From f08ca4e6887464249560e77a4eee92e885c15f21 Mon Sep 17 00:00:00 2001
From: Astushi Yoshikawa
Date: Thu, 16 Apr 2020 20:12:03 +0900
Subject: [PATCH] Throw exception if URL does not include context path when context relative

Issue: gh-8399
---
 .../security/web/DefaultRedirectStrategy.java | 2 +-
 .../security/web/DefaultRedirectStrategyTests.java | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
index 5d22355b0a..983f5ce29c 100644
--- a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
@@ -74,7 +74,7 @@ public class DefaultRedirectStrategy implements RedirectStrategy {
 }
 if (!url.contains(contextPath)) {
- return "";
+ throw new IllegalArgumentException("The fully qualified URL does not include context path.");
 }
 // Calculate the relative URL from the fully qualified URL, minus the last
diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
index 94cb30b03d..5ef1d74fe7 100644
--- a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
+++ b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
@@ -57,8 +57,8 @@ public class DefaultRedirectStrategyTests {
 assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 }
- @Test
- public void contextRelativeShouldRedirectToRootIfURLDoesNotContainContextPath()
+ @Test(expected = IllegalArgumentException.class)
+ public void contextRelativeShouldThrowExceptionIfURLDoesNotContainContextPath()
 throws Exception {
 DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
 rds.setContextRelative(true);
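Review bot: In DefaultRedirectStrategy.java the new `throw` is reached only when `url.contains(contextPath)` is false, and that guard is a substring test over the whole URL, so it does not establish that the target lies under this application's context path. A context path that happens to appear in the host name or query string satisfies it, and an empty context path (root deployment) satisfies it for every URL, so the exception never fires there. Consider testing the parsed path component instead, for example `String path = URI.create(url).getRawPath();` followed by `if (path == null || !(path.equals(contextPath) || path.startsWith(contextPath + "/"))) {`. The method's Javadoc should also state that an absolute URL outside the context path now raises `IllegalArgumentException`, since callers passing request-derived targets will see an unchecked exception where they previously got an empty redirect; the enclosing method starts and ends outside the hunk.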
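Review bot: In DefaultRedirectStrategyTests.java, `@Test(expected = IllegalArgumentException.class)` passes if any statement in the method throws that exception, including the setup calls, so the test does not pin the failure to `sendRedirect`. The file already uses AssertJ, so the call can be wrapped instead: `assertThatIllegalArgumentException().isThrownBy(() -> rds.sendRedirect(request, response, "https://redirectme.somewhere.else"));`, optionally followed by `.withMessageContaining("context path")`. The test method body continues into the next hunk, where the old `isEqualTo("")` assertion is removed.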
@@ -68,7 +68,5 @@ public class DefaultRedirectStrategyTests {
 rds.sendRedirect(request, response, "https://redirectme.somewhere.else");
-
- assertThat(response.getRedirectedUrl()).isEqualTo("");
 }
 }