Favor Relative Redirects by Default

Closes gh-16300

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.java

@@ -87,7 +87,7 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
@@ -175,7 +175,7 @@ public void configureWhenAuthenticationEntryPointSetAndRequestUnauthorizedThenRe
 		// @formatter:off
 		this.mockMvc.perform(get("/"))
 				.andExpect(status().is3xxRedirection())
-				.andExpect(redirectedUrlPattern("**/entry-point"));
+				.andExpect(redirectedUrl("/entry-point"));
 		// @formatter:on
 	}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java

@@ -78,7 +78,7 @@ public class DefaultLoginPageConfigurerTests {
 	@Test
 	public void getWhenFormLoginEnabledThenRedirectsToLoginPage() throws Exception {
 		this.spring.register(DefaultLoginPageConfig.class).autowire();
-		this.mvc.perform(get("/")).andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/")).andExpect(redirectedUrl("/login"));
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurerTests.java

@@ -214,8 +214,7 @@ public void getWhenCustomSecurityContextHolderStrategyThenUsed() throws Exceptio
 	@Test
 	public void getWhenUsingDefaultsAndUnauthenticatedThenRedirectsToLogin() throws Exception {
 		this.spring.register(DefaultHttpConfig.class).autowire();
-		this.mvc.perform(get("/").header(HttpHeaders.ACCEPT, "bogus/type"))
-			.andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/").header(HttpHeaders.ACCEPT, "bogus/type")).andExpect(redirectedUrl("/login"));
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java

@@ -181,7 +181,7 @@ public void requestProtectedWhenFormLoginConfiguredThenRedirectsToLogin() throws
 		// @formatter:off
 		this.mockMvc.perform(get("/private"))
 				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("http://localhost/login"));
+				.andExpect(redirectedUrl("/login"));
 		// @formatter:on
 	}
 
@@ -236,7 +236,7 @@ public void requestProtectedWhenFormLoginDefaultsInLambdaThenRedirectsToLogin()
 		// @formatter:off
 		this.mockMvc.perform(get("/private"))
 				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("http://localhost/login"));
+				.andExpect(redirectedUrl("/login"));
 		// @formatter:on
 	}
 
@@ -350,7 +350,7 @@ public void failureUrlWhenPermitAllAndFailureHandlerThenSecured() throws Excepti
 		// @formatter:off
 		this.mockMvc.perform(get("/login?error"))
 				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("http://localhost/login"));
+				.andExpect(redirectedUrl("/login"));
 		// @formatter:on
 	}
 
@@ -404,7 +404,7 @@ void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
 			.andExpect(redirectedUrl(
-					"http://localhost/login?factor.type=password&factor.type=ott&factor.reason=missing&factor.reason=missing"));
+					"/login?factor.type=password&factor.type=ott&factor.reason=missing&factor.reason=missing"));
 		this.mockMvc
 			.perform(post("/ott/generate").param("username", "rod")
 				.with(user(user))
@@ -422,13 +422,13 @@ void requestWhenUnauthenticatedThenRequiresTwoSteps() throws Exception {
 			.build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor.type=password&factor.reason=missing"));
+			.andExpect(redirectedUrl("/login?factor.type=password&factor.reason=missing"));
 		user = PasswordEncodedUser.withUserDetails(user)
 			.authorities("profile:read", FactorGrantedAuthority.PASSWORD_AUTHORITY)
 			.build();
 		this.mockMvc.perform(get("/profile").with(user(user)))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor.type=ott&factor.reason=missing"));
+			.andExpect(redirectedUrl("/login?factor.type=ott&factor.reason=missing"));
 		user = PasswordEncodedUser.withUserDetails(user)
 			.authorities("profile:read", FactorGrantedAuthority.PASSWORD_AUTHORITY,
 					FactorGrantedAuthority.OTT_AUTHORITY)
@@ -445,7 +445,7 @@ void requestWhenUnauthenticatedX509ThenRequiresTwoSteps() throws Exception {
 		this.mockMvc.perform(get("/login")).andExpect(status().isOk());
 		this.mockMvc.perform(get("/profile").with(SecurityMockMvcRequestPostProcessors.x509("rod.cer")))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor.type=password&factor.reason=missing"));
+			.andExpect(redirectedUrl("/login?factor.type=password&factor.reason=missing"));
 		this.mockMvc
 			.perform(post("/login").param("username", "rod")
 				.param("password", "password")

