Takuya Iwatsuka (Migrated from SEC-3182) said:
We have a request for a new feature. Briefly, it is that whenever applications redirect, the target URLs are checked through the filter chain.
We use a custom AuthenticationHandler to achieve the requirements below.
- specify target URLs of redirect after authentication success using request parameter
- restrict the URLs to be context relative for security reasons
Generally speaking, this kind of check is necessary not only after authentication success, but also for any redirect. And we are sure that this feature should be provided by Spring Security. Our proposal is that the filter chain inspects the target URLs. Though there may be several possible means to do so, using HMAC signing is the best way as far as we know (cf. http://bnbsec.blogspot.jp/2015/03/fixing-open-redirect.html).
We show our custom AuthenticationHandler just for reference. But we would like to have a more general function that covers cases other than authentication (https://github.com/terasolunaorg/terasoluna-gfw/blob/master/terasoluna-gfw-security-web/src/main/java/org/terasoluna/gfw/security/web/redirect/RedirectAuthenticationHandler.java).
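The two requirements in the issue (a redirect target supplied as a request parameter, restricted to context-relative paths, and an HMAC signature the filter chain can verify) can be shown together in one small Java helper. This is an added illustration, not code from Spring Security or from the terasoluna-gfw project; the class name `SignedRedirect`, the hypothetical `sign`/`verify`/`isContextRelative` methods and the demo secret are all assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper (not part of Spring Security): the application signs a
 * context-relative redirect target with HMAC-SHA256 when it builds the
 * redirect parameter, and a filter verifies both the signature and the
 * context-relative restriction before performing the redirect.
 */
public final class SignedRedirect {

    private static final String ALGORITHM = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    public SignedRedirect(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALGORITHM);
    }

    /** True only for a path that stays inside this application's context. */
    public static boolean isContextRelative(String target) {
        if (target == null || target.isEmpty() || target.indexOf('\\') >= 0) {
            return false;
        }
        // "//host/..." is scheme-relative and would leave the site, so it is
        // rejected along with anything that does not start with a single "/".
        if (!target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null
                    && uri.getRawAuthority() == null
                    && uri.getRawPath() != null
                    && uri.getRawPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    private byte[] mac(String target) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(key);
            return mac.doFinal(target.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Signature the application attaches when it emits the redirect parameter. */
    public String sign(String target) {
        if (!isContextRelative(target)) {
            throw new IllegalArgumentException("redirect target must be context relative: " + target);
        }
        return B64.encodeToString(mac(target));
    }

    /** Check a filter performs before letting a redirect through. */
    public boolean verify(String target, String signature) {
        if (!isContextRelative(target) || signature == null) {
            return false;
        }
        byte[] provided;
        try {
            provided = B64D.decode(signature);
        } catch (IllegalArgumentException e) {
            return false;
        }
        // Constant-time comparison so the expected MAC is not leaked byte by byte.
        return MessageDigest.isEqual(mac(target), provided);
    }

    public static void main(String[] args) {
        // Constructed demo secret; a real deployment would load it from configuration.
        SignedRedirect sr = new SignedRedirect("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String ok = "/account/settings?tab=profile";
        String sig = sr.sign(ok);
        System.out.println("signed target verifies: " + sr.verify(ok, sig));
        System.out.println("same signature on another path: " + sr.verify("/admin", sig));
        System.out.println("scheme-relative target allowed: " + isContextRelative("//evil.example/"));
        System.out.println("absolute target allowed: " + isContextRelative("https://evil.example/"));
    }
}
```

The signature binds the exact target string, so changing the path or query after signing fails verification, and the context-relative check runs on both sides so that a signed value can never point off-site even if the signing code is reached with unexpected input.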
Comment From: sjohnr
Closing this issue along with associated pull request. See comment on #4074.