Project: Magnolia
Issue: MAGNOLIA-7502

RedirectClientCallback is not working as expected


Type: Bug
Resolution: Fixed
Priority: Neutral
Fix Version/s: 6.3.0, 6.2.34
Affects Version/s: 6.0
Component/s: None

When passing parameters to a restricted URL without being authenticated, we are experiencing a couple of issues: first of all, the parameters in the formatted (result) string are duplicated. Also, after a successful authentication the parameters are lost (not included in the URL).

Steps to reproduce it (e.g. on our demo):

1. Go to the Configuration app --> server --> filters --> securityCallBack --> clientCallBacks --> travel-demo-pur --> location --> set the value: travel/members/login.html?redirectToThis={0}
2. Go to http://localhost:8080/magnoliaPublic/travel/members/protected.html?param1=value1
3. Magnolia redirects the user to the login page for members.
4. Do a proper login and check the resulting URL.

There are some attached images that may help.

Description added from the related ticket MAGNOLIA-8038:

In Magnolia 6.2.4, the MAGNOLIA-7915 changes to LoginFilter were made, which only permit redirects to relative URLs.

But when RedirectClientCallback is used to redirect the user from the restricted page to the login form, it injects the full URL into the redirect. That makes it incompatible with LoginFilter.

For example, when a user requests a restricted "/account" page and the SecurityCallbackFilter is configured to use RedirectClientCallback, the latter will send a redirect response to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".

That /account-login page will take the "from" parameter value of "http://example.org/account" and typically put it inside the login form in the "mgnlReturnTo" field.

When the login credentials are then posted, the LoginFilter will take the full return URL from the "mgnlReturnTo" request parameter and reject it as unsafe.

The correct behaviour for RedirectClientCallback would be to inject the "root" URL representation into the redirect URL, e.g. "/account-login?from=%2Faccount".
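Added illustration (example code, not Magnolia's own RedirectClientCallback or LoginFilter) of the two behaviours the ticket asks for, as one standalone Java class. `buildLoginRedirect` passes the root-relative form of the requested URL (path plus query string, URL-encoded once) into a location pattern such as the `travel/members/login.html?redirectToThis={0}` value from step 1, so the original request parameters survive the round trip without leaking into the login page's own query string. `isSafeReturnUrl` is a hypothetical stand-in for the relative-only check the ticket attributes to LoginFilter since MAGNOLIA-7915: it rejects absolute values such as the "http://example.org/account" case above, and also protocol-relative ("//host/…") and backslash variants that browsers treat as absolute. The class and method names, the exact rules of the check, and the use of the request's context path in the return URL are assumptions of this example; only the pattern, the sample request URL and the `mgnlReturnTo` parameter name come from the ticket.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;

/**
 * Hypothetical example (not Magnolia code): build the login redirect with a root-relative
 * return URL and validate that return URL before redirecting after login.
 */
public class ReturnUrlExample {

    /** Reduce the originally requested URL to its root-relative form: path plus query string. */
    static String toRootRelative(String requestedUrl) {
        URI uri = URI.create(requestedUrl);
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    /** Build the login-page redirect target from a location pattern such as "login.html?redirectToThis={0}". */
    static String buildLoginRedirect(String locationPattern, String requestedUrl) {
        String returnTo = toRootRelative(requestedUrl);
        // Encode once: "/account?x=1" becomes "%2Faccount%3Fx%3D1", so the query string of the
        // protected page is carried inside one parameter of the login page instead of being
        // appended to (and duplicated in) the login page's own query string.
        String encoded = URLEncoder.encode(returnTo, StandardCharsets.UTF_8);
        // MessageFormat treats single quotes as escape characters; double them in the pattern first.
        return MessageFormat.format(locationPattern.replace("'", "''"), encoded);
    }

    /** Stand-in for a relative-only return URL check (assumed rules, not LoginFilter's actual code). */
    static boolean isSafeReturnUrl(String returnTo) {
        if (returnTo == null || returnTo.isEmpty()) {
            return false;
        }
        // Reject absolute URLs ("http://evil.example/"), protocol-relative ones ("//evil.example/")
        // and the backslash form ("/\evil.example") that some browsers normalise to "//".
        if (!returnTo.startsWith("/") || returnTo.startsWith("//") || returnTo.startsWith("/\\")) {
            return false;
        }
        // Anything that still parses with a scheme or authority is not a root-relative path.
        try {
            URI uri = new URI(returnTo);
            if (uri.getScheme() != null || uri.getRawAuthority() != null) {
                return false;
            }
        } catch (URISyntaxException e) {
            return false;
        }
        // Control characters have no place in a Location header value.
        for (char c : returnTo.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Pattern and request URL taken from the reproduction steps in the ticket.
        String pattern = "travel/members/login.html?redirectToThis={0}";
        String requested = "http://localhost:8080/magnoliaPublic/travel/members/protected.html?param1=value1";

        String redirect = buildLoginRedirect(pattern, requested);
        System.out.println("redirect to login page: " + redirect);

        // What the login page would later post back as mgnlReturnTo, after decoding its own parameter.
        String returnTo = URLDecoder.decode(redirect.substring(redirect.indexOf('=') + 1), StandardCharsets.UTF_8);
        System.out.println("mgnlReturnTo value:      " + returnTo);
        System.out.println("root-relative accepted:  " + isSafeReturnUrl(returnTo));
        System.out.println("full URL accepted:       " + isSafeReturnUrl("http://example.org/account"));
        System.out.println("protocol-relative:       " + isSafeReturnUrl("//evil.example/phish"));
    }
}
```

The root-relative value keeps the context path ("/magnoliaPublic/…") because that is what the browser needs to request after login; whether the return URL should instead be relative to the context path is a design choice this example does not make for Magnolia.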

Attachments:
  1. requested-url.png (200 kB)
  2. key-map from request.png (232 kB)
  3. encoded-url ok.png (51 kB)
  4. method message-format.png (137 kB)
  5. formatted-target ko.png (66 kB)

Assignee: Evzen Fochr (efochr)
Reporter: Carlos Cantalapiedra (ccantalapiedra)
AdminX
Votes: 1
Watchers: 2


Time tracking:
  Original Estimate: Not Specified
  Remaining Estimate: Not Specified
  Time Spent: 1d