
SEC-1790: Disable use of spring-security-redirect by default for SimpleUrlLogoutSuccesshandler.

Luke Taylor 14 years ago
parent
commit
a087e828a6

+ 5 - 3
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java

@@ -30,8 +30,8 @@ import org.springframework.util.StringUtils;
  * will be used for the destination.
  * </li>
  * <li>
- * If a parameter matching the <tt>targetUrlParameter</tt> has been set on the request, the value will be used as
- * the destination.
+ * If a parameter matching the value of <tt>targetUrlParameter</tt> has been set on the request, the value will be used
+ * as the destination. By default this has the value "spring-security-redirect".
  * </li>
  * <li>
  * If the <tt>useReferer</tt> property is set, the "Referer" HTTP header value will be used, if present.
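Review bot: The reworded list item states the default parameter name but not that the step can be switched off, which is the behaviour this commit introduces in the setter. I would add a sentence to the item, for example `Setting the property to null or an empty string disables this step.` Both this item and the `useReferer` item describe destinations taken from the request, so the class comment could also say that these values are supplied by the client and, as far as this diff shows, are used without validation. The class Javadoc starts and ends outside the hunk.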
@@ -154,7 +154,9 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
      *  to "spring-security-redirect".
      */
     public void setTargetUrlParameter(String targetUrlParameter) {
-        Assert.hasText(targetUrlParameter, "targetUrlParameter cannot be null or empty");
+        if (!StringUtils.hasText(targetUrlParameter)) {
+            targetUrlParameter = null;
+        }
         this.targetUrlParameter = targetUrlParameter;
     }
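Review bot: Blank input to `setTargetUrlParameter` now silently turns the request-parameter lookup off instead of failing the assertion, and nothing tells the caller so; the setter's Javadoc, which starts outside the hunk, still ends at the default value. Add a sentence such as `Passing null or an empty string disables use of the request parameter.` The code that reads the field is not part of this diff, so confirm that it checks `targetUrlParameter != null` before calling `request.getParameter`. The base-class default is unchanged, so other handlers extending this class presumably still accept a redirect target from the request unless configured otherwise.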
 

+ 4 - 0
web/src/main/java/org/springframework/security/web/authentication/logout/SimpleUrlLogoutSuccessHandler.java

@@ -19,6 +19,10 @@ import org.springframework.security.web.authentication.AbstractAuthenticationTar
 public class SimpleUrlLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler
         implements LogoutSuccessHandler {
 
+    public SimpleUrlLogoutSuccessHandler() {
+        super.setTargetUrlParameter(null);
+    }
+
     public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
             throws IOException, ServletException {
         super.handle(request, response, authentication);
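Review bot: The new constructor has no Javadoc or comment explaining why it clears the target URL parameter, so a later reader could take `super.setTargetUrlParameter(null)` for a leftover and remove it. I would put a short Javadoc on it, for example `/** Disables the request-parameter redirect by default (SEC-1790); call setTargetUrlParameter to enable it. */`. Existing configurations that relied on the parameter being honoured at logout will change behaviour without any signal, which deserves a line in the class Javadoc or the release notes. The class body continues outside the hunk.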