Fallback defaultTargetUrl if refererHeader is empty

Closes gh-18805

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java

@@ -113,9 +113,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
 			trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);
 			return targetUrlParameterValue;
 		}
-		if (this.useReferer) {
-			trace("Using url %s from Referer header", request.getHeader("Referer"));
-			return request.getHeader("Referer");
+
+		String refererHeader = request.getHeader("Referer");
+		if (this.useReferer && StringUtils.hasText(refererHeader)) {
+			trace("Using url %s from Referer header", refererHeader);
+			return refererHeader;
 		}
 		return this.defaultTargetUrl;
 	}

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java

@@ -114,4 +114,11 @@ public class AbstractAuthenticationTargetUrlRequestHandlerTests {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));
 	}
 
+	@Test
+	void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {
+		this.handler.setUseReferer(true);
+		this.request.addHeader("Referer", "");
+		assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);
+	}
+
 }