Using relative redirect in spring boot fails

Question

Scenario

I have an spring-boot application which is accessed using context instead domain root:

domain root : http://app.com
my app : http://app.com/organization_a (redirects me to my app login)
my app login : http://app.com/organization_a/login (form is loaded perfectly)

Problem

After success login, using the classic configuration:

formLogin()
    .loginPage("/login")
    .defaultSuccessUrl("/my_form")

redirects me to : http://app.com/my_form throwing an error because the url must be : http://app.com/organization_a/my_form

So, I tried to use relative url (note the dot before /my_form) ./my_form instead /my_form

formLogin()
    .loginPage("/login")
    .defaultSuccessUrl("./my_form")

And spring throw me this error : defaultTarget must start with '/' or with 'http(s) due to this validation in spring-security-web jar:

//org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler
public void setDefaultTargetUrl(String defaultTargetUrl) {
    Assert.isTrue(UrlUtils.isValidRedirectUrl(defaultTargetUrl),
            "defaultTarget must start with '/' or with 'http(s)'");
    this.defaultTargetUrl = defaultTargetUrl;
}

So, I can say: Classic default success url method does not allow to use relative urls, because if I use root domain , works like charm as in my localhost.

Relative vs Absolute urls

More info here

I had similar troubles with html and assets in java an other languages like php and nodejs.

Basically if you are using context instead a domain root for your app, you must need to change this:

<link href="/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet"/>

to

<link href="./vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet"/>

Note the dot before /vendor/bootstrap/...

Without this dot, your assets will not download because the browser request to urls like :

When should it be:

Current workarounds

Use domain or subdomain instead context.
- This is laborious because I will need to open a ticket to my ISP for every new app.
Put the entire url in defaultSuccessUrl method.
- This is awful because my app will not be portable due to I must set the absolute url before build:

    formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("http://app.com/organization_a/my_form")

Question

Is there a way to use relative redirect in spring security?

I am using one of the latest spring boot versions: 2.1.7.RELEASE

Any help or comment are appreciated.

Thanks

You already checked out the code and according to the code this is not possible. — Simon Martinelli, Aug 15 '19 at 08:02
I trying with AuthenticationSuccessHandler. I feel that I am close. — JRichardsz, Aug 15 '19 at 14:45

score 3 · Answer 1 · answered Mar 31 '21 at 14:12

3

I managed to enable relative redirects via the following spring properties:

server:
  tomcat:
    use-relative-redirects: true

answered Mar 31 '21 at 14:12

Aaron

412
1
7
11