RequestedUrlRedirectInvalidSessionStrategy doesn't take servlet context path into account #12795

Closed
@mches

Description

Describe the bug
When using RequestedUrlRedirectInvalidSessionStrategy as the invalid session strategy within the session management of the security filter chain, with a non-empty servlet context path configured, the context path is duplicated in the redirect URLs. For example, if the context path is "/app" and the requested URI is "/app/requested", then the redirect URL becomes "/app/app/requested".

To Reproduce
Configure a non-empty context path such as "/app". Set an instance of RequestedUrlRedirectInvalidSessionStrategy as the invalid session strategy in the security filter chain. Access the app at "http://localhost:8080/app/requested" with an invalid session ID. Get redirected to "/app/app/requested".

Expected behavior
The redirect should not duplicate the context path segments. It should be the same as the request URI, "/app/requested".

Sample

5.7.x...mches:spring-security:gh-12795
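
A minimal harness for the reproduction steps above, added here as an example and not part of the original report or the linked branch. It assumes spring-security-web, spring-webmvc, spring-test and the Servlet API are on the classpath; the class name `ContextPathRedirectRepro` and the session ID value are made up for the example.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.session.RequestedUrlRedirectInvalidSessionStrategy;

// Hypothetical harness: drives the strategy directly with mock servlet objects,
// so no container or filter chain is needed to observe the redirect target.
public class ContextPathRedirectRepro {

    // Returns the redirect URL the strategy sends for a request with the
    // given context path and request URI.
    static String redirectFor(String contextPath, String requestUri) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        request.setContextPath(contextPath);
        // Constructed value: a session ID the server no longer recognises.
        request.setRequestedSessionId("stale-session-id");
        request.setRequestedSessionIdValid(false);

        MockHttpServletResponse response = new MockHttpServletResponse();
        new RequestedUrlRedirectInvalidSessionStrategy()
                .onInvalidSessionDetected(request, response);
        return response.getRedirectedUrl();
    }

    public static void main(String[] args) throws Exception {
        // { context path, request URI }: the root-context case is the control,
        // the "/app" case is the one described in the report.
        String[][] cases = {
            { "", "/requested" },
            { "/app", "/app/requested" },
        };
        boolean allMatch = true;
        for (String[] c : cases) {
            String actual = redirectFor(c[0], c[1]);
            // Expected behaviour per the report: redirect equals the request URI.
            boolean matches = c[1].equals(actual);
            allMatch &= matches;
            System.out.printf("contextPath='%s' requestURI='%s' redirect='%s' %s%n",
                    c[0], c[1], actual, matches ? "OK" : "MISMATCH");
        }
        // Non-zero exit makes the harness usable as a regression check in CI.
        System.exit(allMatch ? 0 : 1);
    }
}
```

A redirect that differs from the request URI in the "/app" case corresponds to the behaviour reported in this issue.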

Labels: in: web (An issue in web modules (web, webmvc)); type: enhancement (A general enhancement)
