SEC-1648: Implemented Rob's suggestion to use a null value for the targetUrlParameter rather than a boolean property. It should thus only be used if this value is set.

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java

@@ -50,13 +50,11 @@ import org.springframework.util.StringUtils;
  */
 public abstract class AbstractAuthenticationTargetUrlRequestHandler {
 
-    public static final String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";
     protected final Log logger = LogFactory.getLog(this.getClass());
-    private String targetUrlParameter = DEFAULT_TARGET_PARAMETER;
+    private String targetUrlParameter = null;
     private String defaultTargetUrl = "/";
     private boolean alwaysUseDefaultTargetUrl = false;
     private boolean useReferer = false;
-    private boolean useTargetUrlparameter = false;
     private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
 
     protected AbstractAuthenticationTargetUrlRequestHandler() {
@@ -90,7 +88,7 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
         // Check for the parameter and use that if available
         String targetUrl = null;
 
-        if (useTargetUrlparameter) {
+        if (targetUrlParameter != null  ) {
             targetUrl = request.getParameter(targetUrlParameter);
 
             if (StringUtils.hasText(targetUrl)) {
@@ -157,10 +155,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
     }
 
     /**
-     * The current request will be checked for this parameter before and the value used as the target URL if present.
+     * If this property is set, the current request will be checked for this a parameter with this name
+     * and the value used as the target URL if present.
      *
-     *  @param targetUrlParameter the name of the parameter containing the encoded target URL. Defaults
-     *  to "spring-security-redirect".
+     * @param targetUrlParameter the name of the parameter containing the encoded target URL. Defaults
+     * to null.
      */
     public void setTargetUrlParameter(String targetUrlParameter) {
         Assert.hasText("targetUrlParameter canot be null or empty");
@@ -189,13 +188,4 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
         this.useReferer = useReferer;
     }
 
-    /**
-     * If set to {@code true} the request parameter {@code targetUrlParameter} will be used (if available). Defaults
-     * to {@code false}.
-     *
-     * @param useTargetUrlparameter
-     */
-    public void setUseTargetUrlparameter(boolean useTargetUrlparameter) {
-        this.useTargetUrlparameter = useTargetUrlparameter;
-    }
 }

web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java

@@ -42,20 +42,34 @@ public class SimpleUrlAuthenticationSuccessHandlerTests {
      * SEC-213
      */
     @Test
-    public void targetUrlParameterIsUsedIfPresent() throws Exception {
+    public void targetUrlParameterIsUsedIfPresentAndParameterNameIsSet() throws Exception {
         SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget");
-        ash.setUseTargetUrlparameter(true);
-        ash.setTargetUrlParameter("targetUrl");
         MockHttpServletRequest request = new MockHttpServletRequest();
         MockHttpServletResponse response = new MockHttpServletResponse();
-
         request.setParameter("targetUrl", "/target");
 
         ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
+        assertEquals("/defaultTarget", response.getRedirectedUrl());
 
+        // Try with parameter set
+        ash.setTargetUrlParameter("targetUrl");
+        response = new MockHttpServletResponse();
+        ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
         assertEquals("/target", response.getRedirectedUrl());
     }
 
+    @Test
+    public void refererIsUsedIfUseRefererIsSet() throws Exception {
+        SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        ash.setUseReferer(true);
+        request.addHeader("Referer", "http://www.springsource.com/");
+
+        ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
+        assertEquals("http://www.springsource.com/", response.getRedirectedUrl());
+    }
+
     /**
      * SEC-297 fix.
      */