diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java index 48a1b38996..b0fcc15e5c 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java +++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java @@ -50,13 +50,11 @@ import org.springframework.util.StringUtils; */ public abstract class AbstractAuthenticationTargetUrlRequestHandler { - public static final String DEFAULT_TARGET_PARAMETER = "spring-security-redirect"; protected final Log logger = LogFactory.getLog(this.getClass()); - private String targetUrlParameter = DEFAULT_TARGET_PARAMETER; + private String targetUrlParameter = null; private String defaultTargetUrl = "/"; private boolean alwaysUseDefaultTargetUrl = false; private boolean useReferer = false; - private boolean useTargetUrlparameter = false; private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); protected AbstractAuthenticationTargetUrlRequestHandler() { @@ -90,7 +88,7 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler { // Check for the parameter and use that if available String targetUrl = null; - if (useTargetUrlparameter) { + if (targetUrlParameter != null ) { targetUrl = request.getParameter(targetUrlParameter); if (StringUtils.hasText(targetUrl)) { @@ -157,10 +155,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler { } /** - * The current request will be checked for this parameter before and the value used as the target URL if present. + * If this property is set, the current request will be checked for this a parameter with this name + * and the value used as the target URL if present. * - * @param targetUrlParameter the name of the parameter containing the encoded target URL. Defaults - * to "spring-security-redirect". + * @param targetUrlParameter the name of the parameter containing the encoded target URL. Defaults + * to null. */ public void setTargetUrlParameter(String targetUrlParameter) { Assert.hasText("targetUrlParameter canot be null or empty"); @@ -189,13 +188,4 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler { this.useReferer = useReferer; } - /** - * If set to {@code true} the request parameter {@code targetUrlParameter} will be used (if available). Defaults - * to {@code false}. - * - * @param useTargetUrlparameter - */ - public void setUseTargetUrlparameter(boolean useTargetUrlparameter) { - this.useTargetUrlparameter = useTargetUrlparameter; - } } diff --git a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java index 591efdd32d..39f1d73aa5 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java @@ -42,20 +42,34 @@ public class SimpleUrlAuthenticationSuccessHandlerTests { * SEC-213 */ @Test - public void targetUrlParameterIsUsedIfPresent() throws Exception { + public void targetUrlParameterIsUsedIfPresentAndParameterNameIsSet() throws Exception { SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget"); - ash.setUseTargetUrlparameter(true); - ash.setTargetUrlParameter("targetUrl"); MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletResponse response = new MockHttpServletResponse(); - request.setParameter("targetUrl", "/target"); ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); + assertEquals("/defaultTarget", response.getRedirectedUrl()); + // Try with parameter set + ash.setTargetUrlParameter("targetUrl"); + response = new MockHttpServletResponse(); + ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); assertEquals("/target", response.getRedirectedUrl()); } + @Test + public void refererIsUsedIfUseRefererIsSet() throws Exception { + SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget"); + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + ash.setUseReferer(true); + request.addHeader("Referer", "http://www.springsource.com/"); + + ash.onAuthenticationSuccess(request, response, mock(Authentication.class)); + assertEquals("http://www.springsource.com/", response.getRedirectedUrl()); + } + /** * SEC-297 fix. */