Under the conditions below, the method ignores this.useReferer. I wonder if it is done on purpose.
- isAlwaysUseDefaultTargetUrl() is false
- this.targetUrlParameter is not null
- request.getParameter(this.targetUrlParameter) is whitespace only
Would anyone help to check?
https://github.com/spring-projects/spring-security/blob/8aa7029d078cdad34b539cbe54e3c4fb8b961711/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java#L106-L135
Comment From: jzheaux
That is correct, @deeaitche. The presence of the target URL parameter in the request takes precedence, whether it is empty or not. For example:
- https://example.org?param=https://example.org/target -> use https://example.org/target
- https://example.org?param -> use default
- https://example.org -> use referrer, if use referrer is true
- https://example.org -> use default, if use referrer is false
The clarity of this code could be improved, I think, as well as introducing a unit test to clarify this behavior. Would you be interested in submitting a PR to make the code clearer and also add a unit test?
Comment From: dkodippily
@jzheaux can I work on this?
Comment From: dkodippily
Hi @jzheaux, I'm really interested in raising a PR for this, is this still available?
Comment From: jzheaux
Sure, @dkodippily! The issue is yours.
Comment From: dkodippily
Hi @jzheaux, raised a PR with unit tests to confirm the behaviour, #12468; we'll check on improvements/refactoring after this.
Comment From: dkodippily
Hi @jzheaux, thanks for the feedback. Refactored and squashed the commits.