextPath)) {
+ return "";
+ }
+
 // Calculate the relative URL from the fully qualified URL, minus the last
 // occurrence of the scheme and base context.
 url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
index a32e509ffe..94cb30b03d 100644
--- a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
+++ b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
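Review bot: The new guard `if (!url.contains(contextPath))` is a plain substring test over the whole absolute URL, so a URL that merely carries the context-path text in its host, query or fragment (constructed example: contextPath `/app`, url `https://example.test/?next=/app`) passes it, and for a root deployment where `contextPath` is `""` the condition is always false, so the guard never fires at all. Returning `""` also does not do what the subject says: a servlet container resolves `sendRedirect("")` relative to the current request rather than to the context root, and a caller that handed in a URL for a foreign context gets a silent no-op instead of a visible failure. If the silent form is intended, say so above the check with `// URL is not under this context path; no context-relative form exists, so emit an empty target`; otherwise failing loudly, `throw new IllegalArgumentException("The fully qualified URL does not include context path");`, and anchoring the match to the path segment that follows the authority would make the contract explicit. The enclosing method continues outside the hunk, so whether the later stripping lines already tolerate an empty context path cannot be confirmed here.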
@@ -56,4 +56,19 @@ public class DefaultRedirectStrategyTests {
 assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 }
+
+ @Test
+ public void contextRelativeShouldRedirectToRootIfURLDoesNotContainContextPath()
+ throws Exception {
+ DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+ rds.setContextRelative(true);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setContextPath("/context");
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ rds.sendRedirect(request, response,
+ "https://redirectme.somewhere.else");
+
+ assertThat(response.getRedirectedUrl()).isEqualTo("");
+ }
 
 }
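Review bot: The new test only covers a foreign host with a non-empty context path; it does not exercise the two inputs the guard cannot tell apart, namely a URL whose host or query merely contains the context-path text, and the root context path (MockHttpServletRequest's default, an empty string), for which `url.contains(contextPath)` is always true. A sibling test using `request.setContextPath("")` with the same absolute URL, asserting whatever result the strategy is meant to produce there, would pin the root-context behaviour before it changes unnoticed. The name says `RedirectToRoot` while the assertion expects `""`; one of them should change so the test reads as what it checks, and a short comment such as `// MockHttpServletResponse records the raw argument; a real container resolves "" against the current request` would stop readers from taking the empty string as a root redirect.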