Use relative URLs in /login redirects #14714
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spring-projects-issues
added
the
status: waiting-for-triage
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR
Closes #7273
Motivation
I noticed inconsistency in all tests that are using
andExpect(MockMvcResultMatchers.redirectedUrl("/xyz")). I was able to test everything using relative urls with one exception -/login- absolute paths had to be used there. Same pattern is in the whole repo -/loginredirect asserts are usinghttp://localhost/login(or similar).LoginUrlAuthenticationEntryPointis responsible - namelybuildRedirectUrlToLoginPagethat always constructs absolute path.There are probably no other than historical reasons for this behavior (as mentioned in #7273). At time of introducing the the class, absolute URI was required by RFC 2616. The RFC is obsoleted by RFC 7231 since 2014. RFC 7231 allows relative URIs (current RFC 9110 also allows relative URIs).
Expected behavior should be that
LoginUrlAuthenticationEntryPointwould override relative path to absolute only in cases where it's necessary. That is whenforceHttpsis set to true and incoming requests arehttp.Change
After this change,
LoginUrlAuthenticationEntryPointwill use relative paths if possible (http -> http, https -> https would use relative paths). However ifforceHttpsis set to true, and incoming request ishttp, it'll be redirected using absolute path (https://example.com/login).More complicated flows
When incoming request is
http,forceHttpsistrue, butportResolveris not able to resolve ports correctly: previous behavior was to fall back to redirect tohttp(using absolute path) and log a warning. After the change, the warning is still logged, but relative path will be used.Potentially problematic is one corner case - when we have incoming
httpsrequest, but using a "matching"httpport (nothttps!). Let's say we have8080forhttpand8443forhttps- what should the behavior be forhttps://example.com:8080/login? Previously app redirected tohttps://example.com:8443/login- but only in case when a port "matching"httpport was used. If different port was used (e.g. 8081), app would redirect to originalhttps://example.com:8081/login. I think it was unwanted side effect. After the change, the special behavior is removed. It does not matter if port "matches"httpwhen accessing viahttps. Let me know if I should change this.Tests
As a result of the small change, many asserts in many tests had to be updated. Behavior is covered by tests (e.g.
testHttpsOperationFromOriginalHttpUrltestHttpsOperationFromOriginalHttpsUrl,testOperationWhenHttpsRequestsButHttpsPortUnknowninLoginUrlAuthenticationEntryPointTests).I only updated
testHttpsOperationFromOriginalHttpsUrlto cover the corner case flow explicitly.