
SEC-1648: Implemented Rob's suggestion to use a null value for the targetUrlParameter rather than a boolean property. The request parameter is thus only consulted if a parameter name has been set.

Luke Taylor 14 年之前
父節點
當前提交
eeb466b613

+ 6 - 16
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java

@@ -50,13 +50,11 @@ import org.springframework.util.StringUtils;
  */
 public abstract class AbstractAuthenticationTargetUrlRequestHandler {
 
-    public static final String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";
     protected final Log logger = LogFactory.getLog(this.getClass());
-    private String targetUrlParameter = DEFAULT_TARGET_PARAMETER;
+    private String targetUrlParameter = null;
     private String defaultTargetUrl = "/";
     private boolean alwaysUseDefaultTargetUrl = false;
     private boolean useReferer = false;
-    private boolean useTargetUrlparameter = false;
     private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
 
     protected AbstractAuthenticationTargetUrlRequestHandler() {
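Review bot: Dropping the `public static final String DEFAULT_TARGET_PARAMETER` constant at the removed line is a source-incompatible change for any application code that referenced it, and it is not needed to fix SEC-1648 — the fix is the `null` default, not the absence of the name. Consider keeping it as `@Deprecated public static final String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";` with a Javadoc `@deprecated` note saying the parameter is no longer consulted unless `setTargetUrlParameter` is called, so existing code compiles while the default behaviour stays off. The explicit `= null` initialiser on the new field line is redundant in Java and can be dropped. The class Javadoc that closes just above this hunk is outside the hunk; if it still describes "spring-security-redirect" as a default it should be updated to match the new opt-in behaviour.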
@@ -90,7 +88,7 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
         // Check for the parameter and use that if available
         String targetUrl = null;
 
-        if (useTargetUrlparameter) {
+        if (targetUrlParameter != null  ) {
             targetUrl = request.getParameter(targetUrlParameter);
 
             if (StringUtils.hasText(targetUrl)) {
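Review bot: The new guard only checks that a parameter name has been configured; the value read by `request.getParameter(targetUrlParameter)` on the next line is still user-controlled and, within this hunk, is accepted as the redirect target with no restriction on where it may point, so an application that sets the parameter name reintroduces the open-redirect exposure that SEC-1648 is about for absolute URLs. `determineTargetUrl` starts before and continues past this hunk, so I cannot tell from here whether a later step rejects absolute or off-host values; if none does, either reject them here (e.g. treat an absolute URL as absent so the default target is used) or at least make the risk explicit with a comment such as `// Attacker-controllable value: the application must constrain this parameter (e.g. to relative paths) before enabling it`. As a point of style, the condition has stray whitespace and should read `if (targetUrlParameter != null) {`.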
@@ -157,10 +155,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
     }
 
     /**
-     * The current request will be checked for this parameter before and the value used as the target URL if present.
+     * If this property is set, the current request will be checked for this a parameter with this name
+     * and the value used as the target URL if present.
      *
-     *  @param targetUrlParameter the name of the parameter containing the encoded target URL. Defaults
-     *  to "spring-security-redirect".
+     * @param targetUrlParameter the name of the parameter containing the encoded target URL. Defaults
+     * to null.
      */
     public void setTargetUrlParameter(String targetUrlParameter) {
         Assert.hasText("targetUrlParameter canot be null or empty");
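Review bot: The assertion in `setTargetUrlParameter` is ineffective: `Assert.hasText("targetUrlParameter canot be null or empty")` passes the message string as the text under test, so it always succeeds and the setter accepts `null` or `""`, which is exactly the state the new `targetUrlParameter != null` check depends on (an empty name would pass that check and then look up a parameter named `""`). It should be `Assert.hasText(targetUrlParameter, "targetUrlParameter cannot be null or empty");`, which also fixes the "canot" typo. The new Javadoc sentence has a leftover word ("checked for this a parameter with this name") and should read "checked for a parameter with this name"; since the setter rejects `null`, "Defaults to null" is clearer as "Defaults to {@code null}, in which case the request is never consulted and the default target URL is used." The setter's closing brace is outside the hunk.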
@@ -189,13 +188,4 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
         this.useReferer = useReferer;
     }
 
-    /**
-     * If set to {@code true} the request parameter {@code targetUrlParameter} will be used (if available). Defaults
-     * to {@code false}.
-     *
-     * @param useTargetUrlparameter
-     */
-    public void setUseTargetUrlparameter(boolean useTargetUrlparameter) {
-        this.useTargetUrlparameter = useTargetUrlparameter;
-    }
 }

+ 18 - 4
web/src/test/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationSuccessHandlerTests.java

@@ -42,20 +42,34 @@ public class SimpleUrlAuthenticationSuccessHandlerTests {
      * SEC-213
      */
     @Test
-    public void targetUrlParameterIsUsedIfPresent() throws Exception {
+    public void targetUrlParameterIsUsedIfPresentAndParameterNameIsSet() throws Exception {
         SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget");
-        ash.setUseTargetUrlparameter(true);
-        ash.setTargetUrlParameter("targetUrl");
         MockHttpServletRequest request = new MockHttpServletRequest();
         MockHttpServletResponse response = new MockHttpServletResponse();
-
         request.setParameter("targetUrl", "/target");
 
         ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
+        assertEquals("/defaultTarget", response.getRedirectedUrl());
 
+        // Try with parameter set
+        ash.setTargetUrlParameter("targetUrl");
+        response = new MockHttpServletResponse();
+        ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
         assertEquals("/target", response.getRedirectedUrl());
     }
 
+    @Test
+    public void refererIsUsedIfUseRefererIsSet() throws Exception {
+        SimpleUrlAuthenticationSuccessHandler ash = new SimpleUrlAuthenticationSuccessHandler("/defaultTarget");
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+        ash.setUseReferer(true);
+        request.addHeader("Referer", "http://www.springsource.com/");
+
+        ash.onAuthenticationSuccess(request, response, mock(Authentication.class));
+        assertEquals("http://www.springsource.com/", response.getRedirectedUrl());
+    }
+
     /**
      * SEC-297 fix.
      */
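Review bot: The first `assertEquals("/defaultTarget", ...)` in the renamed test is the actual regression check for SEC-1648 (the parameter must be ignored until a name is configured), but nothing in the test says so; a one-line comment above it, `// SEC-1648: the request parameter must be ignored until a parameter name is configured`, and adding SEC-1648 to the "SEC-213" Javadoc above the method would keep the intent discoverable. The new `refererIsUsedIfUseRefererIsSet` test pins that an absolute, off-host `Referer` value is used verbatim as the redirect target; since that header is under the control of whichever page linked to the login form, it is worth a comment stating that `useReferer` is opt-in and that the value is deliberately not origin-checked here, so a future reader does not mistake the assertion for an endorsement of that behaviour as a default.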