Fallback defaultTargetUrl if refererHeader is empty

ngocnhan-tran1996 · jzheaux · commit 178ca56aaf03 · 2026-03-25T15:19:29.000-06:00
Closes gh-18805 Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
@@ -112,9 +112,11 @@ protected String determineTargetUrl(HttpServletRequest request, HttpServletRespo
 			trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);
 			return targetUrlParameterValue;
 		}
-		if (this.useReferer) {
-			trace("Using url %s from Referer header", request.getHeader("Referer"));
-			return request.getHeader("Referer");
+
+		String refererHeader = request.getHeader("Referer");
+		if (this.useReferer && StringUtils.hasText(refererHeader)) {
+			trace("Using url %s from Referer header", refererHeader);
+			return refererHeader;
 		}
 		return this.defaultTargetUrl;
 	}
diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
@@ -114,4 +114,11 @@ void setRedirectStrategyWhenGivenNullThenThrowsException() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));
 	}
 
+	@Test
+	void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {
+		this.handler.setUseReferer(true);
+		this.request.addHeader("Referer", "");
+		assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -112,9 +112,11 @@ protected String determineTargetUrl(HttpServletRequest request, HttpServletRespo`
`112`	`112`	`trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);`
`113`	`113`	`return targetUrlParameterValue;`
`114`	`114`	`}`
`115`		`- if (this.useReferer) {`
`116`		`- trace("Using url %s from Referer header", request.getHeader("Referer"));`
`117`		`- return request.getHeader("Referer");`
	`115`	`+`
	`116`	`+ String refererHeader = request.getHeader("Referer");`
	`117`	`+ if (this.useReferer && StringUtils.hasText(refererHeader)) {`
	`118`	`+ trace("Using url %s from Referer header", refererHeader);`
	`119`	`+ return refererHeader;`
`118`	`120`	`}`
`119`	`121`	`return this.defaultTargetUrl;`
`120`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -114,4 +114,11 @@ void setRedirectStrategyWhenGivenNullThenThrowsException() {`
`114`	`114`	`assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));`
`115`	`115`	`}`
`116`	`116`
	`117`	`+ @Test`
	`118`	`+ void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {`
	`119`	`+ this.handler.setUseReferer(true);`
	`120`	`+ this.request.addHeader("Referer", "");`
	`121`	`+ assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);`
	`122`	`+ }`
	`123`	`+`
`117`	`124`	`}`