Fix HX-Redirect to respect servlet context path

devondragon · devondragon · commit 7d77c1076bf7 · 2026-03-28T16:03:02.000-06:00
When server.servlet.context-path is set (e.g. /app), the HX-Redirect
header and loginUrl JSON field now correctly include the context path
(e.g. /app/user/login.html) matching LoginUrlAuthenticationEntryPoint
behavior.

Found by Codex review.
diff --git a/src/main/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPoint.java b/src/main/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPoint.java
@@ -57,11 +57,16 @@ public void commence(HttpServletRequest request, HttpServletResponse response,
                 return;
             }
 
+            // Prepend the servlet context path so deployments with server.servlet.context-path work correctly.
+            // LoginUrlAuthenticationEntryPoint does the same when building its redirect URL.
+            String contextPath = request.getContextPath();
+            String fullLoginUrl = contextPath + loginUrl;
+
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
             response.setCharacterEncoding("UTF-8");
             response.setContentType("application/json;charset=UTF-8");
-            response.setHeader(HX_REDIRECT_HEADER, loginUrl);
-            String escapedLoginUrl = loginUrl
+            response.setHeader(HX_REDIRECT_HEADER, fullLoginUrl);
+            String escapedLoginUrl = fullLoginUrl
                     .replace("\\", "\\\\")
                     .replace("\"", "\\\"")
                     .replace("\n", "\\n")
diff --git a/src/test/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPointTest.java b/src/test/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPointTest.java
@@ -59,6 +59,7 @@ class HtmxRequestHandling {
         @BeforeEach
         void setUp() throws IOException {
             when(request.getHeader("HX-Request")).thenReturn("true");
+            when(request.getContextPath()).thenReturn("");
             responseBody = new StringWriter();
             when(response.getWriter()).thenReturn(new PrintWriter(responseBody));
         }
@@ -137,6 +138,7 @@ void shouldNotCallDelegateWhenHtmxRequestReceived() throws IOException, ServletE
         void shouldHandleHxRequestHeaderCaseInsensitively() throws IOException, ServletException {
             // Given
             when(request.getHeader("HX-Request")).thenReturn("TRUE");
+            when(request.getContextPath()).thenReturn("");
             AuthenticationException authException = new InsufficientAuthenticationException("Session expired");
 
             // When
@@ -148,6 +150,63 @@ void shouldHandleHxRequestHeaderCaseInsensitively() throws IOException, ServletE
         }
     }
 
+    @Nested
+    @DisplayName("Servlet Context Path Handling")
+    class ServletContextPathHandling {
+
+        private StringWriter responseBody;
+
+        @BeforeEach
+        void setUp() throws IOException {
+            when(request.getHeader("HX-Request")).thenReturn("true");
+            responseBody = new StringWriter();
+            when(response.getWriter()).thenReturn(new PrintWriter(responseBody));
+        }
+
+        @Test
+        @DisplayName("Should prepend context path to HX-Redirect header when context path is non-empty")
+        void shouldPrependContextPathToHxRedirectWhenContextPathIsNonEmpty() throws IOException, ServletException {
+            // Given
+            when(request.getContextPath()).thenReturn("/app");
+            AuthenticationException authException = new InsufficientAuthenticationException("Session expired");
+
+            // When
+            entryPoint.commence(request, response, authException);
+
+            // Then
+            verify(response).setHeader("HX-Redirect", "/app" + LOGIN_URL);
+        }
+
+        @Test
+        @DisplayName("Should include context path in JSON loginUrl when context path is non-empty")
+        void shouldIncludeContextPathInJsonLoginUrlWhenContextPathIsNonEmpty() throws IOException, ServletException {
+            // Given
+            when(request.getContextPath()).thenReturn("/app");
+            AuthenticationException authException = new InsufficientAuthenticationException("Session expired");
+
+            // When
+            entryPoint.commence(request, response, authException);
+
+            // Then
+            assertThat(responseBody.toString()).contains("\"loginUrl\":\"/app" + LOGIN_URL + "\"");
+        }
+
+        @Test
+        @DisplayName("Should use login URL as-is when context path is empty")
+        void shouldUseLoginUrlAsIsWhenContextPathIsEmpty() throws IOException, ServletException {
+            // Given
+            when(request.getContextPath()).thenReturn("");
+            AuthenticationException authException = new InsufficientAuthenticationException("Session expired");
+
+            // When
+            entryPoint.commence(request, response, authException);
+
+            // Then
+            verify(response).setHeader("HX-Redirect", LOGIN_URL);
+            assertThat(responseBody.toString()).contains("\"loginUrl\":\"" + LOGIN_URL + "\"");
+        }
+    }
+
     @Nested
     @DisplayName("Non-HTMX Request Handling")
     class NonHtmxRequestHandling {
