spring security - why to not use the 'spring-security-redirect' parameter in login forms to redirect to a particular page
By default, when the user submits the login form, and is authenticated, he is redirected to the last URL he wished to access, before he logged out (fetched from the request cache) or to the root URL. Additionally, if a 'spring-security-redirect' parameter is found with the form submission request, we are redirected to the value of that parameter.
I wish to use this feature, but in this thread, Luke Taylor mentioned that it would be a security risk, and we should use an additional form field for that purpose, and then customize our LoginSuccessHandler to retrieve and use that form field as we wish.
I am not able to understand the security risk he mentioned, and the reason we should not use a feature that Spring Security has already provided, instead of using our own custom logic. My reasons for wanting to use the functionality are the same as that of the OP in the above thread.
The Attack behinde is some kind of Cross-Site Request Forgery (CSRF-Attack)
If an Attacker (A) send an modified link to Some Person (B) and B have a short look at this link and see it is your application, he might click this link.
Person B enters his credentials and get looged in.
But now the redirect is executed, WITH THE CREDENTIALS OF THAT PERSON B!
So imagine you have an Application where each User can Spend some money by invoking http://yourApp/spendSomeMoney=100 -- (The first fault in that application would be that this is a GET and not a POST)
Now imagine (A) send (B) this link: http://yourApp/login.jsp?spring-security-redirect=http://yourApp/spendSomeMoney=100
You see the problem.
In general I would stongly recommend to use some CSRF protection filter, no matter I you use that redirect or not.