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java

@@ -66,7 +66,7 @@ public class NamespaceHttpFormLoginTests {
 	@Test
 	public void formLoginWhenDefaultConfigurationThenMatchesNamespace() throws Exception {
 		this.spring.register(FormLoginConfig.class, UserDetailsServiceConfig.class).autowire();
-		this.mvc.perform(get("/")).andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/")).andExpect(redirectedUrl("/login"));
 		this.mvc.perform(post("/login").with(csrf())).andExpect(redirectedUrl("/login?error"));
 		// @formatter:off
 		MockHttpServletRequestBuilder loginRequest = post("/login")
@@ -80,7 +80,7 @@ public void formLoginWhenDefaultConfigurationThenMatchesNamespace() throws Excep
 	@Test
 	public void formLoginWithCustomEndpointsThenBehaviorMatchesNamespace() throws Exception {
 		this.spring.register(FormLoginCustomConfig.class, UserDetailsServiceConfig.class).autowire();
-		this.mvc.perform(get("/")).andExpect(redirectedUrl("http://localhost/authentication/login"));
+		this.mvc.perform(get("/")).andExpect(redirectedUrl("/authentication/login"));
 		this.mvc.perform(post("/authentication/login/process").with(csrf()))
 			.andExpect(redirectedUrl("/authentication/login?failed"));
 		// @formatter:off
@@ -95,7 +95,7 @@ public void formLoginWithCustomEndpointsThenBehaviorMatchesNamespace() throws Ex
 	@Test
 	public void formLoginWithCustomHandlersThenBehaviorMatchesNamespace() throws Exception {
 		this.spring.register(FormLoginCustomRefsConfig.class, UserDetailsServiceConfig.class).autowire();
-		this.mvc.perform(get("/")).andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/")).andExpect(redirectedUrl("/login"));
 		this.mvc.perform(post("/login").with(csrf())).andExpect(redirectedUrl("/custom/failure"));
 		verifyBean(WebAuthenticationDetailsSource.class).buildDetails(any(HttpServletRequest.class));
 		// @formatter:off

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceRememberMeTests.java

@@ -104,7 +104,7 @@ public void rememberMeLoginWhenUsingDefaultsThenMatchesNamespace() throws Except
 				.with(csrf())
 				.cookie(rememberMe);
 		this.mvc.perform(authenticationClassRequest)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn();
 		// @formatter:on
 	}
@@ -150,7 +150,7 @@ public void rememberMeLoginWhenKeyDeclaredThenMatchesNamespace() throws Exceptio
 		// @formatter:off
 		this.mvc.perform(somewhereRequest)
 				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("http://localhost/login"));
+				.andExpect(redirectedUrl("/login"));
 		MockHttpServletRequestBuilder loginWithRememberme = post("/login").with(rememberMeLogin());
 		Cookie withKey = this.mvc.perform(loginWithRememberme)
 				.andReturn()

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.java

@@ -240,7 +240,7 @@ public void getWhenRememberMeCookieAndLoggedOutThenRedirectsToLogin() throws Exc
 				.with(csrf())
 				.cookie(expiredRememberMeCookie);
 		// @formatter:on
-		this.mvc.perform(expiredRequest).andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(expiredRequest).andExpect(redirectedUrl("/login"));
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.java

