This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.3!
Web Migrations
Favor Relative URIs
When redirecting to a login endpoint, Spring Security has favored absolute URIs in the past. For example, if you set your login page like so:

Java

    http
        // ...
        .formLogin((form) -> form.loginPage("/my-login"))
        // ...

Kotlin

    http {
        formLogin {
            loginPage = "/my-login"
        }
    }

Xml

    <http ...>
        <form-login login-page="/my-login"/>
    </http>

then when redirecting to /my-login Spring Security would use a Location: like the following:

    302 Found
    // ...
    Location: https://myapp.example.org/my-login

However, this is no longer necessary given that the RFC it was based on is now obsolete.
In Spring Security 7, this is changed to use a relative URI like so:

    302 Found
    // ...
    Location: /my-login

Most applications will not notice a difference.
However, in the event that this change causes problems, you can switch back to the Spring Security 6 behavior by setting the favorRelativeUris value to false:

Java

    LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/my-login");
    // Restore the Spring Security 6 behavior: absolute URI in the Location header
    entryPoint.setFavorRelativeUris(false);
    http
        // ...
        .exceptionHandling((exceptions) -> exceptions.authenticationEntryPoint(entryPoint))
        // ...

Kotlin

    val entryPoint = LoginUrlAuthenticationEntryPoint("/my-login")
    // Restore the Spring Security 6 behavior: absolute URI in the Location header
    entryPoint.setFavorRelativeUris(false)
    http {
        exceptionHandling {
            authenticationEntryPoint = entryPoint
        }
    }

Xml

    <http entry-point-ref="myEntryPoint">
        <!-- ... -->
    </http>
    <b:bean id="myEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <!-- the login page URL is a required constructor argument -->
        <b:constructor-arg value="/my-login"/>
        <!-- false restores the Spring Security 6 behavior -->
        <b:property name="favorRelativeUris" value="false"/>
    </b:bean>
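
A migration check for the behavior described above, as an added example that is not part of the Spring Security documentation: a JUnit 5 test that drives LoginUrlAuthenticationEntryPoint with spring-test mock objects and asserts the Location value for both settings. The class name, the /private path and the request values are constructed for illustration, and it assumes a Spring Security version that provides setFavorRelativeUris.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Added example: hypothetical test class, constructed request values.
class LoginRedirectLocationTests {

    // Simulates an unauthenticated GET to a protected path and returns the
    // Location header that the entry point writes to the response.
    private static String locationFor(LoginUrlAuthenticationEntryPoint entryPoint) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/private");
        request.setScheme("https");
        request.setServerName("myapp.example.org");
        request.setServerPort(443);
        MockHttpServletResponse response = new MockHttpServletResponse();
        entryPoint.commence(request, response,
                new InsufficientAuthenticationException("constructed: no credentials"));
        assertEquals(302, response.getStatus());
        return response.getRedirectedUrl();
    }

    @Test
    void relativeUriIsSentWhenFavored() throws Exception {
        LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/my-login");
        // Set explicitly so the test does not depend on the version default.
        entryPoint.setFavorRelativeUris(true);
        assertEquals("/my-login", locationFor(entryPoint));
    }

    @Test
    void absoluteUriIsSentWhenOptedOut() throws Exception {
        LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/my-login");
        // Spring Security 6 behavior: scheme and host come from the request.
        entryPoint.setFavorRelativeUris(false);
        assertEquals("https://myapp.example.org/my-login", locationFor(entryPoint));
    }
}
```

Running this before and after the upgrade shows whether anything downstream (a proxy rewrite rule, a client that parses the Location header) still expects the absolute form.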