Spring Web vulnerable to Open Redirect or Server Side Request Forgery