@@ -90,7 +90,7 @@ public void getWhenBookmarkedUrlIsFaviconIcoThenPostAuthenticationRedirectsToRoo
 		this.spring.register(RequestCacheDefaultsConfig.class, DefaultSecurityConfig.class).autowire();
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(get("/favicon.ico"))
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -104,7 +104,7 @@ public void getWhenBookmarkedUrlIsFaviconPngThenPostAuthenticationRedirectsToRoo
 		this.spring.register(RequestCacheDefaultsConfig.class, DefaultSecurityConfig.class).autowire();
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(get("/favicon.png"))
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -120,7 +120,7 @@ public void getWhenBookmarkedRequestIsApplicationJsonThenPostAuthenticationRedir
 		MockHttpServletRequestBuilder request = get("/messages").header(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON);
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -140,7 +140,7 @@ public void getWhenBookmarkedRequestIsXRequestedWithThenPostAuthenticationRedire
 				.header("X-Requested-With", "XMLHttpRequest");
 		MockHttpSession session = (MockHttpSession) this.mvc
 				.perform(xRequestedWith)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -157,7 +157,7 @@ public void getWhenBookmarkedRequestIsTextEventStreamThenPostAuthenticationRedir
 				MediaType.TEXT_EVENT_STREAM);
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -174,7 +174,7 @@ public void getWhenBookmarkedRequestIsWebSocketThenPostAuthenticationRedirectsTo
 		MockHttpServletRequestBuilder request = get("/messages").header("Upgrade", "websocket");
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -191,7 +191,7 @@ public void getWhenBookmarkedRequestIsAllMediaTypeThenPostAuthenticationRemember
 		MockHttpServletRequestBuilder request = get("/messages").header(HttpHeaders.ACCEPT, MediaType.ALL);
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -205,7 +205,7 @@ public void getWhenBookmarkedRequestIsTextHtmlThenPostAuthenticationRemembers()
 		MockHttpServletRequestBuilder request = get("/messages").header(HttpHeaders.ACCEPT, MediaType.TEXT_HTML);
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -220,7 +220,7 @@ public void getWhenBookmarkedRequestIsChromeThenPostAuthenticationRemembers() th
 		MockHttpServletRequestBuilder request = get("/messages")
 				.header(HttpHeaders.ACCEPT, "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -235,7 +235,7 @@ public void getWhenBookmarkedRequestIsRequestedWithAndroidThenPostAuthentication
 		MockHttpServletRequestBuilder request = get("/messages")
 				.header("X-Requested-With", "com.android");
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(request)
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();
@@ -315,7 +315,7 @@ public void getWhenPathPatternFactoryBeanThenFaviconIcoRedirectsToRoot() throws
 			.autowire();
 		// @formatter:off
 		MockHttpSession session = (MockHttpSession) this.mvc.perform(get("/favicon.ico"))
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn()
 				.getRequest()
 				.getSession();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java

@@ -447,7 +447,7 @@ public void oauth2LoginWithOneClientConfiguredThenRedirectForAuthorization() thr
 		String requestUri = "/";
 		this.request = get(requestUri).build();
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/oauth2/authorization/google");
+		assertThat(this.response.getRedirectedUrl()).matches("/oauth2/authorization/google");
 	}
 
 	// gh-6802
@@ -457,7 +457,7 @@ public void oauth2LoginWithOneClientConfiguredAndFormLoginThenRedirectDefaultLog
 		String requestUri = "/";
 		this.request = get(requestUri).build();
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/login");
+		assertThat(this.response.getRedirectedUrl()).matches("/login");
 	}
 
 	// gh-5347
@@ -469,7 +469,7 @@ public void oauth2LoginWithOneClientConfiguredAndRequestFaviconNotAuthenticatedT
 		this.request = get(requestUri).build();
 		this.request.addHeader(HttpHeaders.ACCEPT, new MediaType("image", "*").toString());
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/login");
+		assertThat(this.response.getRedirectedUrl()).matches("/login");
 	}
 
 	// gh-5347
@@ -479,7 +479,7 @@ public void oauth2LoginWithMultipleClientsConfiguredThenRedirectDefaultLoginPage
 		String requestUri = "/";
 		this.request = get(requestUri).build();
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/login");
+		assertThat(this.response.getRedirectedUrl()).matches("/login");
 	}
 
 	// gh-6812
@@ -524,7 +524,7 @@ public void oauth2LoginWithOneAuthorizationCodeClientAndOtherClientsConfiguredTh
 		String requestUri = "/";
 		this.request = get(requestUri).build();
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/oauth2/authorization/google");
+		assertThat(this.response.getRedirectedUrl()).matches("/oauth2/authorization/google");
 	}
 
 	@Test
@@ -533,7 +533,7 @@ public void oauth2LoginWithCustomLoginPageThenRedirectCustomLoginPage() throws E
 		String requestUri = "/";
 		this.request = get(requestUri).build();
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/custom-login");
+		assertThat(this.response.getRedirectedUrl()).matches("/custom-login");
 	}
 
 	@Test
@@ -542,7 +542,7 @@ public void requestWhenOauth2LoginWithCustomLoginPageInLambdaThenRedirectCustomL
 		String requestUri = "/";
 		this.request = get(requestUri).build();
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
-		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/custom-login");
+		assertThat(this.response.getRedirectedUrl()).matches("/custom-login");
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -1212,7 +1212,7 @@ public void requestWhenFormLoginAndResourceServerEntryPointsThenSessionCreatedBy
 		MvcResult result = this.mvc.perform(get("/authenticated")
 				.header("Accept", "text/html"))
 				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("http://localhost/login"))
+				.andExpect(redirectedUrl("/login"))
 				.andReturn();
 		// @formatter:on
 		assertThat(result.getRequest().getSession(false)).isNotNull();