grails / grails-spring-security-oauth2

Spring security Oauth Grails 3 plugin
https://grails.github.io/grails-spring-security-oauth2/
Apache License 2.0

Internal URLs cannot be used as oauth provider #69

Open ivo-k opened 10 months ago

ivo-k commented 10 months ago

The default instance of UrlValidator prevents us from using intranet domain names, which are not compliant with the URL validator. For example, dev.somewhere.local is invalid because local is not a valid TLD.

```groovy
class SpringSecurityOAuth2Controller {
...
    def authenticate() {
        String providerName = params.provider
        if (StringUtils.isBlank(providerName)) {
            throw new OAuth2Exception("No provider defined")
        }
        log.debug "authenticate ${providerName}"
        String url = springSecurityOauth2BaseService.getAuthorizationUrl(providerName)
        log.debug "redirect url from s2oauthservice=${url}"

        //You cannot use internal/local urls because of this line
        if (!UrlValidator.instance.isValid(url)) {
            flash.message = "Authorization url for provider '${providerName}' is invalid."
            redirect(controller: 'login', action: 'index')
        }
        redirect(url: url)
    }
...
```

Is it possible/reasonable to omit the validation or make it configurable, e.g. by injecting the validator?
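One way to make the check configurable while still validating the URL that feeds `redirect(url: url)`, shown as an added example that is not the plugin's code and not part of the comment above. It assumes the controller's `UrlValidator` is the Apache Commons Validator class (commons-validator on the classpath); `AuthorizationUrlValidatorFactory` and the trusted-host list are hypothetical names.

```groovy
import org.apache.commons.validator.routines.RegexValidator
import org.apache.commons.validator.routines.UrlValidator
import java.util.regex.Pattern

// Hypothetical helper, not part of the plugin: builds the validator from a
// list of internal hosts the application explicitly trusts.
class AuthorizationUrlValidatorFactory {

    static UrlValidator build(List<String> trustedInternalHosts) {
        if (!trustedInternalHosts) {
            // Nothing configured: keep the default behaviour from the issue.
            return UrlValidator.instance
        }
        // Exact host names only, each with an optional port. Pattern.quote
        // keeps the dots literal, and RegexValidator matches the whole
        // authority, so prefixes, suffixes and user-info do not slip through.
        String hosts = trustedInternalHosts.collect { Pattern.quote(it) }.join('|')
        String regex = "(?:${hosts})(?::\\d{1,5})?"
        RegexValidator authority = new RegexValidator(regex, false)
        // Authorities matching the regex are accepted; every other authority
        // still goes through the normal domain/TLD checks.
        new UrlValidator(['http', 'https'] as String[], authority, 0L)
    }
}

// Constructed sample data: the host list stands in for a configuration value.
def validator = AuthorizationUrlValidatorFactory.build(['dev.somewhere.local'])

// The behaviour reported in the issue: the default instance rejects the host.
assert !UrlValidator.instance.isValid('https://dev.somewhere.local/oauth/authorize')

// The listed internal host is accepted, with or without a port.
assert validator.isValid('https://dev.somewhere.local/oauth/authorize?response_type=code')
assert validator.isValid('https://dev.somewhere.local:8443/oauth/authorize')

// Public providers are unaffected.
assert validator.isValid('https://accounts.google.com/o/oauth2/auth')

// Internal names that were not listed are still rejected.
assert !validator.isValid('https://other.somewhere.local/oauth/authorize')
assert !validator.isValid('https://dev.somewhere.local.other.local/oauth/authorize')
```

`UrlValidator.ALLOW_LOCAL_URLS` alone does not cover this case, because Commons Validator treats only `localhost` and `localdomain` as local TLDs.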

ivo-k commented 1 week ago

Any news on this topic?