enh: follow desired request scheme when doing redirection

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormAuthenticationFilter.java

@@ -81,7 +81,7 @@ protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, Ser
                                      ServletResponse response) throws Exception {
         if (request instanceof HttpServletRequest) {
             FallbackPredicate loginFallbackType = (FallbackPredicate) request.getAttribute(LOGIN_PREDICATE_ATTR_NAME);
-            redirectToSaved(WebUtils.toHttp(request), WebUtils.toHttp(response), loginFallbackType, "");
+            redirectToSaved(WebUtils.toHttp(request), WebUtils.toHttp(response), loginFallbackType, "/");
         }
         return false;
     }

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/Forms.java

@@ -93,7 +93,7 @@ public boolean isLoggedIn() {
         }
 
         public boolean redirectIfLoggedIn() {
-            return redirectIfLoggedIn("");
+            return redirectIfLoggedIn("/");
         }
 
         public boolean redirectIfLoggedIn(String view) {
@@ -155,7 +155,7 @@ public static void redirectToView(FallbackPredicate useFallbackPath, String fall
     public static void login(String username, String password, boolean rememberMe) {
         try {
             SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password, rememberMe));
-            redirectToSaved(Faces.getRequestAttribute(LOGIN_PREDICATE_ATTR_NAME), "");
+            redirectToSaved(Faces.getRequestAttribute(LOGIN_PREDICATE_ATTR_NAME), "/");
         } catch (AuthenticationException e) {
             Faces.setFlashAttribute(DEFAULT_ERROR_KEY_ATTRIBUTE_NAME, e);
             int loginFailedWaitTime = Faces.getRequestAttribute(LOGIN_WAITTIME_ATTR_NAME);

support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/ShiroFilter.java

@@ -58,6 +58,7 @@
 import org.apache.shiro.web.subject.WebSubjectContext;
 import org.apache.shiro.web.util.WebUtils;
 import org.omnifaces.util.Servlets;
+import org.omnifaces.util.Utils;
 
 /**
  * Stops JEE server from interpreting Shiro principal as direct EJB principal,
@@ -83,7 +84,7 @@ private static class WrappedRequest extends ShiroHttpServletRequest {
         @Getter(value = AccessLevel.PRIVATE, lazy = true)
         private final boolean httpsNeeded = createHttpButNeedHttps();
         @Getter(value = AccessLevel.PRIVATE, lazy = true)
-        private final StringBuffer secureRequestURL = rewriteHttpToHttps();
+        private final StringBuffer secureRequestURL = httpsRequestURL();
 
         WrappedRequest(HttpServletRequest wrapped, ServletContext servletContext, boolean httpSessions) {
             super(wrapped, servletContext, httpSessions);
@@ -127,7 +128,7 @@ private boolean createHttpButNeedHttps() {
                             .getHeader(X_FORWARDED_PROTO));
         }
 
-        private StringBuffer rewriteHttpToHttps() {
+        private StringBuffer httpsRequestURL() {
             return new StringBuffer(HTTP_TO_HTTPS.matcher(super.getRequestURL())
                     .replaceFirst(HTTPS_SCHEME + "$1"));
         }
@@ -147,6 +148,14 @@ public void addCookie(Cookie cookie) {
                 super.addCookie(cookie);
             }
         }
+
+        @Override
+        public void sendRedirect(String location) throws IOException {
+            if (!Utils.startsWithOneOf(location, new String[]{"http://", "https://"})) {
+                location = Servlets.getRequestDomainURL(WebUtils.toHttp(request)) + location;
+            }
+            super.sendRedirect(location);
+        }
     }
 
     @RequiredArgsConstructor