Whitelist for redirect URLs in Spring Boot
We have a security issue in our project. An attacker can intercept a login request and modify the 'Host' header in it. The server would respond with a redirect (303), sending the user to a possibly evil site.
Is it possible to add a whitelist for redirects?
Using Spring Boot with embedded Tomcat; in production this whole thing will be behind a load balancer.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http //@formatter:off
        .formLogin()
            .loginProcessingUrl("...")
            .usernameParameter("...")
            .passwordParameter("...")
            .loginPage("/").permitAll()
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler)
        .and().logout().permitAll()
            .logoutSuccessHandler(logoutSuccessHandler)
            .deleteCookies(XSRF_TOKEN, JSESSIONID)
        .and().authorizeRequests()
            .antMatchers("...").permitAll().anyRequest().authenticated()
        .and().csrf().csrfTokenRepository(csrfTokenRepository)
        .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint); //@formatter:on
}
Until now I have tried the following:
- using TomcatEmbeddedServletContainerFactory and adding a Valve there;
- using FilterRegistrationBean with a RemoteAddrFilter and setDeny().
The first option wouldn't start at all. I'm obviously making mistakes somewhere, but this information is hard to find and I don't have the complete picture in my head of what to do.
The second option I found here on Stack Overflow, and it feels like the right thing to do, but I failed to make it work. If setDeny() is present, it wouldn't even let me enter my website. If I comment it out, then it looks like no filtering happens at all. The bean looks like this:
@Bean
public FilterRegistrationBean remoteAddressFilter() {
    FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
    // Tomcat's RemoteAddrFilter matches the deny regex against the client's
    // remote IP address (request.getRemoteAddr()), not against the Host header.
    RemoteAddrFilter filter = new RemoteAddrFilter();
    filter.setDeny("attacker\\.com.*");
    filter.setDenyStatus(404);
    filterRegistrationBean.setFilter(filter);
    filterRegistrationBean.addUrlPatterns("/*");
    return filterRegistrationBean;
}
Thanks in advance for any kind of help.
Solution 1:[1]
This is an old question, but I'm adding an answer as Spring has added support for whitelisting in Spring Security 4.2.17 and 5.2. This might be useful for others who stumble on the same thing.
In the security config:
@Override
public void configure(WebSecurity web) throws Exception {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    // Only requests whose host name is on this list reach the filter chain
    firewall.setAllowedHostnames(Arrays.asList("myhostname1", "myhostname2"));
    web.httpFirewall(firewall);
}
It will throw org.springframework.security.web.firewall.RequestRejectedException with a message like "The request was rejected because the domain www.attackersite.com is untrusted."
If you don't want all the features of StrictHttpFirewall, you can extend HttpFirewall and add your own implementation.
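As an added example (not code from the question or the answer above), the following plain-Java allow-list predicate normalises the host name the way a practitioner would before comparing it (case, port suffix, trailing dot, IPv6 brackets) and shows in a comment where it plugs into StrictHttpFirewall; the class name, the hostnames and the Predicate-taking overload of setAllowedHostnames (Spring Security 5.2+) are assumptions.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

// Allow-list for the host name Spring Security checks (request.getServerName()).
// Any name not on the list is rejected, so a redirect is never built from an
// attacker-supplied Host header. Plain Java; runs without Spring on the classpath.
public final class TrustedHostPredicate implements Predicate<String> {
    private final Set<String> allowed = new HashSet<>();

    public TrustedHostPredicate(String... hostnames) {
        for (String h : hostnames) {
            allowed.add(normalize(h));
        }
    }

    @Override
    public boolean test(String serverName) {
        return serverName != null && allowed.contains(normalize(serverName));
    }

    // Lower-case, unwrap an IPv6 literal, drop ":port" and a trailing dot so that
    // "APP.example.com:8443" and "app.example.com." both compare as app.example.com.
    static String normalize(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                           // e.g. "[::1]:8080"
            int end = h.indexOf(']');
            return end > 0 ? h.substring(1, end) : h;
        }
        int colon = h.indexOf(':');
        if (colon >= 0 && h.indexOf(':', colon + 1) < 0) { // exactly one colon: host:port
            h = h.substring(0, colon);
        }
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    // Wiring into Spring Security 5.2+, where setAllowedHostnames accepts a Predicate
    // (assumed API; needs spring-security-web on the classpath):
    //   StrictHttpFirewall firewall = new StrictHttpFirewall();
    //   firewall.setAllowedHostnames(new TrustedHostPredicate("app.example.com"));
    //   web.httpFirewall(firewall);

    public static void main(String[] args) {
        Predicate<String> trusted = new TrustedHostPredicate("app.example.com", "localhost");
        // Constructed Host header values: legitimate variants plus two an interceptor might substitute
        String[] hosts = {"app.example.com", "APP.example.com:8443", "app.example.com.",
                          "www.attackersite.com", "app.example.com.evil.test", "[::1]:8080"};
        for (String host : hosts) {
            System.out.println(host + " -> " + (trusted.test(host) ? "trusted" : "rejected"));
        }
    }
}
```

Behind the load balancer mentioned in the question, the name Tomcat reports is whatever it takes from the Host (or, if configured to trust it, X-Forwarded-Host) header, so the list must contain the public hostnames clients actually use.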
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

| Solution | Source |
|---|---|
| Solution 1 | Chetan Ahirrao |