https://github.com/spring-projects/spring-security/blob/33495441b56ec6ce9e85b5e824460b2b4984f7e6/web/src/main/java/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.java#L157
Is it a good idea to add query string to line 157 as well as line 188 (the redirect http to https logic)?
It makes sense the query string is needed when we redirect the request from http to https, we need keep them.
But if query string is added to https, then http should also be added, right?
If there is something worth to keep while using https, why should it be thrown away in http?
People(me) might want to keep the client_id query string within the form login request and filter malicious login request by client id or show a different login page according to it.
With this line added, it could be much easier and I don't see the downsides, cause query string doesn't harm.
Let's talk about it please.
Comment From: jzheaux
Thanks again, @travisbikkle, for reaching out. Since I've already responded on your other issue, I'll close this as a duplicate of https://github.com/spring-projects/spring-security/issues/15742