Spring Security SEC-2811: portResolver's portMapper is not updated in AbstractRetryEntryPoint, LoginUrlAuthenticationEntryPoint, and HttpSessionRequestCache

Alex Pogrebnyak (Migrated from SEC-2811) said:

I checked the bug exists in the latest revision on GitHub.

These classes: - org.springframework.security.web.access.channel.AbstractRetryEntryPoint - org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint - org.springframework.security.web.savedrequest.HttpSessionRequestCache

all create a default instance of PortResolverImpl.

PortResolverImpl creates a default instance of PortMapper.

When I configure a custom instance of PortMapper in my application, it does not propagate to these PortResolvers, which are extensively used by classes in question.

Comment From: jzheaux

Given https://github.com/spring-projects/spring-security/issues/12971, it's not expected that PortResolverImpl would ever return anything other than ServletRequest#getServerPort at this point. Because of that, I believe this issue is no longer relevant.

If there is something I've missed, please reach out and we can reopen.