https://github.com/spring-projects/spring-security/blob/33495441b56ec6ce9e85b5e824460b2b4984f7e6/web/src/main/java/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.java#L157
Is it a good idea to add the query string at line 157 as well as at line 188 (the http-to-https redirect logic)? Or is there a reason why it was thrown away?
It makes sense that the query string is needed when we redirect the request from http to https; we need to keep it.
But if the query string is added for https, then it should also be added for http, right?
If there is something worth keeping while using https, why should it be thrown away for http?
People (me) might (really) want to keep the client_id query string within the form login request and filter malicious login requests by client id, or show a different login page according to it. With this line added, these would be much easier, and I don't see the downsides, because the query string doesn't do any harm.
Let's talk about it please.
Comment From: jzheaux
Hi, @travisbikkle, thanks for the suggestion. What the code does is a little tricky, and maybe there is some value in making it clearer.
When this.forceHttps is true, the entry point re-requests the current request, just with https, and then this code is exercised again. In other words, the reason the query string is preserved is that it is trying to replay the exact same request.
Once the scheme matches the configuration, though, this entry point redirects to the login page, and so there isn't necessarily a request to preserve.
If you want to have the request parameters passed along to your login page, then you can do this by extending LoginUrlAuthenticationEntryPoint#determineUrlToUseForThisRequest like so:
import jakarta.servlet.http.HttpServletRequest;   // javax.servlet.http.* on Spring Security 5.x
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

@Component
public class MyQueryStringPreservingEntryPoint extends LoginUrlAuthenticationEntryPoint {

    public MyQueryStringPreservingEntryPoint() {
        super("/login"); // login form URL (assumed); LoginUrlAuthenticationEntryPoint has no no-arg constructor
    }

    @Override
    protected String determineUrlToUseForThisRequest(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception) {
        String loginForm = super.determineUrlToUseForThisRequest(request, response, exception);
        // Append the original request's query string to the login form URL
        return UriComponentsBuilder.fromUriString(loginForm)
                .query(request.getQueryString()).toUriString();
    }
}

// ...
@Bean
SecurityFilterChain webSecurity(HttpSecurity http, AuthenticationEntryPoint entryPoint) throws Exception {
    http
        // ...
        .exceptionHandling((exception) -> exception.authenticationEntryPoint(entryPoint));
    return http.build();
}
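A variant of the subclass above, added here as an editor's example (not code from the thread or from Spring Security): it carries only an allow-listed set of parameters (here the client_id the opening post mentions) onto the login redirect, re-encoded as parameter values rather than pasting the raw query string into the Location header, and drives the entry point with constructed mock requests so the resulting redirect can be inspected without a servlet container. It assumes a login form URL of "/login", the host example.test, spring-test on the classpath, and the jakarta servlet namespace (javax on Spring Security 5.x).

```java
import jakarta.servlet.http.HttpServletRequest;   // javax.servlet.http.* on Spring Security 5.x
import jakarta.servlet.http.HttpServletResponse;
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;   // from spring-test
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.web.util.UriComponentsBuilder;

// Carries only allow-listed parameters onto the login-page redirect instead of the raw query string.
public class AllowListedParamsEntryPoint extends LoginUrlAuthenticationEntryPoint {
    // Parameter names worth keeping across the redirect; "client_id" is the one from the thread.
    private static final List<String> CARRIED_PARAMS = List.of("client_id");

    public AllowListedParamsEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    protected String determineUrlToUseForThisRequest(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception) {
        String loginForm = super.determineUrlToUseForThisRequest(request, response, exception);
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(loginForm);
        for (String name : CARRIED_PARAMS) {
            String value = request.getParameter(name);
            if (value != null) {
                builder.queryParam(name, value); // added as a value, so '&', '?' and '#' in it are percent-encoded
            }
        }
        return builder.toUriString(); // builds and encodes the URI
    }

    // Drives the entry point with constructed mock requests and prints the Location header
    // produced for an http and an https request with forceHttps enabled, as discussed above.
    public static void main(String[] args) throws Exception {
        AllowListedParamsEntryPoint entryPoint = new AllowListedParamsEntryPoint("/login");
        entryPoint.setForceHttps(true);
        for (String scheme : List.of("http", "https")) {
            MockHttpServletRequest request = new MockHttpServletRequest("GET", "/app/secure");
            request.setScheme(scheme);
            request.setServerName("example.test");                 // constructed sample host
            request.setServerPort("http".equals(scheme) ? 80 : 443);
            request.setContextPath("/app");
            request.setParameter("client_id", "demo");             // allow-listed: carried over
            request.setParameter("utm_source", "newsletter");      // not allow-listed: dropped
            MockHttpServletResponse response = new MockHttpServletResponse();
            entryPoint.commence(request, response, new InsufficientAuthenticationException("Full authentication required"));
            System.out.println(scheme + " -> " + response.getRedirectedUrl());
        }
    }
}
```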