Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-11-04 00:28:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
spring-security/docs/modules/ROOT/pages/migration-7/web.adoc
Josh Cummings 3eeb4317f6 Add setFavorRelativeUris 
This places the new functionality behind a setting so that
we can remain passive until we can change the setting in
the next major release.

Issue gh-7273
2024-12-17 22:35:41 -07:00

105 lines
2.0 KiB
Plaintext
Raw Blame History

= Web Migrations
== Favor Relative URIs
When redirecting to a login endpoint, Spring Security has favored absolute URIs in the past.
For example, if you set your login page like so:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
http
// ...
.formLogin((form) -> form.loginPage("/my-login"))
// ...
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
http {
formLogin {
loginPage = "/my-login"
}
}
----
Xml::
+
[source,kotlin,role="secondary"]
----
<http ...>
<form-login login-page="/my-login"/>
</http>
----
======
then when redirecting to `/my-login` Spring Security would use a `Location:` like the following:
[source]
----
302 Found
// ...
Location: https://myapp.example.org/my-login
----
However, this is no longer necessary given that the RFC is was based on is now obsolete.
In Spring Security 7, this is changed to use a relative URI like so:
[source]
----
302 Found
// ...
Location: /my-login
----
Most applications will not notice a difference.
However, in the event that this change causes problems, you can switch back to the Spring Security 6 behavior by setting the `favorRelativeUrls` value:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/my-login");
entryPoint.setFavorRelativeUris(false);
http
// ...
.exceptionHandling((exceptions) -> exceptions.authenticaitonEntryPoint(entryPoint))
// ...
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
LoginUrlAuthenticationEntryPoint entryPoint = LoginUrlAuthenticationEntryPoint("/my-login")
entryPoint.setFavorRelativeUris(false)
http {
exceptionHandling {
authenticationEntryPoint = entryPoint
}
}
----
Xml::
+
[source,kotlin,role="secondary"]
----
<http entry-point-ref="myEntryPoint">
<!-- ... -->
</http>
<b:bean id="myEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<b:property name="favorRelativeUris" value="true"/>
</b:bean>
----
======
Reference in New Issue View Git Blame Copy Permalink