
DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path.

Michel Palourdio %!s(int64=8) %!d(string=hai) anos
pai
achega
d26f40f062

+ 4 - 0
web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java

@@ -73,6 +73,10 @@ public class DefaultRedirectStrategy implements RedirectStrategy {
 			return url;
 		}
 
+		if (!url.contains(contextPath)) {
+			return "";
+		}
+
 		// Calculate the relative URL from the fully qualified URL, minus the last
 		// occurrence of the scheme and base context.
 		url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
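Review bot: `url.contains(contextPath)` in the new guard is a substring test over the whole URL, so it passes when the context path appears in the query string or deeper in an unrelated path, and it always passes when the application runs at the root context (`contextPath` is `""`). Context-relative mode is meant to keep the redirect inside the application, so the guard should test that the URL's path begins with the context path, for example `int pathStart = url.indexOf('/', url.indexOf("://") + 3);` followed by `if (pathStart < 0 || !url.startsWith(contextPath, pathStart)) { return ""; }`. The returned `""` is sent as an empty redirect target rather than `/`, which presumably resolves against the current request URL and not the root that the commit title promises; a one-line comment stating the intent would help. The enclosing method starts and ends outside the hunk, so how the later substring logic treats these inputs is not visible here.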

+ 15 - 0
web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java

@@ -56,4 +56,19 @@ public class DefaultRedirectStrategyTests {
 
 		assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 	}
+
+	@Test
+	public void contextRelativeShouldRedirectToRootIfURLDoesNotContainContextPath()
+		throws Exception {
+		DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+		rds.setContextRelative(true);
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setContextPath("/context");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		rds.sendRedirect(request, response,
+			"https://redirectme.somewhere.else");
+
+		assertThat(response.getRedirectedUrl()).isEqualTo("");
+	}
 }
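Review bot: The new test covers only a URL that lacks the context path entirely, so it does not pin what the `contains` guard does when `/context` appears somewhere other than the start of the path. Add cases such as `"https://redirectme.somewhere.else/?next=/context/page"` (a constructed sample) and a request whose context path is empty, and assert the redirect target expected for each. The assertion `isEqualTo("")` also documents an empty redirect target rather than the root redirect the commit title describes; if `/` is what is intended, assert that instead.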