deltaspike-users mailing list archives

From Thomas Andraschko <andraschko.tho...@gmail.com>
Subject Re: POST parameter will be added to URL in some cases
Date Thu, 23 Apr 2015 07:59:36 GMT
Hi,

That's actually how the LAZY mode works. The feature is called "initial
redirect".
We need to add all GET params here because if you open e.g.
/index.xhtml?userId=1, we do a redirect to the same URL with a new dswid.
If we did not collect all GET params, the userId would be lost.

Don't know what JAAS exactly does. Can you give me some input? I don't
think that we currently skip the initial redirect on a post. I'm also not
sure if it's good in all cases to skip it on a post.

Regards,
Thomas

2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:

> Hi Thomas,
>
> I've checked and found out that the parameters will be added in
> "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> method ClientWindowHelper#handleInitialRedirect.
>
> Regards
> Marco
>
>
>
> To: users@deltaspike.apache.org
> Subject: Re: POST parameter will be added to URL in some cases
> Hi,
>
> please debug ClientWindowHelper#handleInitialRedirect and check if the
> j_password/j_username will be appended there and come back.
>
> Regards,
> Thomas
>
> 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
>
> > Hello,
> > we are using DeltaSpike in a web application that is secured by JAAS,
> > running on EAP 6.x. The login form sends a POST request to
> > "j_security_check". If the login fails due to a wrong username/password,
> > the user will be redirected to a login error page configured as
> > "form-error-page" in web.xml. In this case, the URL looks like
> > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > The parameters j_username and j_password are added as GET parameters to
> > the URL, containing the values in plaintext.
> > If I remove DeltaSpike from the project, the URL looks like
> > "example.com/webapp/userLoginError.xhtml" without the parameters
> > j_username and j_password.
> > After logging in successfully, this problem doesn't occur again if a POST
> > request was made on a secured page.
> > From my point of view it looks like a bug in DeltaSpike, because
> > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > parameters.
> > Can you confirm, or do you have any advice on how I can prevent it?
> > Thank you very much in advance.
> > Best regards
> > Marco
>
>
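
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not DeltaSpike's code: in the Servlet API the request parameter map merges the query string with a form-encoded POST body, so a redirect URL built from that map picks up login fields, while one built from the query string alone keeps only what was already in the URL. The class and method names are hypothetical, the request values are constructed from the URLs quoted above, and the query-string variant is one possible mitigation assumed here, not a fix confirmed by the project.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration (hypothetical names); models the redirect that assigns a new dswid.
public class InitialRedirectDemo {

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Weak: copies every entry of a getParameterMap()-style map. That map also
    // holds form-encoded POST body fields, so j_username/j_password reach the URL.
    static String redirectFromAllParams(String path, Map<String, String[]> parameterMap, String dswid) {
        StringBuilder sb = new StringBuilder(path).append('?');
        for (Map.Entry<String, String[]> e : parameterMap.entrySet()) {
            if (e.getKey().equals("dswid")) continue; // replaced by the new window id
            for (String v : e.getValue()) {
                sb.append(enc(e.getKey())).append('=').append(enc(v)).append('&');
            }
        }
        return sb.append("dswid=").append(enc(dswid)).toString();
    }

    // Hardened (assumed mitigation): reuse only the raw query string, i.e. the
    // parameters that were already visible in the URL, and swap in the new dswid.
    static String redirectFromQueryString(String path, String rawQuery, String dswid) {
        StringBuilder sb = new StringBuilder(path).append('?');
        if (rawQuery != null) {
            for (String pair : rawQuery.split("&")) {
                boolean isWindowId = pair.equals("dswid") || pair.startsWith("dswid=");
                if (!pair.isEmpty() && !isWindowId) sb.append(pair).append('&');
            }
        }
        return sb.append("dswid=").append(enc(dswid)).toString();
    }

    public static void main(String[] args) {
        // Constructed request: failed login POST forwarded to the error page.
        // The URL has no query string; both fields come from the POST body.
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("j_password", new String[] {"password"});
        merged.put("j_username", new String[] {"username"});
        String errorPage = "/webapp/userLoginError.xhtml";
        System.out.println(redirectFromAllParams(errorPage, merged, "-8159"));
        System.out.println(redirectFromQueryString(errorPage, null, "-8159"));
        // The GET case from the reply above: userId survives the redirect.
        System.out.println(redirectFromQueryString("/index.xhtml", "userId=1", "-8159"));
    }
}
```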
