Merge pull request #1727 from lprimak/redirect-follows-https

[#1762] enh: follow desired request scheme when doing redirection

Author: lprimak

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormAuthenticationFilter.java

@@ -81,7 +81,7 @@ protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, Ser
                                      ServletResponse response) throws Exception {
         if (request instanceof HttpServletRequest) {
             FallbackPredicate loginFallbackType = (FallbackPredicate) request.getAttribute(LOGIN_PREDICATE_ATTR_NAME);
-            redirectToSaved(WebUtils.toHttp(request), WebUtils.toHttp(response), loginFallbackType, "");
+            redirectToSaved(WebUtils.toHttp(request), WebUtils.toHttp(response), loginFallbackType, "/");
         }
         return false;
     }

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java

@@ -93,7 +93,7 @@ public boolean isLoggedIn() {
         }
 
         public boolean redirectIfLoggedIn() {
-            return redirectIfLoggedIn("");
+            return redirectIfLoggedIn("/");
         }
 
         public boolean redirectIfLoggedIn(String view) {
@@ -155,7 +155,7 @@ public static void redirectToView(FallbackPredicate useFallbackPath, String fall
     public static void login(String username, String password, boolean rememberMe) {
         try {
             SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password, rememberMe));
-            redirectToSaved(Faces.getRequestAttribute(LOGIN_PREDICATE_ATTR_NAME), "");
+            redirectToSaved(Faces.getRequestAttribute(LOGIN_PREDICATE_ATTR_NAME), "/");
         } catch (AuthenticationException e) {
             Faces.setFlashAttribute(DEFAULT_ERROR_KEY_ATTRIBUTE_NAME, e);
             int loginFailedWaitTime = Faces.getRequestAttribute(LOGIN_WAITTIME_ATTR_NAME);

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/ShiroFilter.java

@@ -50,6 +50,7 @@
 import org.apache.shiro.session.SessionException;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.subject.SubjectContext;
+import static org.apache.shiro.ee.listeners.EnvironmentLoaderListener.isShiroEERedirectDisabled;
 import static org.apache.shiro.web.filter.authz.SslFilter.HTTPS_SCHEME;
 import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
 import org.apache.shiro.web.mgt.WebSecurityManager;
@@ -58,6 +59,7 @@
 import org.apache.shiro.web.subject.WebSubjectContext;
 import org.apache.shiro.web.util.WebUtils;
 import org.omnifaces.util.Servlets;
+import org.omnifaces.util.Utils;
 
 /**
  * Stops JEE server from interpreting Shiro principal as direct EJB principal,
@@ -83,7 +85,7 @@ private static class WrappedRequest extends ShiroHttpServletRequest {
         @Getter(value = AccessLevel.PRIVATE, lazy = true)
         private final boolean httpsNeeded = createHttpButNeedHttps();
         @Getter(value = AccessLevel.PRIVATE, lazy = true)
-        private final StringBuffer secureRequestURL = rewriteHttpToHttps();
+        private final StringBuffer secureRequestURL = httpsRequestURL();
 
         WrappedRequest(HttpServletRequest wrapped, ServletContext servletContext, boolean httpSessions) {
             super(wrapped, servletContext, httpSessions);
@@ -127,7 +129,7 @@ private boolean createHttpButNeedHttps() {
                             .getHeader(X_FORWARDED_PROTO));
         }
 
-        private StringBuffer rewriteHttpToHttps() {
+        private StringBuffer httpsRequestURL() {
             return new StringBuffer(HTTP_TO_HTTPS.matcher(super.getRequestURL())
                     .replaceFirst(HTTPS_SCHEME + "$1"));
         }
@@ -147,6 +149,15 @@ public void addCookie(Cookie cookie) {
                 super.addCookie(cookie);
             }
         }
+
+        @Override
+        public void sendRedirect(String location) throws IOException {
+            if (!Utils.startsWithOneOf(location, "http://", "https://")
+                    && !isShiroEERedirectDisabled(request.getServletContext())) {
+                location = Servlets.getRequestDomainURL(WebUtils.toHttp(request)) + location;
+            }
+            super.sendRedirect(location);
+        }
     }
 
     @RequiredArgsConstructor

support/jakarta-ee/src/main/java/org/apache/shiro/ee/listeners/EnvironmentLoaderListener.java

@@ -33,6 +33,7 @@
 @WebListener
 public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener {
     private static final String SHIRO_EE_DISABLED_PARAM = "org.apache.shiro.ee.disabled";
+    private static final String SHIRO_EE_REDIRECT_DISABLED_PARAM = "org.apache.shiro.ee.redirect.disabled";
     private static final String FORM_RESUBMIT_DISABLED_PARAM = "org.apache.shiro.form-resubmit.disabled";
     private static final String FORM_RESUBMIT_SECURE_COOKIES = "org.apache.shiro.form-resubmit.secure-cookies";
     private static final String SHIRO_WEB_DISABLE_PRINCIPAL_PARAM = "org.apache.shiro.web.disable-principal";
@@ -41,6 +42,10 @@ public static boolean isShiroEEDisabled(ServletContext ctx) {
         return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_EE_DISABLED_PARAM));
     }
 
+    public static boolean isShiroEERedirectDisabled(ServletContext ctx) {
+        return Boolean.TRUE.equals(ctx.getAttribute(SHIRO_EE_REDIRECT_DISABLED_PARAM));
+    }
+
     public static boolean isFormResubmitDisabled(ServletContext ctx) {
         return Boolean.TRUE.equals(ctx.getAttribute(FORM_RESUBMIT_DISABLED_PARAM));
     }
@@ -58,6 +63,9 @@ public void contextInitialized(ServletContextEvent sce) {
         if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_EE_DISABLED_PARAM))) {
             sce.getServletContext().setAttribute(SHIRO_EE_DISABLED_PARAM, Boolean.TRUE);
         }
+        if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(SHIRO_EE_REDIRECT_DISABLED_PARAM))) {
+            sce.getServletContext().setAttribute(SHIRO_EE_REDIRECT_DISABLED_PARAM, Boolean.TRUE);
+        }
         if (Boolean.parseBoolean(sce.getServletContext().getInitParameter(FORM_RESUBMIT_DISABLED_PARAM))) {
             sce.getServletContext().setAttribute(FORM_RESUBMIT_DISABLED_PARAM, Boolean.TRUE);
         }