SEC-1803: Add check in AbstractAuthenticationTargetUrlRequestHandler for null targetUrlParameter before attempting to read it from the request. Prevents NPE when targetUrlParameter is not set.

15 years ago · ee74c4ced2
1 changed files with 5 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
@ -83,7 +83,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
				@@ -83,7 +83,11 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
        }

        // Check for the parameter and use that if available
-        String targetUrl = request.getParameter(targetUrlParameter);
+        String targetUrl = null;
+
+        if (targetUrlParameter != null) {
+            targetUrl = request.getParameter(targetUrlParameter);
+        }

        if (StringUtils.hasText(targetUrl)) {
            try {