In Magnolia 6.2.4 the MAGNOLIA-7915 changes to LoginFilter were made that only permit redirects to relative URLs.

But when RedirectClientCallback is used to redirect user form the restricted page to login form it injects Full URL into redirect. That makes it incompatible with LoginFilter.

For example, when user request a restricted "/account" page, and the SecurityCallbackFilter is configured to use RedirectClientCallback the latter will send a redirect respone to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".

That /account-login page will take the "from" parameter value of "http://example.org/account" and typically put it inside login form in "mgnlReturnTo" field.

When login credentials are then posted, the LoginFilter will take the full return URL from "mgnlReturnTo" request parameter and reject it as unsafe.

Correct behaviour for RedirectClientCallback wold be to inject "root" URL representation into redirect URL, e.g. "/account-login?from=%2Faccount".